This month, we borrow a lesson from our carpenter friends. Measuring twice helps to avoid mistakes. That sage advice applies to making construction progress payments as well, which are increasingly targeted by cybercriminals.
This arises from a client’s recent experience. You’ve heard stories like this before. This contractor client’s joint venture had been receiving progress payments by wire transfer from the project owner. However, a hacker got into the contractor’s IT system, learned of the pending invoice, and posed as an employee to request that the progress payment be made not to the joint venture through its usual Houston, Texas, bank account but to the general contractor through a new bank in rural New York.
The owner inquired why they would pay the general contractor and not the joint venture as they had in the prior 29 progress payments. The hacker quickly corrected its request, submitted a new request that misspelled the joint venture’s name, and specified ACH to a third bank, this time in Florida. Despite these glaring red flags, the owner wired $460,000 to the hacker’s account.
We can’t divulge the rest of the story, but these types of scams are increasingly common. The FBI’s Annual Cybercrime Report for 2024 calls this a Business Email Compromise (BEC) and cites 21,442 reported complaints last year. The losses totaled over $2.77 billion (about $129,000 average loss per hack), making BEC the cybercrime with the second highest losses for victims.
So, we don’t share this story as news. Instead, it’s an opportunity to tell you how U.S. courts are responding to diverted payments — many of them in construction — and to remind you of steps that you might consider to avoid the risk of cybercrime.
Before we get to court rulings, however, let’s consider some common reactions that one might have. As I’ve told friends and colleagues this story (with client permission but without naming the participants), I’ve heard responses that follow three common themes. These are:
- The contractor did the work but didn’t get paid, so the owner should have to pay again
- It was the contractor’s cybersecurity breach that allowed the diverted payment, so the owner shouldn’t have to pay twice
- The owner had the opportunity to stop the diversion by confirming the payment changes with a call to the purported author
- Red flags in the hacker’s emails heightened the owner’s duty to verify
Each of these themes appears in the handful of written court decisions discussed below. The decisions follow three different approaches:
A Maryland federal court judge wrote a detailed opinion last year ruling that a contractor’s wrongfully diverted payment didn’t discharge the contractor’s contractual obligation to pay its subcontractor.
The court reasoned that the contract’s payment conditions — completion of work, a lien release, and owner payment — were met. Even if the security lapse was the subcontractor’s fault, the court said payment was still due. The court noted the contract’s silence on method of payment or cybersecurity regulations. Even the fraudulent email address with a domain similar to the general contractor’s (.net instead of .com) did not excuse the breach.
The Uniform Commercial Code (UCC) tells us to look to whether the parties exercised ordinary care. Two federal courts in Florida and Texas borrowed a section of the UCC intended for negotiable instruments to evaluate how to apportion loss from an imposter’s fraudulent actions. Although that section is not applicable on its face, the courts followed it, ruling that the payor’s duty to pay is discharged by a diverted payment if the payor is acting in good faith, unless either payor or payee failed to exercise ordinary care and that failure contributes to the loss, in which case the negligent party is responsible.
Both judges found that the payor should have been mindful of, and heeded, the red flags in each case. One of the judges noted that the buyer of goods (payor) was in the better position to confirm the authenticity of wiring instructions, given the change from prior instructions and the noticeable discrepancies in account details. The buyer’s failure to verify the new information was a failure to exercise ordinary care.
The UCC doesn’t apply but comparative fault should nevertheless be used. The final approach we’ve seen came from another Texas case, where a state appeals court determined that the UCC didn’t apply, but common law “holds that when allocating a loss between two parties resulting from another's fraud, the loss should fall on the one who enabled the fraud to happen.” The court then undertook an analysis of comparative fault similar to the approach taken by the courts in the section above.
We can’t tell you what a court would do in the next case. Perhaps the courts will blend these analyses into a uniform approach as more cases are presented to them. But we’re hoping that you’ll view those developments as a spectator rather than a participant. To avoid becoming a participant, let’s consider some approaches.
Your best approach is to attempt to avoid the hack. Consider these approaches:
Keep your computer systems safe by implementing at least the following:
- Have strong passwords, at least 10 characters in length with a mix of capital and small letters, numbers, and special characters.
- Implement multi-factor authentication. This means setting up your IT system so that it cannot be accessed by a password alone — that some additional code, number, or biometric information is needed to access the system. You’re already seeing this in your interactions with banks and health care companies who will ask you to enter a code that they send to your phone or email.
- Make sure that your IT support regularly updates and patches your systems to account for the latest changes in technology and system specifications. They should also be using the latest firewalls, antivirus programs, and threat protection software and regularly backing up your firm’s systems. Your employees should be restarting any Microsoft-based computers weekly to pick up Microsoft patches.
- Give your personnel, especially your human resources and accounting personnel, regular training on IT security and how to spot and avoid cyber scams, phishing attacks, and unauthorized requests for information. There are specialized firms that perform this function. Also, many insurance companies that provide cyber insurance offer this training for free.
Get cyber insurance that covers cybercrime (specifically Business Email Compromise). Speak to the same insurance broker that you use for your other insurance policies (CGL, auto, etc.). They can help you obtain the coverage that is right for your company.
Agree by contract how payments are to be made — or how notifications of changes will be sent. Agree, for example, that payments will only be made by check. Or, if payments are made by wire transfer, agree that the payor will always call a live person at the payee to verify the wire transfer instructions. A code word that only the two parties know adds an extra layer of protection to that call.
Remind customers that you won’t notify them of a change in wiring instructions by email. One of our contractor friends sends letters to their owners every six months reminding them of wiring instructions that haven’t changed. They tell their owners that they won’t change wiring instructions via email. And they encourage owners to direct questions by telephone to a named employee at his/her work phone number.
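The contract-and-callback step and the standing reminder that wiring instructions never change by email both come down to one accounts-payable control: compare every change request against the payee details captured when the contract was signed, and hold the payment for a telephone call to the number on file. The Python below is an added example, not code from the column or from any party to the cases; it reviews two constructed change requests modelled on the story at the top of this column (the payee, domains, banks, account digits and phone number are placeholders).

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional


@dataclass(frozen=True)
class PayeeOnFile:
    """Payment details captured at contract signing (constructed sample)."""
    name: str
    email_domain: str      # the domain the payee's staff really send from
    bank_name: str
    bank_state: str
    account_last4: str
    rail: str              # "wire" or "ACH"
    verify_phone: str      # callback number agreed in the contract, never taken from an email


@dataclass(frozen=True)
class ChangeRequest:
    """What an incoming email asks the payor to do."""
    sender_email: str
    payee_name: str
    bank_name: str
    bank_state: str
    account_last4: str
    rail: str
    phone_in_email: Optional[str] = None   # a number the email itself offers for "verification"


HOLD = "HOLD_FOR_CALLBACK"
RELEASE = "RELEASE"


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def name_similarity(a: str, b: str) -> float:
    """0.0..1.0 similarity; catches one-letter misspellings of the payee name."""
    return SequenceMatcher(None, _norm(a), _norm(b)).ratio()


def review_change_request(on_file: PayeeOnFile, req: ChangeRequest) -> dict:
    """Return a decision plus every red flag found; any flag holds the payment."""
    flags: List[str] = []

    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != on_file.email_domain.lower():
        flags.append(f"sender domain {sender_domain} is not the on-file domain {on_file.email_domain}")

    if _norm(req.payee_name) != _norm(on_file.name):
        if name_similarity(on_file.name, req.payee_name) < 0.6:
            flags.append("payee is a different entity from the payee of record")
        else:
            flags.append("payee name is misspelled relative to the payee of record")

    if (req.bank_name, req.bank_state, req.account_last4) != (
            on_file.bank_name, on_file.bank_state, on_file.account_last4):
        flags.append("bank account differs from the account used for prior payments")

    if req.rail.lower() != on_file.rail.lower():
        flags.append(f"payment method changed from {on_file.rail} to {req.rail}")

    if req.phone_in_email:
        flags.append("email supplies its own callback number; ignore it and use the number on file")

    decision = HOLD if flags else RELEASE
    return {"decision": decision, "flags": flags,
            "callback_number": on_file.verify_phone if flags else None}


# Constructed payee of record: the joint venture paid 29 times to a Houston bank.
ON_FILE = PayeeOnFile(name="Alpha-Beta Joint Venture", email_domain="jv-example.com",
                      bank_name="Example Bank of Houston", bank_state="TX",
                      account_last4="1234", rail="wire", verify_phone="+1-555-0100")

# Constructed requests modelled on the story: first a lookalike domain asking to pay the
# general contractor at a new New York bank, then a misspelled JV name and ACH to Florida.
REQUESTS = [
    ChangeRequest(sender_email="accounting@jv-example.net", payee_name="Alpha Contractors Inc",
                  bank_name="Example Rural Bank", bank_state="NY", account_last4="9876", rail="wire"),
    ChangeRequest(sender_email="accounting@jv-example.com", payee_name="Alpha-Beta Joint Venutre",
                  bank_name="Example Bank of Florida", bank_state="FL", account_last4="5555",
                  rail="ACH", phone_in_email="+1-555-0199"),
]


def review_samples() -> List[dict]:
    return [review_change_request(ON_FILE, r) for r in REQUESTS]


if __name__ == "__main__":
    for req, result in zip(REQUESTS, review_samples()):
        print(result["decision"], "for", req.payee_name, "- call", result["callback_number"])
        for flag in result["flags"]:
            print("  -", flag)
```

Note that the second request comes from the genuine domain and still holds: once a system is compromised the sender address proves nothing, which is why the callback number comes from the contract file rather than from the email.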
We can’t guarantee that you’ll avoid Business Email Compromise. But measuring twice may allow you to cut the check only once.