Cybercriminals will continue intercepting electronic fund transfers (EFTs) until EFT participants slow down, read, and ask questions, particularly in response to emails requesting last-minute changes to payment methods (e.g., from check to wire or ACH) or destinations (e.g., from one payee to another). Whether handling a lawsuit settlement, a real estate closing, or a routine transaction between businesses, EFT participants should view emails requesting last-minute changes to payment methods or destinations with extreme skepticism. In other words, assume the worst.
Two recent cases bear this out. In Thomas v. Corbyn Rest. Dev. Corp,[1] the parties to a personal injury lawsuit reached a $475,000 settlement to be paid by check to the plaintiff and the trust account of the plaintiff’s law firm. About one week later, an imposter emailed the defendants’ attorney from an email address that closely resembled that of an administrator at the plaintiff’s law firm[2] to request that the settlement funds be paid by wire to a different payee.[3] Accounting personnel from the defendants’ law firm spoke with a person identified in one of the imposter emails as the “Head of Finance” at the plaintiff’s law firm before sending the wire to the imposter’s account. After not receiving the settlement funds, the plaintiff obtained a judgment on an application to enforce the settlement agreement, which judgment was affirmed on appeal, based on a finding that the defendants’ law firm had stood in the best position to prevent the fraud but had ignored several red flags. The red flags included last minute changes to the settlement’s payment terms, including method of payment, payee, removal of plaintiff’s name, and location of bank, as well as changes in email addresses and phone numbers for the plaintiff’s law firm, particularly because the defendants’ law firm knew that a phone number listed on an imposter email was inoperable.
In Real Advantage Title Ins. Co. v. United States,[4] an escrow agent for a real estate closing received three sets of payoff instructions from a trustee, each identifying NOVAD Management Consulting, LLC (NOVAD) as the payee and specifying that a cashier’s check or certified funds were the only acceptable methods of payment. Nonetheless, at the request of a title company that was also acting as sub-escrow agent, the escrow agent emailed NOVAD at a given address to request wire instructions. The next day, the escrow agent received fraudulent wire instructions by email from a slightly different email address. The escrow agent then forwarded the fraudulent wire instructions to the sub-escrow agent, who wired the funds to the imposter’s account. On cross motions for summary judgment, the U.S. District Court for the Central District of California determined that a trial would be necessary to determine which party stood in the better position to prevent the fraud.
In Thomas, no evidence indicated how the imposter learned of the lawsuit settlement. In Real Advantage, some evidence suggested that NOVAD's payoff systems had previously been compromised. In both cases, the basic sequence of events played out the same: (1) known parties with established communication channels agreed to a payment method; (2) a fraudulent actor entered the parties’ communications using a similar but not identical email address in order to change the payment method from check to EFT; (3) the party making the payment followed the imposter’s EFT instructions; (4) a court decided that the party better positioned to prevent the fraud should bear the loss.
Regarding how to combat this type of fraud, the last part of Thomas is worth quoting in full:
The antidote to these innovative fraudulent schemes may involve sophisticated encryption and digital safeguards (e.g., multifactor authentication), or it may sometimes be as old-fashioned and simple as picking up the phone and calling opposing counsel at a verified phone number, or meeting face-to-face to confirm the identity of one's counterpart and the validity of the transaction details. Either way, this case demonstrates that parties to modern, high-tech financial transactions must remain vigilant in ensuring they are dealing with their authentic peer. Failing to do so may be at their own financial peril.[5]
[1] 111 Cal. App. 5th 439, 332 Cal. Rptr. 3d 839 (2025).
[2] The fraudulent email address omitted one letter of the purported sender’s email address and added one letter to the domain name.
[3] The payee designation for the settlement check was also changed.
[4] 2025 WL 1720185, at *1 (C.D. Cal. June 17, 2025).
[5] Thomas, 111 Cal. App. 5th at 459, 332 Cal. Rptr. 3d at 855.
