Skip to content

Who’s to Blame: Texas Federal Court Finds Contractual Counterparty Not Liable for Third-Party Wire Transfer Fraud

Time for a Check-Up: Updates in Data Breach Notification and Reporting Background Image

The facts are an oft-told business email compromise horror story: a hacker interjects themselves into an email discussion of a business deal, changes the wire instructions to their own account, and disappears with the misdirected funds. The buyer is out the money and has no product. The seller hasn’t been paid and won’t ship the product. Everyone is looking for someone to blame and a lawsuit follows. So who’s to blame?

A federal court in Houston offered its view on this question recently, rejecting claims brought by the victim of wire transfer fraud attempting to recover misdirected funds from its contractual counterparty. Benchellal v. The Okonite Co., Inc., No. 4:22-CV-04435 (S.D. Tex. Mar. 11, 2024). Ultimately, the court ruled that the victim could not recover under Texas Business and Commerce Code Section 3.406, or for common law negligence or breach of contract. Id.

There is no clear consensus on these issues under Texas law. At least one other Texas court has sidestepped negligence altogether and handled similar facts under a breach of contract theory, falling back on the UCC’s “imposter rule.” Meaning, the party in the best position to prevent the impersonation by exercising reasonable care bears the loss for a misdirected payment.1

But even as the law develops, Okonite serves as an important reminder companies should develop and employ processes to identify fraudulent communications and to arm internal stakeholders with the tools needed to avoid falling victim to a false wire transfer scheme or other business email compromise. Cybersecurity insurance, if available, may also help to recover some portion of misdirected funds.

Overview of the Case

Plaintiffs Mohamed Benchellal and Benchellal Electrical Engineering S.A.R.L. (collectively, “Benchellal”) and Defendant The Okonite Company, Inc. (“Okonite”) were engaged in email negotiations regarding a potential contract for sale of custom electrical cable to Benchellal.

Over a year into negotiations and close to closing, Benchellal emailed a correct Okonite email address asking for banking details, but the response came from a fake email account (“okonte.com,” missing the “i”). Even though this new banking information conflicted with previous wire instructions from Okonite, Benchellal proceeded to wire approximately $250,000 to the malicious actor’s account. The malicious actor, having received the funds, then disappeared.

Okonite refused to proceed with Benchellal’s purchase order because Okonite had not — in reality — received payment from Benchellal. Benchellal then sued, bringing claims of negligence, violation of Texas Business and Commerce Code Section 3.406, and breach of contract against Okonite in federal court, alleging Okonite negligently failed to warn of the cyberattack and failed to train its employees to detect, report, and delete phishing emails that compromised email security. Okonite moved for summary judgment on all claims.

The court granted Okonite’s motion for summary judgment in its entirety, ruling:

  • Plaintiffs did not have Article III standing to sue, as their alleged injury was not “fairly traceable” to Okonite’s conduct.
  • Plaintiffs’ injury was not “proximately caused” by Okonite’s conduct.
  • Benchellal’s evidence provided no more than speculation that the email scam originated from a cyberattack impacting Okonite’s computer network.
  • The court also cited a line of cases in the Fifth Circuit holding that intervening acts of third parties break the chain of causation for standing purposes.2
  • Regarding Benchellal’s negligence claim, the court determined there was no “special relationship” between Benchellal and Okonite that created a duty for Okonite to act to prevent harm to Benchellal.
  • Finally, the court concluded Benchellal was nevertheless precluded from recovering on their negligence claim under the economic loss rule because their injury consisted only of economic losses from a contractual expectancy.
  • The court determined that Section 3.406 of the Texas Business and Commerce Code was inapplicable in its entirety, as that provision only applies to a negotiable instrument

Finally, the court rejected Benchellal’s breach of contract claim, concluding that, even if a valid contract was formed between the parties, there was no breach by Okonite despite its refusal to provide the at-issue goods because Benchellal never paid. Rather, Benchellal wired funds to the third-party malicious actor’s bank account. The court rejected Benchellal’s novel argument that the malicious actors had apparent authority to accept payment for Okonite because no conduct by Okonite, the principal, or its legitimate agents created apparent authority in the malicious actors.

What This Means for You

The law in this area is continuing to develop. This is just one judge’s opinion and a different court may have ruled differently. In addition, the victim here appears to have done little to develop a record about the nature, cause and scope of the cybersecurity incident, and thus the court was left only with speculation that a breach did in fact occur. Other courts have found a duty of care may be created if the entity is in the better position to discover and prevent the fraud. Companies should take care to detect suspicious or unusual activity in their business transactions and promptly notify customers if any such activity is identified.

Further, this case highlights what we already know: a victim of third-party wire transfer fraud will likely have a difficult time recovering its losses. Accordingly, it is important to develop and employ processes to avoid falling victim in the first place. This could include learning and documenting the other contracting party’s payment information and payment protocol through trustworthy means other than business email. Companies should also educate employees on how to identify fraudulent communications and how to take steps to verify that the sender and the content of the email are legitimate.

V&E assists clients in identifying, managing, and mitigating cybersecurity risks, from early planning and assessment to managing incident response and resulting investigations and litigation.

1 See J.F. Nut Co., S.A. de C.V. v. San Saba Pecan, LP, No. A-17-CV-00405-SS, 2018 WL 7286493, at *3 (W.D. Tex. July 23, 2018) (“liability for … misdirected payment will be determined based on an allocation of fault … .”).

2 See S. Christian Leadership Conf. v. Sup. Ct. of State of La., 252 F.3d 781, 788 (5th Cir. 2001); Zamarripa v. Farrakhan, No. 3:16-CV-3109-N, 2017 WL 11563226 at *4 (N.D. Tex. June 20, 2017); Pennie v. Obama, 255 F. Supp. 3d 648, 661 (N.D. Tex. 2017); Peters v. St. Joseph Servs. Corp., 74 F. Supp. 3d 847, 854 (S.D. Tex. 2019).

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.