By: Curt Martin, Richard Volack, Partners, and Quinn Kuriger, Associate, Peckar & Abramson, P.C.
November 18, 2025

The well-known maxim among carpenters – “measure twice, cut once” – serves as a prudent reminder in the context of construction progress payments, which have become increasingly vulnerable to cybercriminal activity.

Consider the following scenario: a joint venture contractor had been receiving progress payments via wire transfer from the project owner.  A cybercriminal infiltrated the contractor’s IT infrastructure, identified a pending invoice, and impersonated an employee to redirect the payment.  The hacker initially requested that the funds be sent to a new account in rural New York under the general contractor’s name, rather than to the joint venture’s established Houston account.  The owner wisely inquired why it should pay the general contractor and not the joint venture that the owner had paid on the prior twenty-nine progress payments.  The hacker quickly withdrew that request, submitted a new one that misspelled the joint venture’s name, and specified ACH to a third bank, this time in Florida.  Despite these glaring red flags (a new payee, a new bank in a new state, a misspelled name, and a new payment method), the owner less wisely sent $460,000 to the hacker’s account.

These types of scams are increasingly common.  The FBI Internet Crime Complaint Center’s 2024 Internet Crime Report classifies this scheme as “Business Email Compromise” (“BEC”) and cites 21,442 reported complaints last year.  The losses resulting from these schemes totaled $2,770,151,146, making BEC the cybercrime with the second-highest reported losses for victims.  (That’s right – about $129,000 average loss per reported complaint.)

This example is not presented as breaking news, but rather as a springboard for examining how U.S. courts are adjudicating disputes involving misdirected payments, many of which arise in the construction sector, and to highlight preventative measures companies should consider to help mitigate cyber risk.

There are at least four common-sense reactions that we might have about how to allocate responsibility for the losses in the example above.  These include:

  1. The contractor performed the work but was not compensated; therefore, the owner should be required to remit payment again.
  2. The contractor’s cybersecurity failure enabled the diversion; thus, the owner should not bear the burden of double payment.
  3. The owner had an opportunity to prevent the fraud by verifying the change in payment instructions and should therefore be held responsible.
  4. The presence of red flags in the fraudulent communications heightened the owner’s duty to investigate and verify.

Each of these themes appears in the handful of written court decisions discussed below.  The decisions take three different approaches:

The Contract Governs

A Maryland federal court judge issued a detailed opinion last year ruling that a contractor’s payment obligation to its subcontractor was not discharged by a fraudulent diversion of funds.  See United States for Use & Benefit of Jay Worch Elec., LLC v. Atl. Specialty Ins. Co., No. 8:22-CV-02420-PX, 2024 WL 2302322 (D. Md. May 21, 2024).

The court reasoned that the contract’s payment conditions – completion of work, submission of a lien release, and receipt of payment from the owner – had been satisfied.  Even though the security lapse may have been the subcontractor’s fault, the court found that payment was still due under the contract, citing the contract’s silence on a specific method of payment or on cybersecurity obligations.  Even the fact that the fraudulent email came from a lookalike domain (the general contractor’s name with .net instead of .com) did not excuse the breach.

Exercise of Ordinary Care

The Uniform Commercial Code (“UCC”) instructs courts to assess whether parties exercised ordinary care.  Two federal courts – in Florida and Texas – have applied UCC principles under Article 3, originally intended for negotiable instruments, to allocate losses resulting from fraudulent conduct.  See Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., No. 8:14-CV-2052-T-30TGW, 2015 WL 4936272 (M.D. Fla. Aug. 18, 2015); see also J.F. Nut Co., S.A. de C.V. v. San Saba Pecan, LP, No. A-17-CV-00405-SS, 2018 WL 7286493 (W.D. Tex. July 23, 2018).

Although that section does not apply on its face, both courts followed it, ruling that: (a) the payor’s duty to pay is discharged by a diverted payment if the payor is acting in good faith, unless (b) either the payor or the payee failed to exercise ordinary care and that failure contributed to the loss, in which case the negligent party bears the loss.  Both judges found that the payor should have been mindful of, and heeded, the red flags.  One of the judges noted that the buyer of goods (the payor) was in the better position to confirm the authenticity of the wiring instructions, given the change from prior instructions and the noticeable discrepancies in account details.  The buyer’s failure to verify the new information was held to be a failure to exercise ordinary care.

Application of Comparative Fault

The UCC doesn’t apply this concept, but comparative fault has been used nevertheless by some courts under common law.  In a Texas appellate court decision, the court determined that the UCC didn’t apply but concluded that common law “holds that when allocating a loss between two parties resulting from another’s fraud, the loss should fall on the one who enabled the fraud to happen.”  Prosper Florida, Inc. v. Spicy World of USA, Inc., 649 S.W.3d 661 (Tex. App.—Houston [1st Dist.] 2022, no pet.).  The court then undertook an analysis of comparative fault similar to the approach taken by the courts in the paragraph above. 

The analytical framework that future courts will adopt in BEC cases remains uncertain.  A unified approach may emerge as more decisions are rendered.  But, in the meantime, parties are well-advised to remain observers of this evolving jurisprudence rather than participants. The following measures can help reduce exposure:

  1. Practice proactive cybersecurity. The best tactic is to avoid the compromise in the first place.  Keep the company’s computer systems safe by implementing at least the following:
    1. Require strong, unique passwords – at least ten characters, and longer passphrases are better than short strings of mixed characters.  Use a password manager so that no password is reused across the email, accounting, and banking systems, screen new passwords against lists of known-breached passwords, and change a password immediately when compromise is suspected rather than on a fixed calendar; current NIST guidance (SP 800-63B) no longer recommends mandatory periodic rotation because it tends to produce predictable variations of the old password.
    2. Implement multi-factor authentication. This means setting up the system so that it cannot be accessed by a password alone; some additional code, device, or biometric is needed to access the system. Companies and individuals already see this requirement in interactions with banks and health care companies that send a code to the individual’s phone or email.  For BEC in particular, a code sent to email is of limited value because the email account is exactly what the attacker is after; an authenticator app is better, and a phishing-resistant method (hardware security key or passkey) is best.  Enforce MFA on email, on remote access, and on the bank portal, and periodically review mailboxes for forwarding or auto-delete rules that an intruder may have created to hide the correspondence.
    3. Make sure that the IT department regularly updates and patches the company’s systems. IT should also be using current firewalls, endpoint protection, and email filtering, and should be regularly backing up the company’s systems and testing that the backups restore.  Employees should restart Windows computers at least weekly so that Microsoft patches take effect.
    4. The company should provide personnel, especially HR and Accounting personnel, regular training on IT security, including how to spot and avoid cyber scams, phishing attacks, and unauthorized requests for information. There are specialized firms that perform this function. Many insurance companies that provide cyber insurance offer this training for free.
  2. Obtain cyber insurance that covers cybercrime, specifically Business Email Compromise and funds-transfer (social engineering) fraud. Confirm in writing that a transfer the company itself initiated in reliance on fraudulent instructions is covered and not excluded or sub-limited. Your insurance agent can help you price coverage that is right for the company.
  3. Agree by contract how payments will be made – and how notifications of changes will be sent. For example, agree that payments will only be made by check.  Or, if payments are made by wire transfer, agree that the payor will always call a live person at the payee to verify any change in wire transfer instructions, using a telephone number taken from the contract or the payee’s vendor file, never a number supplied in the email that requests the change.  A code word known only to the two parties adds an extra layer of protection.
  4. Remind customers that the company will not use email to notify the customer of a change in wiring instructions. Some contractors send letters to their owners every six months reminding the owner that wiring instructions have not changed, that wiring instructions will never be changed by email, and that the owner is encouraged to direct questions by telephone to a named employee at the employee’s work phone number.
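The verification discipline in items 3 and 4 can be encoded as a screening step in accounts payable.  The following is an added example, not code from the article or from any AP system: it compares an emailed payment-change request against the payee of record and raises the same red flags the article describes (lookalike sender domain, misspelled payee name, new bank account, new bank location, new payment method, a callback number supplied by the requester), then holds the payment for a callback to the number on file.  The payee, domains, routing and account numbers, and phone numbers are constructed for illustration.

```python
"""Screen a payment-instruction change request against the payee of record.

Added example, not from the article.  Encodes the article's red flags as
checks against the vendor master record and requires an out-of-band
callback to the number on file before any change is honoured.
All names, domains, account numbers and phone numbers are constructed.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re


@dataclass(frozen=True)
class PayeeRecord:
    """What accounts payable has on file from the contract / vendor onboarding."""
    name: str
    email_domain: str      # domain the payee's staff send from
    routing: str
    account: str
    bank_state: str
    method: str            # "wire" or "ach"
    callback_phone: str    # verified at onboarding; never taken from an email


@dataclass(frozen=True)
class ChangeRequest:
    """Fields parsed from an emailed request to change payment instructions."""
    payee_name: str
    sender_domain: str
    routing: str
    account: str
    bank_state: str
    method: str
    reply_phone: str = ""  # number the email asks you to call, if any


def _norm(s: str) -> str:
    """Case-fold and collapse punctuation so cosmetic differences do not hide a change."""
    return re.sub(r"[^a-z0-9]+", " ", s.casefold()).strip()


def name_similarity(a: str, b: str) -> float:
    """1.0 for an exact (normalized) match; a one-letter transposition scores ~0.96."""
    return SequenceMatcher(None, _norm(a), _norm(b)).ratio()


def screen(req: ChangeRequest, rec: PayeeRecord) -> list[str]:
    """Return the list of red flags; an empty list means nothing changed."""
    flags: list[str] = []
    req_dom, rec_dom = req.sender_domain.casefold(), rec.email_domain.casefold()
    if req_dom != rec_dom:
        # Same name, different suffix (.net for .com) is the classic lookalike domain.
        if req_dom.rsplit(".", 1)[0] == rec_dom.rsplit(".", 1)[0]:
            flags.append(f"lookalike sender domain {req_dom} (payee uses {rec_dom})")
        else:
            flags.append(f"sender domain {req_dom} is not the payee's {rec_dom}")
    sim = name_similarity(req.payee_name, rec.name)
    if sim < 1.0:
        kind = "misspelled" if sim >= 0.85 else "different"
        flags.append(f"payee name {kind}: {req.payee_name!r} vs {rec.name!r}")
    if (req.routing, req.account) != (rec.routing, rec.account):
        flags.append("bank routing/account differs from the account of record")
    if req.bank_state.casefold() != rec.bank_state.casefold():
        flags.append(f"bank location changed from {rec.bank_state} to {req.bank_state}")
    if req.method.casefold() != rec.method.casefold():
        flags.append(f"payment method changed from {rec.method} to {req.method}")
    if req.reply_phone and _norm(req.reply_phone) != _norm(rec.callback_phone):
        flags.append("request supplies its own callback number; ignore it")
    return flags


def decide(req: ChangeRequest, rec: PayeeRecord) -> str:
    """Policy: any flag holds the payment for a callback to the number on file."""
    flags = screen(req, rec)
    if not flags:
        return "PAY to account of record"
    return (f"HOLD: call {rec.callback_phone} (number on file) and confirm; "
            "flags: " + "; ".join(flags))


# Constructed vendor record and two constructed requests modelled on the article's scenario.
ON_FILE = PayeeRecord(name="Acme-Bayou Joint Venture", email_domain="acmebayoujv.com",
                      routing="000000001", account="1111111111", bank_state="TX",
                      method="wire", callback_phone="+1 713 555 0100")
LEGIT = ChangeRequest(payee_name="Acme-Bayou Joint Venture", sender_domain="acmebayoujv.com",
                      routing="000000001", account="1111111111", bank_state="TX", method="wire")
SCENARIO = ChangeRequest(payee_name="Acme-Bayuo Joint Venture", sender_domain="acmebayoujv.net",
                         routing="000000002", account="2222222222", bank_state="FL",
                         method="ach", reply_phone="+1 305 555 0199")

if __name__ == "__main__":
    print(decide(LEGIT, ON_FILE))
    print(decide(SCENARIO, ON_FILE))
```

The decision is deliberately binary: a single flag is enough to hold the payment, because the cost of one phone call is negligible next to a misdirected progress payment.  The callback number comes from the record, never from the request, which is the point of item 3 above.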

While no strategy can guarantee immunity from Business Email Compromise, adopting a “measure twice” approach may help ensure that companies only “cut the check” once.


The views expressed in this article are not necessarily those of ConsensusDocs. Readers should not take or refrain from taking any action based on any information without first seeking legal advice.