By Lia Szasz, Esq.
In today’s business world, email is a primary means of communication, especially for sending invoices and confirming payments. But this convenience has created a dangerous vulnerability: email-based wire fraud. In a world where hackers exploit even brief lapses in diligence, courts are signaling that email alone isn’t enough. The Imposter Rule serves as a warning: the cost of not picking up the phone may be far higher than you think.
Increasingly, fraudsters are hacking into a company’s email system, impersonating an employee, and sending fake wire instructions that reroute payments to foreign bank accounts. The real estate and construction industries, where payments are often frequent, large, and time-sensitive, are common targets.
When fraud occurs, and the money disappears overseas, both parties are victims. Yet the debt remains unpaid. Who bears the loss? The law provides a framework for answering this question—but not a simple one. A growing number of courts are turning to an old common law doctrine known as the Imposter Rule to determine liability in modern cyberfraud cases.
The Imposter Rule asks which party was in the best position to detect and prevent the fraud. If that party failed to exercise reasonable care, courts may hold them responsible for the lost funds—even if they, too, were duped. In essence, it’s a negligence-based standard focused on risk allocation and fault.
Applying the rule is a fact-intensive inquiry. Courts consider whether the wire instructions matched prior ones used in the relationship, whether the receiving account was in the name of a third party or located in a foreign country, and whether any red flags were missed. But one question now dominates the analysis: Did the payor confirm the new wire instructions by phone?
Courts across jurisdictions increasingly find that a failure to make a verification call constitutes negligence. Even if the fake email appears legitimate, courts are imposing liability on the party who wired funds without verbal confirmation. A single phone call, it seems, can make all the difference. When the Imposter Rule applies, the payor may find themselves paying twice: once to the fraudster, and again to the rightful recipient of the funds.
To avoid becoming the next headline, businesses should implement simple but critical safeguards. Never rely solely on email to confirm payment instructions, especially when wiring funds to a new account. Always verify changes using a phone number known to be correct, not one listed in the email. Train employees to recognize suspicious email behavior, such as unusual language, time-of-day sends, or new domains. Ensure cybersecurity protocols are strong, including two-factor authentication and phishing detection software.
Contractual risk-shifting can also help. Consider including provisions in your agreements that allocate liability for wire fraud or require specific verification procedures. These clauses can establish clarity and potentially shift the burden of loss, potentially overcoming the Imposter Rule’s sometimes harsh result to payors.
