This blog has covered numerous cases of hackers impersonating parties to commercial transactions, and rerouting funds meant to pay for equipment or services. Fraudsters have impersonated high-level executives to induce accounting employees to transfer funds. Fraudsters impersonated a company’s vendor, and provided fraudulent wiring instructions for the company to send payments. That same kind of fraud led to litigation between a company and its insurance company over whether there was coverage for stolen payments.

In a recent case, fraudsters impersonating an auto dealership caught a Maryland-based commercial bakery off guard. Before anyone knew what happened, the bakery sent $1,337,608.80 earmarked to purchase a fleet of trucks to fraudsters. The funds were supposed to be a down payment for delivery of 24 out of 48 delivery trucks that the bakery was attempting to purchase from a Tennessee dealership. Unbeknownst to the bakery, fraudsters had infiltrated the dealership’s email account, and provided fraudulent wiring instructions to the bakery.

The case of Russell Barnett Ford v. H&S Bakery began when the dealership filed a lawsuit to enforce the bakery’s contract with the dealership to buy the 48 delivery trucks. Under the contract, the dealership agreed to construct and deliver 48 vehicles. The dealership sought to enforce the contract and compel the bakery to pay the dealership the $1.337 million down payment, despite the bakery sending the payment to fraudsters.

The dealership argued it had an enforceable contract to sell the vehicles to the bakery. From the dealership’s perspective, it did not matter that the bakery attempted to send payment, because the dealership did not receive the payment.

There are many reasons why a dealership might seek to enforce a contract for an order like this. For example, the dealership may have expended resources to prepare for the construction of the vehicles. The vehicles may be configured in a manner unique to the bakery, which makes them difficult to sell to third parties. Finally, the dealership may just want the contract performed because that is what the parties bargained for.  

The reasons why the dealership might try to enforce the agreement with the bakery are the same reasons other vendors may try to enforce an agreement, even when fraudsters steal the contract payments. A vendor that is selling a product or service will expect payment regardless of whether fraudsters stole the funds.

Russell Barnett Ford v. H&S Bakery is a good example of the legal havoc fraudsters can cause. In addition to losing $1.337 million, the bakery also faces the prospect of having to perform the contract. The bakery might have insurance, but as this blog has previously covered, so-called “cyber” insurance often does not cover liability to third-parties based on a contract. The bakery will likely argue that the dealership’s email compromise contributed to the loss, but it is not clear whether those facts will be relevant to a breach-of-contract analysis.

There are a number of ways this loss could have been avoided. If bakery employees had done more to verify the authenticity of the dealership wire instructions, it might have avoided this incident. Similarly, the dealership apparently failed to implement quality controls to prevent fraudsters from infiltrating its email system.  

This case is yet another example of how important it is for organizations of all kinds to make sure they have controls and processes in place to mitigate the risk of a cybersecurity incident. Neither a bakery nor a vehicle dealership seem like a type of organization that would need to be concerned with cybersecurity, but they were targets nonetheless.