So here’s a recent lawsuit arising from a spoofing attack:
Company A makes a large equipment purchase from Company B. Company A receives an email with instructions on sending payment to Company B. Of course, the email is actually not from Company B, but from an unknown “John Doe” conducting a spoofing attack.
Company A falls for it. When it can’t identify the John Doe, it sues Company B, alleging it “failed to protect confidential information,” thereby making the spoofing attack possible. After several years of protracted discovery, the federal judge overseeing the case grants Company B’s motion to dismiss.
As Company A conceded there was no express breach of contract, its lawsuit hinged on establishing a “breach of implied contract.” But its only evidence was an affidavit filed by an expert witness, who concluded Company B’s “IT setup must have allowed the third-party to hack into [Company B’s] system.” The judge said there was “no evidentiary foundation” for this conclusion, so he rejected the evidence and threw out the case.