If you aren’t losing sleep over malicious phishing schemes and other cybercrimes, you should be. According to the FBI, one type of cybercrime in particular—Business Email Compromise or BEC—cost businesses more than $26 billion over only three years. And, to bring the point closer to home, according to State Bar alerts, cybercriminals who use these schemes are specifically targeting North Carolina lawyers.
The U.S. District Court for the Western District of North Carolina recently considered a section 75-1.1 claim that arose out of a BEC cybercrime known as wire-transfer phishing. The decision provides a small lesson about section 75-1.1 litigation and serves as an important reminder for lawyers to remain vigilant against cyberthreats.
Nirav Ingredients v. Wells Fargo: The Background
Nirav Ingredients, Inc. v. Wells Fargo Bank, N.A. was brought by two companies who did business together—Nirav and Ash. Ash purchased chemicals from Nirav over a two-year period and paid for them in 10 separate wire transfers that were executed without incident.
Things changed in May 2019. As Ash was preparing to make a payment to Nirav, it received an email with wire-transfer instructions. Ash was expecting an email and instructions, and what Ash received generally looked correct. Ash recognized Nirav’s correct name and address listed as the wire-transfer beneficiary. The instructions identified an account at Wells Fargo—the bank that Nirav had used exclusively for over 25 years. Believing the instructions to be legitimate, Ash wired over $95,000 to the account.
Unfortunately for both Nirav and Ash, the emailed instructions were fraudulent. On closer inspection, they realized that the sender’s email account, although otherwise legitimate looking, had an extra “v” in Nirav’s name—a technique called email spoofing. The Wells Fargo account number in the instructions was not Nirav’s. Instead, it was a newly established account that the sender (referred to as “Hacker” in the opinion) had opened. Hacker had received the $95,000 that Ash intended to send to Nirav.
Upon discovering that they had fallen victim to cybercrime, Nirav and Ash tried to track down the money. They asked Wells Fargo to help them identify Hacker, but, according to their allegations, Wells Fargo refused.
Time Out: A Familiar Fact Pattern for Lawyers
If the facts of Nirav sound familiar to you, it may be because they mirror a 2015 Formal Ethics Opinion that caused you more than one sleepless night.
Inquiry #5 in 2015 FEO 6 follows the story of a lawyer retained to close a real estate transaction. The lawyer had funds for the closing in a trust account and planned to disburse the funds to the seller by trust account check.
Unbeknownst to the lawyer, however, someone (also named Hacker, incidentally) had gained access to information about the transaction. Hacker sent the lawyer an email from a “spoof” email address that—just like the email address in Nirav—varied from a legitimate address by only one letter. The email told the lawyer that there had been a change in plans and that the seller wanted the funds wired to a particular account rather than sent by check. The lawyer complied and soon thereafter learned it was a scam. Although the lawyer asked the bank to reverse the wire, the bank refused and said that it would “not cooperate or communicate with Lawyer without a subpoena.”
The related opinion confirms that, on these facts, the lawyer has a professional responsibility to replace the stolen funds. The lawyer should have implemented reasonable security measures to prevent the theft. In particular, the lawyer should have called the seller to confirm the change in plans or otherwise confirmed the seller’s email address.
Back to Nirav: The Lawsuit
Nirav and Ash brought a lawsuit against Hacker, in which Nirav also sued Wells Fargo. Nirav blamed Wells Fargo for permitting Hacker to open an account in the first place. It also complained that, given Nirav’s 25-year exclusive banking relationship, Wells Fargo should have detected an error in the wire-transfer request and raised a red flag. Finally, Nirav complained that Wells Fargo did not help Nirav and Ash investigate Hacker.
Nirav asserted three claims against Wells Fargo: (1) negligence, (2) violation of Article 4A of the UCC, as adopted in North Carolina, and (3) section 75-1.1.
After removing the case to federal court, Wells Fargo moved to dismiss the complaint for failure to state a claim. The court largely granted Wells Fargo’s motion.
Nirav first held that Federal Reserve Board Regulation J preempted Nirav’s negligence claim in large part. Subpart B of Regulation J incorporates Article 4A of the UCC as an “exclusive means of determining the rights, duties, and liabilities of the affected parties in [fund transfers].” A pair of Fourth Circuit cases, Donmar Enterprises v. Southern National Bank and Eisenberg v. Wachovia Bank, N.A., controlled. Together, they held that state-law negligence claims in conflict with Regulation J are preempted, but those “applicable to bank functions having nothing to do with” wire transfers are not. Nirav’s negligence claim could proceed, but only insofar as it was based on conduct before the wire transfer—namely, the creation of Hacker’s account.
Nirav’s claim under Article 4A was dismissed for lack of standing. Although the statute provides rights and remedies when a wire-transfer beneficiary has been misdescribed, those rights and remedies do not extend to those who claim to be “intended beneficiaries” like Nirav. While Ash, as an “originator” of the transfer, might have claims under the statute, Ash had asserted no claims against Wells Fargo.
The court then made quick work of Nirav’s section 75-1.1 claim, reasoning that it was based entirely on the same conduct as the other claims and, thus, rose or fell with them. Because the negligence and Article 4A claims failed as a matter of law, they could not serve as the basis for a section 75-1.1 claim. But what about the portion of the negligence claim based on the creation of Hacker’s account that survived the motion to dismiss? Nirav’s complaint alleged that the section 75-1.1 claim was based, in part, on Wells Fargo “[f]ailing to have proper procedures in place to prevent Hacker from opening [Hacker’s] Fake Account.” The court, however, noted that Nirav’s brief in opposition to the motion to dismiss narrowed its claim “to specific tortious conduct related only to the wire transfer procedures and post-transfer conduct.” Accordingly, it dismissed the claim in its entirety.
The Takeaways for Section 75-1.1 Litigation and Cybersecurity
Nirav illustrates a routine point about section 75-1.1 litigation: A section 75-1.1 claim is often judged by the company that it keeps. Section 75-1.1 prohibits a broad scope of conduct (including, for example, direct unfairness and deception that falls short of fraud) that can extend far beyond the reach of other claims. As we have discussed previously, though, the section 75-1.1 claim may rise or fall with the other claims in the case unless some differentiating conduct is pleaded and argued explicitly.
Nirav also serves as an important reminder to stay vigilant against cyberthreats—including, especially, BEC schemes. Lawyers act as information intermediaries all the time, handling communications between clients and opposing counsel or other third parties. We also engage with the wire-transfer process more than many other professionals, authorizing wires when transactions close, when litigation settles, and when the funds entrusted to our care need to be moved. It is no wonder cybercriminals view the bar as a target-rich environment.
(If you want to know what you can do to avoid a mishap like the fact pattern in Nirav, your malpractice carrier is likely a great source of information about “best practices” in this area. Lawyers Mutual provides a helpful list of “best practices” here. Remember, lawyers are under affirmative duties to stay educated about security risks posed by wire transfers and to actively maintain up-to-date, end-user security for themselves and their staff.)