Business Email Compromises: Current Legal Trends and Key Strategies | Security, Privacy and the Law

Businesses have for years suffered from a sophisticated, targeted cybercrime that exploits trust, human relationships, and our reliance on digital communication: the business email compromise (BEC).  Sometimes referred to as “man-in-the-middle attacks,” BECs are among the most financially damaging cyber-attacks.  Not only do they lead companies to misdirect large wire transfers to criminal actors, these scams also leave behind a messy and costly fallout, including compromised data, onerous breach notification obligations, broken business relationships, and legal disputes with no quick or predictable resolution.

In this post, we cover the following topics:

  • An overview of BECs, including an example of a typical BEC scenario and recent trends and statistics;
  • The growing use of artificial intelligence (AI) to carry out these attacks with increased effectiveness;
  • Legal frameworks used by courts to adjudicate disputes arising from BECs and allocate damages between parties;
  • Steps companies should take after a BEC; and
  • Best practices to prevent BECs from occurring in the first place.

Overview of Business Email Compromises

A typical BEC starts quietly but ends with a bang.  Many of them look like this fictionalized scenario:

One morning in March, a senior accountant at Seller of Stuff, Inc. clicked on what appeared to be a routine email and attachment from a customer.  The attachment would not open – a brief error message flashed.  She deleted the message and moved on, unaware that malicious code had been installed on the company’s network.

For four months, an intruder watched, studying the company’s communications and paying attention to one counterparty in particular: Buyer of Things, Inc., a longstanding customer that regularly wired large payments.  The intruder noted that the controller handled payment coordination.  Then the intruder made a move.

Buyer of Things had a $2.4 million payment to Seller of Stuff coming due.  Three days before the payment would be made, a clerk in accounts payable at Buyer of Things received an email appearing to come from the controller at Seller of Stuff, explaining that Seller of Stuff had transitioned to a new bank and providing updated wire instructions.  The new Seller of Stuff account was at a bank the clerk had not heard of located in a different state, but the clerk did not think about it too much, given that the email had come from the controller.  The clerk processed the $2.4 million payment.

Two days later, Buyer of Things’ funds were wired to an account opened under a fictitious name, not to Seller of Stuff.  By the time Seller of Stuff called about the overdue payment, the funds were gone.  Seller of Stuff insisted it never sent updated wiring instructions and demanded payment from Buyer of Things.  Buyer of Things countered that it had paid in good faith and blamed Seller of Stuff’s compromised email system.

The financial losses from schemes like this are staggering, both individually and collectively.  According to the FBI’s Internet Crime Complaint Center (IC3) 2024 Annual Report, the most recent data from IC3, business email compromises resulted in over 21,000 complaints and were the second most costly crime reported to IC3, with close to $2.8 billion in losses.  According to the 2025 Association for Financial Professionals (AFP) Payments Fraud and Control Survey, 63% of surveyed treasury practitioners cited BECs as the number one avenue for payment fraud attempts. IC3 has also reported that between October 2013 and December 2023, business email compromise scams caused over $55 billion in domestic and international losses, with U.S. victims reporting over $20 billion in losses.  In particular, the IC3 has seen increased BEC reports involving funds sent directly to financial institutions that hold accounts for third-party payment processors, peer-to-peer payment processors, and cryptocurrency exchanges.

In 2026, cyber attackers are leveraging generative AI tools to improve the effectiveness of their schemes.  Threat actors can now use generative AI to efficiently scour the internet for personal information relevant to a target and draft highly credible phishing emails, with technically perfect prose, at a scale and speed previously unachievable by humans.  IBM’s Cost of a Data Breach Report 2025 reported that 16% of all data breaches in 2025 (including BECs) involved attackers using AI, with 37% of those attacks involving AI-generated phishing or other communications.  Those percentages are likely to increase throughout 2026 as cybercriminals use generative AI tools to maximize cyberattacks, like BECs, that depend on social engineering.

Who Bears the Loss of a BEC?  

BECs often result in lawsuits to determine who should bear the losses these attacks leave behind—typically, a payor’s misdirected wire transfer and a payee’s unpaid invoice.  Cases involving BECs are often fact-intensive and generally not decided before trial.[i]  The case law stemming from BECs has evolved over the past decade, with courts largely taking two different approaches to allocating these losses when multiple parties have been harmed by a BEC: applying the so-called “imposter rule,” and thereby asking who was in the best position to prevent the loss, or employing a straightforward (and less forgiving) breach of contract analysis.

The Imposter Rule

Victims of BEC scams often bring lawsuits involving negligence and/or breach of contract claims against other involved parties, including third-party institutions or business partners who may have unwittingly played a role in the fraud (especially where a breach in a party’s IT system allowed the threat actor to impersonate that party in external communications).  The imposter rule comes from Section 3-404 of the Uniform Commercial Code and gets its name from scenarios where a fraudster impersonates someone to induce a counterparty to make a payment.  This rule has emerged as the prevailing legal theory for addressing BEC-related lawsuits. 

Courts following the imposter rule will assign liability to the party that, under the circumstances, is determined to have been in the best position to discover and prevent the fraud.[ii]  Though the analysis is highly fact-specific, application of the rule often results in liability for payors that fail to verify suspicious payment instructions, even if the attack originated with a compromise of the payee’s computer system.

In Erie Ins. Co. v. WAWGD, Inc., Civil Action No. EA-22-1783, 2024 U.S. Dist. LEXIS 77140 (D. Md. Apr. 29, 2024), the U.S. District Court for the District of Maryland applied an imposter rule analysis to assign responsibility for the loss associated with a BEC scam. The case arose from a threat actor’s successful impersonation of counsel for the plaintiff Erie Insurance Company during an email exchange between the parties’ attorneys regarding a settlement agreement. The threat actor emailed fraudulent wiring instructions to the defendant company, WAWGD, Inc., resulting in WAWGD inadvertently wiring payments associated with the settlement agreement directly to the threat actor. When the plaintiff Erie brought a subrogation action to seek recovery from WAWGD, WAWGD argued that because plaintiff counsel’s email system was the source of the compromise and resulted in the threat actor fraudulently intercepting the settlement proceeds, WAWGD was not responsible for issuing another check to Erie. Conversely, Erie argued that WAWGD could not be excused from performance under the settlement agreement and that WAWGD’s sole remedy for its loss was to seek recovery from the unidentified threat actor. 

Invoking Section 3-404 of the Uniform Commercial Code and prior cases applying the imposter rule analysis, the court determined that the defendant WAWGD was still responsible for paying the plaintiff Erie the previously agreed upon amount. Critically, the court determined that WAWGD was “in the best position to prevent the fraud” and “failed to exercise reasonable care,” given that no earnest effort was made to verify payment instructions over the course of 50 emails involving the threat actor, many of which presented multiple indicia of fraud. For example, the imposter’s email address did not match Erie’s counsel, communications regarding payment conflicted with prior instructions and altered names, addresses, and methods of payment, and the emails “contained typographical errors and did not reflect a sophisticated understanding of how settlement payments are executed.” Although WAWGD had already suffered a loss from paying the wrong party, the court concluded that WAWGD was still obligated to pay Erie the previously agreed upon amount.

Breach of Contract

Other courts have applied a straightforward breach-of-contract analysis without regard to the relative fault of the parties involved in a BEC.  Under this approach, courts enforce the payment terms of an agreement even where a payor acted reasonably in unwittingly sending payment to a threat actor instead of the intended payee.  Courts applying this analysis will typically find failure to pay the proper payee to be dispositive regardless of the payor’s intent or the sophistication of the BEC.[iii]

In Barrett v. Daly, 743 F. Supp. 3d 672 (D. Md. 2024), the U.S. District Court for the District of Maryland declined to apply the imposter rule and instead considered only two questions: whether a settlement agreement between the parties was enforceable, and whether the defendant had made the required settlement payment to the plaintiff.  The court answered both questions in the affirmative, concluding that the defendant was liable for the nonpayment despite his intention to make the payment and relative lack of fault for the misdirected payment (it was the defendant’s insurer, through counsel, that had fallen victim to the fraudulent email scheme).  The court acknowledged that the defendant may have had a claim against the insurer’s counsel for failing to prevent the fraud but determined that “none of those causes of actions [had] been asserted” and entered judgment against the defendant.  Barrett illustrates that a binding agreement can be outcome determinative in a dispute arising from a BEC.

How Should Your Company Respond to a Business Email Compromise?

When a company discovers it has been involved in a business email compromise, it should move quickly and pursue multiple avenues of potential recovery.  The following are key steps to take in the aftermath of such an attack, although in all cases you should consult with legal counsel to consider whether, when, and how these steps should be taken in any specific case:

  1. Notify the payor’s bank.  As soon as possible following the discovery of a business email compromise, an impacted party—either the payor or payee—should notify the payor’s bank and instruct the bank to recall the payment and contact the receiving institution to freeze the funds.  Time is of the essence for this step, as every minute that passes following the wire request reduces the likelihood of a full or even partial recovery of the funds.
  2. File a complaint with the FBI. Submit an online complaint with the FBI’s Internet Crime Complaint Center (IC3), also as soon as possible.  The FBI has had some success in clawing back wire transfers that were misdirected because of fraud.  It is critically important, however, to have counsel involved in both the decision to notify and in the kinds of communications that should be sent.
  3. Conduct an incident review to understand the nature and scope of the attack.  If a company believes that its IT system was or may have been compromised in connection with a BEC, it should—through legal counsel—engage a forensic vendor to conduct a privileged investigation into whether there was a compromise, and if so, which systems and files were impacted.  
  4. Review insurance policies and notify insurers.  Identify any potentially applicable insurance policies to determine whether coverage is included for a BEC and what notification may be required to the insurer and/or other parties, especially if your company maintains business fraud or cyber fraud insurance designed to protect against financial losses from fraudulent activity. Cyber fraud insurance commonly covers incidents involving fraudulent misdirection of funds, in addition to coverage for other forms of cybercrime (including cyber extortion, ransomware attacks, and identity theft).  In some cases, cyber insurance policies may also include an obligation by the insurance company to work with law enforcement and financial institutions to attempt to replace or claw back lost funds.  
  5. Provide other required notifications.  A company harmed by a business email compromise should, consistent with applicable legal requirements, notify any customers or other individuals whose personal information was compromised during the attack.  Breach notification requirements are largely established by state law, and the process of determining whose information has been accessed, where those individuals reside, and what, if any, notification they must receive is complex and time-consuming.  Consult with legal counsel to determine whether consumer notification is necessary, what form of notification is required, and whether your company has contractual obligations to notify business partners or other organizations in the event of a BEC.
  6. Engage with other parties involved.  BECs leave behind a trail of damage.  There is often a payor that misdirected funds and now faces the prospect of making that same payment again, this time to the correct counterparty.  That counterparty will want the payment to which it was entitled in the first place but never received.  Sometimes payment intermediaries or other parties arguably have some responsibility for the loss.  These multi-party disputes must be handled strategically and with careful attention to any applicable contractual terms, including dispute resolution provisions that may mandate mediation, arbitration, or litigation in an inconvenient forum.
  7. Implement improvements. Being involved in a BEC is a painful but potent learning experience for any organization.  There should be cybersecurity enhancements, changes to payment protocols, education, training, and other measures taken to reduce the risk of similar cyberattacks in the future.

Reducing the Risk of Business Email Compromises

Though BEC attacks have increased in sophistication and frequency, organizations can take the following measures to reduce the likelihood of such attacks or mitigate their impact:

1. Establish strong IT security and email/password management protocols.  Regular review of an organization’s IT protocols is crucial to detecting a BEC and preventing a threat actor from entering and staying in the organization’s systems. 

    Establish robust password complexity minimums (e.g., requiring a mix of letters, numbers, and special characters).

    Implement multifactor authentication (MFA) requirements that require additional verification methods beyond the use of a password before providing access to an email account or financial information. 

    Clearly flag emails from senders outside the organization.  An automatically populated header signaling when an email originates externally can place employees on higher alert and increase the likelihood that they detect an attempted intrusion.

    Implement notifications to detect the creation of automatic forwarding rules in email accounts, which are often used by threat actors to hide evidence of a fraudulent transaction; or consider eliminating auto-forwarding entirely. 

    Regularly review audit logs.  Ensure that IT teams review audit logs on a regular basis, which could reveal unauthorized access by a threat actor.  Failure to implement appropriate security measures, like audit log reviews, could be used following a BEC as evidence that the organization was the party in the best position to prevent a financial loss.


2. Sensitize personnel to be alert for red flags.  Employees and officers of an organization should be trained to recognize common red flags in phishing emails, including typos, typeface irregularities or inconsistencies, grammatical mistakes, and unsolicited links or attachments.  Unfortunately, these red flags are appearing less frequently, which makes fraudulent requests harder to detect: generative AI enables threat actors from foreign countries to realistically replicate fluency in any major language and to eliminate the awkward turns of phrase that have historically been somewhat reliable indicators of foul play.

    Be on the lookout for emails that describe atypical circumstances (e.g., an apparently urgent need to complete a transaction or use an alternate bank account, especially where there are sudden or numerous changes to regularly used bank account information). 

    Be alert when receiving an email sent from an atypical party, such as someone claiming to have authority but who is not an established point of contact for a particular transaction, which is a common indicator of a BEC.

3. Follow independent verification protocols.  Members of an organization should be taught to not only recognize the indicators of a BEC attack, but also to consistently follow established best practices for conducting business transactions. 

    Employees involved in the processing of wire transfers and financial transactions should insist on multiple methods of verification (e.g., verbal and/or visual confirmation, through trusted verification channels, of the amount and destination of a particular wire transfer) before authorizing a transaction, particularly when circumstances are time-sensitive or unusual.  As shown in cases that apply the imposter rule, whether a payor verified the authenticity of unusual instructions via telephone or another contact method is a key fact in determining fault for any resulting losses.

    Over the past several years, the rise of “deepfakes” and AI-powered audio and video tools has made it increasingly easy and effective for fraudsters to convincingly impersonate real voices, images, and people.  Be hyper-vigilant for unusual circumstances or behavior when verifying financial transactions.  Consider establishing specific verification protocols that are difficult to replicate (e.g., predetermined security codes or in-person verification) and ensure that you use secure, verified communication channels whenever possible.

4. Secure appropriate insurance coverage.  Coverage for losses flowing from successful attacks may be provided in first-party cyber-incident insurance policies or commercial crime insurance policies under provisions regarding fraudulent transfers of funds or social engineering fraud.

    Consult with an insurance broker and legal counsel to identify the appropriate types and levels of coverage.
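Item 1 above recommends alerting on the creation of automatic forwarding rules and reviewing audit logs regularly.  The following script is an added example, not code from the original post or from any vendor, of what such a review can look like in practice.  It reads audit records for inbox-rule operations, flags rules that forward or redirect mail (with a higher severity when the destination is outside the organization or the rule also deletes or moves the matching messages), and returns findings an IT team could act on.  The sample records are constructed for this example and loosely modeled on Microsoft 365 unified audit log entries; the field names (`Operation`, `UserId`, `Parameters`, `ForwardTo`, `RedirectTo`, `DeleteMessage`, etc.) are assumptions that should be adjusted to the log format of your own mail platform.

```python
import json
from typing import Dict, List, Optional

# Constructed sample audit records for this example. Addresses, IPs and
# timestamps are fictional; the record layout is an assumption loosely
# modeled on inbox-rule events in a cloud mail platform's audit log.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "CreationTime": "2025-03-04T09:12:41", "Operation": "New-InboxRule",
        "UserId": "controller@seller-of-stuff.example", "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "Invoices"},
            {"Name": "ForwardTo", "Value": "archive.mailbox@mail-relay.example"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
        ],
    }),
    json.dumps({  # benign: moves newsletters, no forwarding at all
        "CreationTime": "2025-03-04T10:02:13", "Operation": "Set-InboxRule",
        "UserId": "analyst@seller-of-stuff.example", "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "Reading"},
        ],
    }),
    json.dumps({  # internal redirect: worth a look, but lower severity
        "CreationTime": "2025-03-05T08:30:00", "Operation": "Set-InboxRule",
        "UserId": "ap.clerk@seller-of-stuff.example", "ClientIP": "198.51.100.9",
        "Parameters": [
            {"Name": "Name", "Value": "Backup"},
            {"Name": "RedirectTo", "Value": "backup@seller-of-stuff.example"},
        ],
    }),
]

INTERNAL_DOMAINS = {"seller-of-stuff.example"}          # the organization's own mail domains
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")    # operations that create or change rules
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")  # tuple: keeps output order stable
HIDING_PARAMS = ("DeleteMessage", "MoveToFolder")       # actions that bury the forwarded mail


def params_of(record: dict) -> Dict[str, str]:
    """Flatten the record's name/value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address: str, internal_domains) -> bool:
    """True when the address's domain is not one of the organization's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def assess_rule(record: dict, internal_domains=INTERNAL_DOMAINS) -> Optional[dict]:
    """Return a finding when the record creates/changes a forwarding rule, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = params_of(record)
    destinations = [params[key] for key in FORWARD_PARAMS if key in params]
    if not destinations:
        return None  # rule does not forward or redirect anything
    external = [d for d in destinations if is_external(d, internal_domains)]
    reasons: List[str] = []
    if external:
        reasons.append("forwards mail to an address outside the organization")
    else:
        reasons.append("forwards mail within the organization; confirm it is expected")
    if any(key in params for key in HIDING_PARAMS):
        reasons.append("also deletes or moves the matching messages")
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "rule_name": params.get("Name", ""),
        "destinations": destinations,
        "reasons": reasons,
        "severity": "high" if external else "medium",
    }


def find_forwarding_rules(lines: List[str], internal_domains=INTERNAL_DOMAINS) -> List[dict]:
    """Scan JSON audit lines and collect findings for forwarding rules."""
    findings = []
    for line in lines:
        finding = assess_rule(json.loads(line), internal_domains)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_forwarding_rules(SAMPLE_AUDIT_LINES):
        print(f"[{f['severity']}] {f['time']} {f['user']} rule '{f['rule_name']}' -> "
              f"{', '.join(f['destinations'])}: {'; '.join(f['reasons'])}")
```

Run against a real export, a high-severity finding (external destination, especially combined with deletion) is the kind of event worth an immediate review of that mailbox, while the medium-severity internal redirect can be confirmed with the account owner.  Where the platform supports it, the same logic belongs in an alert rather than a periodic review, since the text notes how quickly a BEC moves from rule creation to a misdirected wire.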
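Items 2 and 3 above describe the red flags in a payment-instruction change (a new bank, urgency, an unfamiliar sender or contact details) and the independent verification that courts applying the imposter rule look for.  The following is an added example, not code from the original post, of how an accounts-payable workflow can encode those rules: a change request is compared against the vendor master record, each red flag is recorded, and the payment is released only if a callback was made to the phone number already on file (never to a number supplied in the email) and the vendor confirmed the new details.  The vendor record, the request text and the class and field names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VendorRecord:
    """What the organization already holds for the counterparty (vendor master file)."""
    name: str
    email_domain: str
    bank_name: str
    account_last4: str
    verification_phone: str  # number established at onboarding, not taken from any email


@dataclass
class InstructionChange:
    """A request, received by email, to pay to different bank details."""
    sender_address: str
    new_bank_name: str
    new_account_last4: str
    message_text: str
    callback_phone_in_email: Optional[str]


@dataclass
class CallbackVerification:
    """Record of the independent, out-of-band check performed by the payor."""
    phone_dialed: str
    confirmed_by: str
    confirmed_bank: str
    confirmed_last4: str


URGENCY_TERMS = ("urgent", "immediately", "today", "before close")

# Constructed sample data mirroring the post's fictional Seller of Stuff scenario.
SAMPLE_VENDOR = VendorRecord(
    name="Seller of Stuff, Inc.", email_domain="seller-of-stuff.example",
    bank_name="First Example Bank", account_last4="4417", verification_phone="+1-555-0100",
)
SAMPLE_REQUEST = InstructionChange(
    sender_address="controller@seller-of-stuff.example",   # genuine domain: a compromised mailbox
    new_bank_name="Northwind Regional Bank", new_account_last4="9082",
    message_text="We have transitioned to a new bank. Please use the updated wire "
                 "instructions for this week's payment; it is urgent that it goes out before close.",
    callback_phone_in_email="+1-555-0177",
)


def red_flags(req: InstructionChange, vendor: VendorRecord) -> List[str]:
    """Return the indicators of a possible BEC present in the change request."""
    flags: List[str] = []
    sender_domain = req.sender_address.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        flags.append("sender domain differs from the vendor's domain on file")
    if req.new_bank_name.lower() != vendor.bank_name.lower():
        flags.append("bank differs from the bank on file")
    if req.new_account_last4 != vendor.account_last4:
        flags.append("account number differs from the account on file")
    if any(term in req.message_text.lower() for term in URGENCY_TERMS):
        flags.append("message uses urgency language")
    if req.callback_phone_in_email and req.callback_phone_in_email != vendor.verification_phone:
        flags.append("email supplies a callback number different from the one on file")
    return flags


def release_decision(req: InstructionChange, vendor: VendorRecord,
                     verification: Optional[CallbackVerification]) -> Tuple[bool, List[str]]:
    """Decide whether payment may go to the new details; returns (release?, notes)."""
    notes = red_flags(req, vendor)
    if not notes:
        return True, notes  # nothing changed relative to the vendor record
    if verification is None:
        return False, notes + ["hold: no independent callback verification recorded"]
    if verification.phone_dialed != vendor.verification_phone:
        return False, notes + ["hold: callback used a number not taken from the vendor master record"]
    if (verification.confirmed_bank.lower(), verification.confirmed_last4) != \
            (req.new_bank_name.lower(), req.new_account_last4):
        return False, notes + ["hold: vendor did not confirm the new instructions"]
    return True, notes  # flags remain on record, but the change was independently confirmed


if __name__ == "__main__":
    ok, notes = release_decision(SAMPLE_REQUEST, SAMPLE_VENDOR, None)
    print("release:", ok)
    for n in notes:
        print(" -", n)
```

The design point is that the flags alone never block a legitimate bank change; they force the callback, and the callback is only valid when placed to the number the organization already held.  Keeping the returned notes with the payment record also produces the documentation a payor would want if the loss is later litigated under the imposter rule.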

[i] Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 Fed. Appx. 348 (6th Cir. 2018) (question of which party was in the best position to prevent the fraud is a factual dispute that should not be resolved at summary judgment stage); but see Forde v. Krantz, No. 21-cv-80603-RKA, 2023 U.S. Dist. LEXIS 192940 (S.D. Fla. Oct. 26, 2023) (summary judgment granted because facts, even when viewed in the light most favorable to plaintiff, were sufficient to find that plaintiff buyer had materially breached his obligations to defendant seller, where buyer clearly failed to exercise reasonable care to verify fraudulent wiring instructions).
[ii] See, e.g., Thomas v. Corbyn Restaurant Development Corp., 111 Cal. App. 5th 439 (2025) (risk of loss from an imposter’s fraudulent diversion of a wire transfer shall be borne by the party in the best position to prevent the fraud); Ostrich Int’l Co., LTD v. Michael A. Edwards Grp. Int’l Inc., No. 2:21-cv-00639-JVS(ASx), 2023 U.S. Dist. LEXIS 105828 (C.D. Cal. May 18, 2023) (party that failed to carefully evaluate email addresses and telephone opposing counsel to confirm wiring instructions in the face of multiple, conflicting instructions could have more easily avoided the loss); Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915 (D. Nev. 2020) (buyer was in the best position to prevent the loss by taking the reasonable precaution of verifying the wiring instructions by phone; while the email account hack created the scenario for the loss, the seller had taken reasonable security steps, including hiring an IT consultant and installing virus scanning software on its systems).
[iii] See, e.g., Barrett v. Daly (discussed above); Erie Ins. Co. v. WAWGD, Inc. (D. Md. Apr. 29, 2024) (under either imposter rule or contractual analysis, payor was obligated to perform under terms of settlement agreement despite BEC scam; threat actor’s actions only affected performance of the agreement, not its formation, and did not render the settlement agreement void); Peeples v. Carolina Container, LLC, No. 4:19-CV-21-MLB, 2021 U.S. Dist. LEXIS 176076 (N.D. Ga. Sept. 16, 2021) (finding breach of contract where payment was unknowingly remitted to third-party fraudster).