Say you have an important deal that you must close. It’s Friday afternoon and, after months of negotiations, you receive an email from the other side with instructions to wire the payment to another account for what seems like a valid reason. Having done business with the other party many times before, you do not call. You don’t even notice that the email address isn’t quite right. Or perhaps it is but the name or something else isn’t quite right. Nevertheless, you wire the money and go home.
On Monday morning, you see lots of messages from the other party and your own people asking where the money is. You know you sent it on Friday afternoon. That sinking feeling sets in, and you confirm that you sent the payment only to find out that the account was fraudulent. Upon closer examination, something was wrong about the email that you received. Perhaps the other account was hacked or the email was from another account entirely that just looked like it came from the company you were doing business with.
What happens to the money? Do you have to pay again? Did you meet the terms of the deal? The answers are not so simple. Regardless, someone is out lots of money and the relationship may be in jeopardy.
The answer involves legal analysis because it is based on statutes and case law. It shows the complicated nature of this issue.
WHICH PARTY IS LIABLE FOR THE MISDIRECTED PAYMENT?
Liability between the parties
Courts that have determined liability among the parties when fraud has occurred by an unknown third party, have concluded that the loss “should be borne by the party in the best position to prevent the fraud.”1
20-0013, 2020 WL 7232025, at *6 (W. Va. Dec. 7, 2020) (adopting same rule for assigning loss); Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915, 920 (D. Nev. 2020) (same); J.F. Nut Co., S.A. de C.V. v. San Saba Pecan, LP, No. A-17-CV-00405-SS, 2018 WL 7286493, at *3 (W.D. Tex. July 23, 2018) (concluding that party in the best position to prevent the fraud should suffer the loss for a misdirected payment); Arrow Truck Sales, Inc. v. Top Quality Truck & Equipment, No. 8:14-cv-2052-T-30TGW, 2015 WL 4936272, at *4−6 (M.D. Fla. Aug. 18, 2015) (same); Meritdiam, Inc. v. Facets Fine Jewelry, LLC, No. CV1407041MWFCWX, 2015 WL 12660377, at *6 (C.D. Cal.
Apr. 27, 2015) (“[T]he Court believes that liability will likely lie with the party the jury determines was most greatly at fault in causing the payment to be misdirected. Meritdiam either allowed unauthorized access to its email account or failed to prevent its system from being hacked[.] . . . JB Hudson did not pick-up on certain clues in the emails[.] These are issues for the jury.”). The ultimate question for the court was which party should bear the loss attributable to the scheme perpetrated by an unidentified third-party fraudster. Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 F. App'x 348, 353 (6th Cir. 2018).
In a case, where one party followed “updated” wiring instructions to pay for trucks that it purchased instead of the usually agreed upon wiring instructions, the court found that the paying party “had more opportunity and was in the better position to discover the fraudulent behavior based on the timing of the e-mails and the fact that the fraudulent wiring instructions involved . . . different account information from all of the previous wiring instructions."2 In that case, a third-party fraudster hacked into the email accounts of the buyer and seller and used the seller’s account to send the updated instructions. According to the court, “at the very least, the change in wiring instructions and conflicting
e-mails should have prompted [the buyer] to confirm the information with [the seller] prior to wiring any funds."3 Because the buyer failed to "exercise[] reasonable care after receiving conflicting e-mails containing conflicting wire instructions," the court held that the buyer should suffer the loss associated with the fraud."4
Typically, "if a payor issues an instrument but fails to deliver the instrument to the payee's possession, then the payor is still liable on the underlying obligation."5 However, under UCC §§ 3-404 and 3-406, which address third-party fraud in negotiable instruments, "a party whose failure to take ordinary care results in loss must be the party to bear that loss," and "a blameless party is entitled to rely on reasonable representations, even when those reasonable representations are made by fraudsters."6
CAN THE BANK BE HELD LIABLE?
Bank Liability for Unauthorized Transfers
Liability for unauthorized wire transfers is governed by the Uniform Commercial Code (“UCC”). Under the UCC, banks are liable for unauthorized transfers from non-consumer accounts unless the bank and depositor agree to use a commercially reasonable security procedure to verify wire transfer requests before they are sent. If the bank and depositor agree to such a procedure, and the bank sends a wire after following that procedure then the depositor is liable for the loss. However, the bank only avoids liability if it accepts the payment order in good faith. In other words, for a bank to avoid liability it must
(1) agree with the depositor to verify wire transfer requests with a commercially reasonable security procedure, and (2) follow that procedure in good faith.
In a case where a commercial payor and their bank agreed to security measures and the bank did not follow those procedures, the court denied the bank’s motion to dismiss. The court found that the bank failed to prevent an unauthorized individual from accessing the account on an unknown computer, and that the bank permitted these transfers to go through despite being unable to confirm their authenticity
with the account holder and despite suspicions that they were fraudulent.7 In that case, the transfers came from an unknown computer using the account holder’s credentials; however, the bank did not lock the account and verbally verify the transfers as agreed upon.
The court denied the bank’s motion to dismiss based on the UCC. N.J.S.A. § 12A:4A-202(2) provides that the customer will be liable for an alleged fraudulent transfer if the bank and customer have agreed upon "a security procedure to verify the authenticity of payment orders" that is commercially reasonable and "the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer " Whether a bank's security
procedure is commercially reasonable is an issue of law for the Court to determine.8
Bank Liability for authorized transfers to fraudsters
In another case, the court granted a credit union’s motion to dismiss agreeing that it had no obligation to reimburse a depositor who transferred funds based on fraud.9 In that case, a customer sued after her credit union refused to reimburse her for a Zelle transfer that turned out to be fraudulent. The transactions were authorized; however, they were made based on fraud by a third party. Even where an individual sent a fraudulent transfer after having been scammed, the bank was not liable.10 Likewise, when individuals were tricked into giving their login credentials, or remote access to their device, to the scammers, who then transferred money to themselves, the bank was not liable.11 Nor was the bank held liable when the individual alleged that someone gained access to their physical device, or that they simply do not know how the fraudulent transfers happened.12
SO WHAT HAPPENS?
If the transfer was authorized, even if you sent it to a scammer, the law indicates that the bank will not be held liable. In all likelihood, if the money was not transferred out of the fraudulent account, the bank would be able to recover whatever money was left in the account. Whether there is a third party to recover from depends on whether you can obtain the identity of the owner of the fraudulent account and whether that information is reliable. You may have a claim against your insurance policy, if you have insurance for cyber risks, but that requires an analysis of the insurance policy.
THIS WILL NEVER HAPPEN TO ME.
Do you think that this will never happen to you? According to the Federal Trade Commission, Americans lost over $311 million to wire transfer fraud in 2022 alone.13 Maybe, after all of this, you’ll decide to only send money after a phone call or even video.
Video is secure, right?
Then you haven’t heard about the finance employee who was tricked into paying $25 million to fraudsters because of a deepfake video.14
That employee received what he thought was a fake email (known as phishing) from the chief financial officer (CFO). The worker was right to doubt the email when it mentioned the need for a secret transaction.15
A video call that involved the CFO and other people he knew removed all of his doubts. The employee transferred more than $25 million to multiple accounts. But the video was fake.
If you have questions about this article, or about wire fraud in general, contact Mitchell Goldstein (mgoldstein@setlifflaw.com) at (804) 377-1269, or Steve Setliff (ssetliff@setlifflaw.com) at (804) 377-1261.
Footnotes
© 2025 Setliff Law, P.C.| View Our Disclaimer | Privacy Policy