When phishers jump into a deal, running off with hundreds of thousands of dollars in intercepted funds, which party is left on the hook? One recent case out of Ohio provides some insight. The case, Beau Townsend Ford v. Don Hinds Ford, involves Nigerian hackers who made off with $736,225.40 after getting in between a deal to sell 20 Ford Explorers.
But before we jump in, some basics. For those who are unfamiliar, phishing involves sending emails meant to mimic legitimate, official messages in order to bait a recipient into taking a specific action, such as disclosing personal information. This might take the shape of an email claiming to be from one’s bank, linking you to a fraudulent website, for example. Fall for the trick and scammers could run off with your login credentials. Or, as is the case in a particular subset of phishing attacks, hackers will infiltrate a target’s email system during a financial transaction. When it comes time to make payment, the hackers intervene, sending along instructions to wire money to their account.
This isn’t just a risk in business, either. Lawyers have fallen victim to such scams on numerous occasions, sending settlement payments to hackers rather than clients.
The Case of the Phished Ford Payments
Back to Beau Townsend Ford v. Don Hinds Ford (S.D. Ohio) and those phished Ford payments. In this case, a deal for the cars was negotiated over email. As the deal progressed, everything seemed on the up and up, except that neither party realized that the seller’s email system had been compromised by hackers—that is, until it was a few days too late. Eric Goldman, who covered the case on his Technology & Marketing Law Blog, provides a concise summary:
After the email deal was struck, all incoming emails from the buyer’s contact were filtered out of the sales guy’s email account and forwarded to the Nigerians. The Nigerians then responded to the buyer’s emails from a Gmail account that used the sales guy’s name.
Just how was this forwarding done? The court explains:
Beau Townsend Ford uses a third-party service called FuseMail for its email service. All of its emails have the domain “btford.com” but are received and sent through FuseMail, and FuseMail allows users to remotely access their email accounts through a “webmail” interface. FuseMail also allows users to set up certain rules in their account that will forward emails to other email addresses. This feature was known to Beau Townsend Ford, particularly the person responsible for its IT systems, John Wanamaker. Wanamaker knew that some users had forwarding rules in place on their accounts. Moreover, as the person in charge of Beau Townsend Ford’s IT systems, Wanamaker had access to all of the company’s email accounts.
The hackers appear to have used this feature in order to get in the middle of the sale. Again, Eric Goldman:
So when the buyer proposed paying by check, the fake Gmail account responded with wire transfer instructions. The instructions listed the destination account holder as “K.B. KEY LOGISTICS L.L.C.,” but the buyer didn’t think that name was strange because car dealers often use DBAs. The wire transfers were sent (to the Nigerians), the buyer picked up the vehicles in stages, and the buyer emailed to confirm that the wire transfers were received, which the fake Gmail account confirmed. A week later, the seller reaches out to the buyer to find out where the money is, and everyone involved had a bad day.
Indeed. Several bad days, actually. And as all this was going on, another buyer also contacted the dealership to check on wiring instructions, instructions that seem to have been sent by the same phishers. That phone call, thankfully, prevented another theft, but the seller appears to have taken its time investigating the issue.
After two weeks of back and forth, the seller sued the buyer for breach of contract. “Both parties would each have the Court find that the other was in the best position to avoid the misfortune that occurred in this case,” Judge Thomas M. Rose notes.
The seller argued that the buyer failed to recognize significant “red flags” that would have alerted it to the phishers’ fraud, such as the use of a wire transfer where only checks had been used before, that seller was not named as the beneficiary of the wire transfer, and that the funds were wired to an account in Texas, rather than Ohio.
The buyer, in turn, noted the seller’s unsecured email system and “its slow response to signs that something was amiss.”
“Here, both parties were negligent in their business practices,” the court determined.
It cannot be said that either was “obviously in the best position to protect their own interest.” Beau Townsend Ford should have maintained a more secure email system and taken quicker action upon learning that it might have been compromised. Don Hinds should have ascertained that an actual agent of Beau Townsend Ford was requesting that it send money by wire transfer.
The court thus denied the buyer’s equitable estoppel claims, ruling that, in paying the phishers rather than the seller, the dealership had breached the contract.
When a buyer accepts goods the buyer must pay for such goods. Don Hinds Ford accepted the 20 Ford Explorers from Beau Townsend Ford. Therefore, Beau Townsend Ford is entitled to be paid by Don Hinds Ford.
Lessons for Legal Professionals
This case should catch attorneys’ attention not just for its contract law implications. As noted above, it’s not only clients, or Ford dealerships, who have found themselves mislead by email phishers. In August, attorneys in Los Angeles were warned to beware of phishers, after a firm paid a $500,000 settlement to email scammers, rather than the intended settlement administrator.
The U.S. District Court of the Eastern District of Virginia also weighed in on a similar case in 2016. In that case, scammers had compromised the plaintiff attorney’s email account, instructing the defense to wire a settlement to an account in London. When the plaintiff later moved to enforce the settlement, arguing that the defense still needed to uphold its end of the deal, the court disagreed. The attorney had known his account was compromised, but failed to inform opposing counsel. That failure to exercise “ordinary care,” the court ruled, meant that the plaintiff was left to “bear the losses to which his failure substantially contributed,” the court concluded.
Thankfully, the rest of the bar can learn from these lawyers (and client) mistakes. So, before you find yourself on the hook after a successful phishing attack—or any technology disaster—take some time to investigate how your technology works and whether it provides the appropriate level of security. When an issue arises, take quick action to address it. And don’t be afraid to pick up the phone and confirm before you wire hundreds of thousands of dollars to a strange new account.
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.
