Business Email Compromise Litigation in California

When a fraudulent email turns into a real dispute between two real businesses

Business email compromise — often called BEC — happens when a criminal slips into the middle of a legitimate business transaction by impersonating one of the parties over email. Typically the criminal either hacks into a real email account, registers a “look-alike” domain (for example, @acmecorp.com vs. @acrnecorp.com), or simply spoofs the sender field. From that foothold, the criminal sends what looks like a routine email — new wiring instructions for an upcoming payment, a “corrected” invoice, or an updated account number — and the money goes to the criminal instead of the intended recipient.

By the time anyone realizes what happened, the funds are usually gone. The FBI’s Internet Crime Complaint Center has, for years, identified BEC as one of the most financially damaging online crimes, with billions in reported losses across U.S. businesses.

The funds are almost never recoverable as they are usually overseas, anonymous, and judgment-proof. So the real dispute, and the lawsuit, ends up between two legitimate businesses. Each business, which may have done nothing wrong itself, fights over who has to absorb the loss.

That is the kind of case Chatow Law handles.

The California rule: loss falls on the party best positioned to prevent the fraud

Until recently, California had no published appellate decision squarely addressing how to allocate loss between two parties in a BEC case. That changed in 2025. In Thomas v. Corbyn Restaurant Development Corp.  The Fourth District Court of Appeal held that the risk of loss from a fraudulently diverted wire transfer falls on the party in the best position to prevent the fraud. The court further held that this is a factual question, decided on the totality of the circumstances, and that loss can be apportioned between the parties based on their comparative fault.

In other words, there is no automatic winner. The party that was contractually owed money does not automatically lose the right to be paid simply because its counterparty wired the money to a criminal. And the party that sent the money does not automatically escape liability simply because it was tricked. The court looks at what each side did — and didn’t do — to enable or prevent the fraud.

Importantly, Thomas also held that a finding of negligence is not required. A court can find that one party was best positioned to prevent the fraud even where neither party acted unreasonably in the abstract.

What courts look at

The kinds of facts that drive these cases include:

• Whose email account was actually compromised, and how — a real intrusion, a spoofed domain, a forwarding rule, a phishing click?
• What security controls were in place — multi-factor authentication, DMARC/SPF/DKIM, security awareness training, written policies?
• Did the fraudulent email contain “red flags” — a different sending domain, an unusual request, a change in payee name, an inoperable callback number, urgency language, a brand-new account at a different bank?
• Did the parties’ prior course of dealing call for verification of payment instructions by phone or in person?
• Was there an established wire instruction on file, and did the new instruction conflict with it?
• Once the fraud was discovered, who acted first — and how quickly — to notify the other side, the banks, and law enforcement?

Courts outside California have, in Federal cases like Beau Townsend Ford Lincoln v. Don Hinds Ford and Arrow Truck Sales, applied similar reasoning. Thomas aligned California with that body of federal authority, drawing on the Uniform Commercial Code’s “imposter rule” by analogy.

A critical detail most businesses get wrong: verify the phone number, too

Out-of-band telephone verification — picking up the phone to confirm a wire instruction before sending money — is the single most effective defense against BEC. But it only works if you call a phone number you already know is the real one.

A sophisticated BEC criminal anticipates that the payor will want to verify by phone. So the fraudulent email almost always includes a phone number — sometimes in the body of the email, sometimes in a signature block, sometimes embedded in a PDF of “updated wiring instructions.” That number may not ring the real counterparty. It may instead reach the criminal, or an accomplice, who is ready to confirm the fake instructions.

The only safe verification call is to a phone number you obtained through a separate, previously trusted channel — a number from a prior signed contract, an established vendor file, the company’s public main line on its actual website, or a personal contact you have used before. 

If your only point of contact for a counterparty is the email thread you are currently in — and you cannot independently verify a phone number for them — stop the wire and resolve that gap before sending money. After the fact, in litigation, the question of whether the payor used an independently verified phone number is often dispositive in the “best position to prevent the fraud” analysis.

A common misconception: “the bank should pay”

It is tempting to assume the wiring bank should bear the loss. Usually it will not. California’s Commercial Code Article 4A governs wire transfers, and it generally insulates a receiving bank from liability when it executes an authorized, error-free payment order — even if the originating customer was tricked into giving the order. Banks can be liable where they failed to follow an agreed security procedure, or where a payment order they accepted was not actually authorized, but those are narrower situations than most BEC victims expect. The realistic adversaries in a BEC case are almost always the two business counterparties.

Why these cases need a litigator who understands both sides

BEC litigation is part forensic, part contractual, part negligence, and part credibility contest. The “best position to prevent the fraud” inquiry is exactly the kind of fact-intensive comparative-fault analysis where careful discovery, well-targeted document requests (email logs, audit logs, MFA enforcement records, training records, IT vendor communications, prior cybersecurity assessments), and the right expert can change the outcome. Often, the side that does the better job of reconstructing how the fraud happened wins, regardless of which side initially looks more sympathetic.

We have:

• Drafted and propounded the discovery needed to surface the technical and procedural facts (email security configurations, audit logs, MFA enforcement, security policies, prior incidents, IT provider communications, cyber-insurance correspondence).
• Worked with cybersecurity experts, including ex-FBI investigators, and the forensic record to identify which side’s environment was actually compromised, and which side ignored warning signs that, with ordinary care, would have stopped the loss.
• Built and defended against the comparative-fault arguments that decide who pays.

Whether you are the payor or the payee, your strongest defense was put in place before the fraud

If your business is engaged in regular wire-transfer activity, the time to think about BEC is before it happens. Out-of-band telephone verification of any change to wiring instructions — using a previously known, independently confirmed phone number — multi-factor authentication on all email accounts, DMARC/SPF/DKIM configured correctly, employee training, and a clear written incident response plan are not just good cybersecurity. They are evidence that, after a loss, materially changes how a court will allocate fault.

Contact Chatow Law

If you are dealing with a business email compromise dispute in California — whether your business sent the payment or was supposed to receive it — Chatow Law may be able to help. We work with clients in Orange County, Los Angeles County, San Diego County, and beyond. Contact us today to schedule a free initial consultation.

Mark Chatow | Chatow Law, PC

23 Corporate Plaza Drive, Suite 150

Newport Beach, CA 92660

949-478-8393