Phishing in the Time of Covid-19
Throughout the course of the COVID-19 pandemic, attorneys have gradually assimilated to working remotely from home. It seems like every week, we encounter a litany of new challenges that we must tackle gracefully and professionally. In the midst of working in our newly established Wi-Fi silos, one other annoyance that we cannot seem to get rid of is the ubiquitous phishing emails that strangely appear in our inboxes. Hopefully by now, your company’s IT director, like ours, has already blasted the proper firm policies and procedures to help you steer clear of any and all spam emails. But what if an associate or partner at your firm decides to ignore their beloved IT director’s instructions, and instead wishes to engage in dialogue, or maybe even shares a bank routing number or two, with what they believe is close business associate or client?
Well that is precisely what happened in the matter of Beins, Axelrod, P.C. v. Analytics, LLC et al, where a plaintiff’s law firm in Washington D.C. commenced an action in federal court after a third-party allegedly hacked into the firm’s managing partner’s email and diverted $60,000 into a Citibank account. After a failed attempt by the managing partner of the firm to recover the funds, he filed an action in District Court for common law negligence fraud, breach of contract claims, and a claim under the Computer Fraud and Abuse Act (CFAA) 18 U.S. Code § 1030 against defendant Citigroup (“Citi”). The plaintiff alleged that Citi aided and abetted the hacker.
Citi moved to dismiss the complaint for a failure to state a claim. The Court found the bank cannot be held liable under the theory that it conspired with the hacker given the absence of an allegation of an agreement between Citibank and the hacker to violate the CFAA. Moreover, the court indicated that a key element of establishing aiding and abetting of conspiracy liability is demonstrating the requisite mens rea “state of mind” of the perpetrator. The plaintiff had failed to plead defendants knowing involvement in the scheme under the “willful blindness” theory.
Judge James E. Boasberg provided the following analogy to substantiate court’s reasoning in granting Citi’s motion to dismiss: “a bank that allows a private part party to open an account to which funds are improperly transferred is not akin to a farmer, who in exchange for a bribe, provides refuge to a group of strangers wearing ski masks and carrying bags of cash….. where it otherwise, whenever a thief used an unwitting bank in connection with his criminal scheme, the bank would be both criminally and civilly liable for the offense, regardless of the surrounding circumstance.”
The attack that plaintiff’s counsel faced is known as a “business email compromise”, which has become more prevalent during the COVID-19 pandemic. This case highlights the importance of how diligent attorneys and other professionals must be when responding to emails seeking confidential or sensitive information.
Thanks to James Papadakis for his contribution to this post. Please email Heather Aquino with any questions.