company email hacked, customer paid into fraudulent bank accounts

Ethan J Tucker

New Member
Jurisdiction: Illinois
Hello,

I recently had a customer in Chicago who purchased $60,000.00 of product from me. The product was transported in rail cars owned by the customer. After the first 3 of 4 rail cars were released, we requested payment on those cars from our customer. We sent ACH payment instructions and before we were paid our email was hacked. The hackers began corresponding with the customer and sending fraudulent banking information from one of our employee's email accounts. The customer sent the payments to the fraudulent accounts.

Since we have discovered what happened, both our company and our customer have filed police reports as well as complaints with the FBI in hopes that they will be able to track down who was responsible for the theft.

That being said, we are viewing our customer as the victim in this situation because they sent money to the fraudulent accounts and were basically robbed. We feel like they still owe us the $60,000 plus another $20,000 for the fourth rail car. The customer, on the other hand, is taking the position that they paid for their product and they are not planning on paying for it again. This leaves us without an option other than filing a suit against them to try to collect.

Am I correct in my belief that they are the victims because they sent money to the fraudulent accounts and that they are still required to pay us for the product they ordered and received?

If I am correct, how likely is it that I would collect attorney's fees along with the amount owed?
 
Am I correct in my belief that they are the victims

I would say that both your company and the other company are victims, but slapping a label on it is of no value.

and that they are still required to pay us for the product they ordered and received?

I assume the $20k for the fourth installment isn't at issue, correct? As far as the $60k, it's impossible to assess this intelligently without reviewing the contract between the two companies and other relevant documents. Does your company have in-house counsel? If so, this is something he/she should be reviewing and advising you about. If not, then your company should retain an attorney. Off the top of my head, and without knowing what state's laws apply, I would say your customer has the better argument because it was your company's computer system that got hacked. The other company had absolutely no culpability or ability to prevent what happened. Maybe your company doesn't and didn't either, but your company should be able to make an insurance claim to recover the loss. The other company has no basis for such a claim.
 
We sent ACH payment instructions and before we were paid our email was hacked.

Have you spoken to your corporate attorney, mate?

If you're shipping boxcars full of "stuff" with a purported value between $60K and $80K, you surely employ (or have on retainer) an attorney.

I will respect your privacy, and you should, too.

The above sentence COULD suggest that YOU were hacked, NOT the customer.

If that is true, the customer MIGHT not owe you anything.

You, on the other hand, MIGHT end up owing the customer.

I can't say who will be culpable here, but your posts don't help you.


The hackers began corresponding with the customer and sending fraudulent banking information from one of our employee's email accounts. The customer sent the payments to the fraudulent accounts.
 
The following is not legal advice, just my personal opinion. As stated above, this is an issue which you must speak to an attorney for a proper legal consultation on a serious matter. My personal thoughts on what you said:

sending fraudulent banking information from one of our employee's email accounts.

Accordingly, the customer was corresponding with a legitimate company email which is in your control. It's not as if this was a phishing expedition and the client was corresponding with a Gmail account posing as being your company. It was actually a legitimate corporate email account under your control and your responsibility for security. Put yourself in their shoes - why should they bear the risk of loss because your company was hacked and your assets were used to defraud one of your own customers? It would seem that the party in the best position to bear responsibility was your company.

Getting beyond a legal issue, I'd think long and hard about the business reputation issue. Imagine how many clients will want to do business with your company if they knew that corresponding with your own legitimate email accounts would NOT be a guarantee of secure transmission and the customer bears the risk of loss for your company's failures. From my perspective, your competitors will be all over that policy and market the fact that risk of loss from doing business with your company is on the customer.
 