Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

Credit union to pay $558,000 in cyber fraud case

Courts Consumer Finance Payments Fraud


On January 12, the U.S. District Court for the Eastern District of Virginia ruled that a credit union (defendant) is responsible for $558,000 in compensatory damages for processing a payment order that was allegedly induced through fraud by the beneficiary, but later rescinded its decision to award punitive damages. According to the initial opinion and order, in October 2018, the plaintiff received a “spoofed” email from an unknown third party claiming to be one of the plaintiff’s suppliers. The email instructed the plaintiff to change its banking remittance information for the supplier. However, unknown to the plaintiff, the new banking information contained in the email belonged to an individual who had opened a personal account with the defendant months prior. The order stated that from October to November in 2018, the plaintiff made four payments to the individual’s account held by the defendant, identifying the supplier as the beneficiary. The plaintiff sued alleging that the defendant failed to “comport with basic security standards that resulted in the unlawful diversion of funds.” According to the opinion and order, the court found that Virginia Commercial Code required the defendant to reject the deposits if it knew there was a discrepancy between the intended beneficiary and the account receiving the deposit. The court further wrote that the defendant did not have a duty to “proactively” discover a discrepancy, but found that “the evidence at trial illustrated that [the defendant] did not maintain reasonable routines for communicating significant information to the person conducting the transaction. If [the defendant] had exercised due diligence, the misdescription would have been discovered during the first [] transfer.” Additionally, the court stated the defendant did have “actual knowledge” of the fraud because “the transfers generated real-time warnings that the name of the intended beneficiary [] did not match the name of the owner of the account receiving the [deposits].” The court awarded the plaintiff $558,000 in compensatory damages and $200,000 in punitive damages. However, the court rescinded the punitive damage award stating that the plaintiff has not provided sufficient evidence to support punitive damages.