In the 1973 movie “The Sting,” actor Harold Gould, playing the grifter “Kid Twist,” has to convince Robert Shaw’s mark, Doyle Lonnegan, that a proposed wire room (for horse betting) is legitimate. Without the time to set up a fake wire room, Gould’s Kid Twist sneaks into a legitimate Western Union office (posing as a painter) and meets Shaw’s Lonnegan at the real office, convincing him that the wire transfer is legitimate. In the modern internet age, would a financial institution that allowed someone to do what Twist did to Western Union, that is, to set up a fake business, have liability to those scammed as a result? Magic 8-ball says, “Situation unclear, ask again later.”
Business email compromise, or BEC fraud, is the digital age’s version of the long con. It doesn’t depend on technical sophistication or cutting-edge malware but instead on careful impersonation, psychological manipulation and institutional complacency. With little more than a web browser and a convincing email, perpetrators of BEC schemes have managed to siphon billions of dollars from businesses, nonprofits, schools and government agencies. The FBI’s Internet Crime Complaint Center reported over $2.9 billion in domestic and international losses from BEC schemes in 2023 alone—a number that likely understates the true magnitude of the problem.
BEC schemes begin deceptively simply. The attacker compromises or spoofs a legitimate business email account — usually that of a vendor, an executive, or a trusted supplier. Often, they do so by registering a deceptive domain name that looks almost identical to the legitimate domain. For example, instead of “acmecorp.com,” the fraudster registers “acmecorpp.com” or “acme-corp.com.” These lookalike domains are used to craft credible-looking email addresses which, when viewed quickly or on mobile devices, are often indistinguishable from the real thing. Using this fake domain, the fraudster sends an urgent payment request — typically a revised invoice or updated wire transfer instructions. The message may reference prior conversations or even include legitimate documents exfiltrated from earlier breaches. Alternatively, the fraudsters can take over a legitimate email account outright, sending and receiving email from it and blocking messages to and from the real owner.
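The lookalike-domain pattern described above is something an accounts-payable mailbox can screen for mechanically. The following is an added example, not code from the original article; it assumes the finance team maintains an allow-list of the exact domains its real vendors send from (here a constructed list containing “acmecorp.com”) and flags any sender whose domain is a separator variant or a one- or two-character typo of a trusted domain.

```python
"""Lookalike-domain screen for inbound payment-change requests (added example)."""

# Constructed allow-list of legitimate vendor domains (assumption for the example).
TRUSTED_DOMAINS = {"acmecorp.com", "ibm.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _squash(domain: str) -> str:
    """Drop separators in the name part so 'acme-corp.com' equals 'acmecorp.com'."""
    name, _, tld = domain.rpartition(".")
    return name.replace("-", "").replace(".", "") + "." + tld


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Separator games (acme-corp.com) or a typo distance of at most two
        # (acmecorpp.com) from a real vendor domain are the BEC pattern.
        if _squash(domain) == _squash(good) or edit_distance(domain, good) <= 2:
            return "lookalike"
    return "unknown"


def screen_messages(messages):
    """Attach a verdict to every message so lookalikes can be held for a callback."""
    return [(m["from"], classify_sender(m["from"])) for m in messages]


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    SAMPLE = [
        {"from": "ap@acmecorp.com", "subject": "Invoice 1042"},
        {"from": "ap@acmecorpp.com", "subject": "Updated wire instructions"},
        {"from": "billing@acme-corp.com", "subject": "Revised invoice 1042"},
        {"from": "news@example.org", "subject": "Newsletter"},
    ]
    for sender, verdict in screen_messages(SAMPLE):
        print(f"{verdict:9} {sender}")
```

A verdict of “lookalike” on a message that changes bank details is the cue to confirm the change by phone using a number already on file, never one in the email; the distance threshold of two will also catch some unrelated short domains, so treat it as a hold, not a block.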
The victim — often a company’s accounts payable department — receives what looks like a legitimate invoice or payment instructions from a legitimate customer. The fraudster can redirect payment of genuine invoices (knowing the amounts because the payor’s or payee’s account has been compromised) to an account in the payee’s name at a different financial institution, create new invoices outright, or alter existing invoices to demand more money for services never performed. The recipient of the email directing payment believes the communication is genuine and wires funds accordingly. But the money doesn’t go to the legitimate vendor. Instead, it is directed to a bank account set up and controlled by the fraudster, usually under a name similar or identical to the intended payee. In many cases, the account has been opened at a U.S.-based financial institution using synthetic identity documents, a shell company, or a DBA that mimics the real payee. The fraudster, posing as the vendor, then quickly transfers the money out of the receiving account — often layering it through additional accounts before sending it offshore.
Litigation in the wake of such frauds typically focuses on the victim and their bank. Courts analyze whether the victim exercised reasonable care, whether the bank’s security protocols were commercially reasonable under Article 4A of the Uniform Commercial Code, and whether the bank acted in good faith in executing the wire. In cases like Patco Construction Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012), courts have found banks liable for failing to detect anomalous behavior despite having ostensibly robust security measures in place. Other courts, such as in Compass Bank v. Calleja-Ahedo, 569 S.W.3d 104 (Tex. App. 2018), have placed the burden on the customer, holding that when a bank’s procedures are deemed commercially reasonable, losses lie with the client. These cases often boil down to questions of comparative negligence and the adequacy of authentication procedures. The same is true of the debate over the relative liability of the payor and payee: should each have done more to prevent or authenticate the transaction? With social engineering attacks of this kind, there is always more that every party could have done to prevent it.
Largely absent from the legal analysis is the role of the receiving bank — the institution that opened and maintained the fraudulent account into which the misdirected funds were transferred. This is the missing link in the enforcement and regulatory regime surrounding BEC frauds. Unlike domain registrars, who have neither a legal duty nor any real incentive to verify that the registered domain corresponds to a legitimate company or corporate interest, banks are governed by a far more stringent legal framework. Under federal law—principally the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5311–5332, and implementing regulations at 31 C.F.R. Chapter X—financial institutions must know their customers. This is not a marketing slogan; it is a legal mandate.
Banks are required to implement robust Customer Identification Programs (CIPs) under 31 C.F.R. § 1020.220. These programs must include procedures for verifying the identity of legal entity customers and confirming their existence through documentary or non-documentary methods. The regulations also require that banks obtain information sufficient to form a reasonable belief that they know the true identity of each customer, including their legal name, physical address, and employer identification number. Under FinCEN’s Customer Due Diligence Rule, codified at 31 C.F.R. § 1010.230, banks must go further, identifying the beneficial owners of legal entities and verifying that the individuals purporting to open accounts on behalf of those entities are authorized to do so.
In practice, this means that if an individual seeks to open a business account in the name of “Apple Inc.” or “IBM Corporation,” the bank must verify not only the existence of that entity but also that the individual opening the account is an officer or director with the authority to do so. A mismatch—say, where someone from “XYZ Plumbing LLC” seeks to open an account in the name of “Apple Inc.”—should immediately raise red flags. If the account is nonetheless opened and begins receiving high-value wire transfers intended for the real Apple or IBM, the bank’s failure to investigate may constitute a violation of federal law and could potentially give rise to civil liability.
Establishing these “fake” — or at least “fake-ish” — accounts is a critical component in furthering the fraud schemes. Without a bank account into which to direct (or misdirect) the money, the crime cannot occur.
FinCEN guidance makes clear that financial institutions have an affirmative duty to detect and report suspicious activity. In its 2014 advisory on email compromise fraud, FinCEN warned that red flags include unusual account-opening procedures, high-dollar wires inconsistent with the customer’s profile, and the receipt of funds by entities with no discernible connection to the sender. A bank that ignores these indicators, or that has no effective system for identifying them in the first place, may be failing in its obligations under both the BSA and the broader AML framework.
Despite this, courts have historically been reluctant to impose a duty of care on banks in favor of non-customers. The prevailing doctrine holds that a bank’s duties run to its own clients—not to strangers injured as a result of its negligence. Yet this rule is not absolute. Some courts have recognized exceptions where the bank’s conduct rises to the level of bad faith or where it knowingly facilitates fraudulent activity. The distinction between a failure of oversight and active complicity is one of degree, not kind. When a bank opens an account under the name of a major multinational corporation, based on documents from a party with no corporate affiliation, and fails to verify the legitimacy of that arrangement — especially when large sums of money begin to flow into the account — it is not unreasonable to suggest that the bank may bear some legal responsibility for the resulting harm.
The policy rationale for extending liability in such cases is compelling. Unlike domain registrars, banks serve as financial gatekeepers. They are not simply custodians of funds, but agents of regulatory compliance, uniquely positioned to detect and prevent fraud. Allowing them to avoid liability in scenarios where even minimal due diligence would have uncovered a sham account undermines both public confidence in the banking system and the deterrent effect of the AML regime. Holding banks to their statutory and regulatory obligations is not just about punishing negligence — it is about enforcing standards of conduct that are essential to the integrity of the financial system.
If I were to walk into a bank and open a business account in the name of “Apple Inc.” without any corporate authority or affiliation, and then begin receiving large wire transfers from counterparties intending to pay the actual Apple, the bank should not be allowed to plead ignorance. It should verify whether I am, in fact, authorized to act on behalf of Apple. It should question the legitimacy of the transfers. It should file a suspicious activity report. If it does none of these things, it is not simply a bystander — it is a participant.
BEC fraud thrives on institutional blind spots and regulatory asymmetry. Victims are often blamed for failing to verify email addresses or call to confirm wire instructions. But the real enablers of these frauds are the institutions that create the illusion of legitimacy (the Western Union offices of The Sting) — by opening fraudulent accounts in the names of real companies, and by allowing those accounts to operate without scrutiny. Until regulators, courts and litigants begin to hold receiving banks accountable, BEC fraud will remain profitable, persistent, and practically immune from deterrence. Recall Robert Redford’s remark to Paul Newman in The Sting about Lonnegan, “He’s not as tough as he thinks,” and Newman’s reply: “Neither are we…”