Cyber security is a major issue for every business today, as getting it wrong can have serious legal and financial ramifications. In this respect, below is some guidance on a recent case on internet fraud and some easy practical tips to follow, which should reduce this threat to your business.
Online payments always carry a risk – but hackers have developed a new scam that all businesses need to be mindful of. Online con-artists now seek to intercept emails containing payment details that are routinely sent between businesses. Once in possession of such an email, the hacker replaces the recipient’s bank details with the hacker’s own, which leads to the victim unwittingly transferring their payment of a legitimate invoice directly into the hacker’s bank account.
In most cases, the money transferred to the hacker cannot be recovered. Furthermore, the original invoice remains unpaid and the victim of the fraud is still legally liable for payment.
The recent decision of J Brazil Road Contractors v Belectric Solar  (Case No: C1EQ331C2 County Court at Canterbury 22 January 2018 WL 01993147) demonstrates the position and is one of only a few reported cases on this type of fraud (despite the frequency of its occurrence).
The customer received an invoice from their contractor but, unbeknown to the customer, the contractor’s email account had been hacked. The payment details on the contractor’s invoice were changed and sent to the customer on a separate email from the same email account by the hacker. Relying on the payment information they’d received, the customer subsequently paid the invoice amount to the hacker and not the contractor. Due to non-payment, the contractor later made a claim against the customer for the full amount of the invoice which, in the view of the contractor, remained outstanding.
The customer argued that they were entitled to rely on the instructions for payment as stated on the email from the contractor’s email address, and that the law of agency applied.
The Court found that both parties were innocent victims of the scam but, nevertheless, held that the customer remained liable for payment of the invoice.
The customer appealed but the case was dismissed. In dismissing the appeal, the appellate judge commented that the law of agency didn’t apply in these circumstances. Furthermore, whilst estoppel wasn’t pleaded, in order for an estoppel argument to succeed there must exist a representation by words or conduct of the payee that the content of its email was secure.
What should you take away from this judgement?
Despite being the innocent victim of a crime, if you’re duped by fraudulently amended payment details it’s unlikely that the Courts will release you from your obligations to make payment on the terms agreed between you and a third party. You should therefore exercise caution and be mindful of the fact that email accounts are not secure (unless otherwise stated) and are susceptible to hacking.
Protection to be introduced by banks to combat fraud
As recently as October 2018, The Guardian reported that, in an attempt to “halt the rising tide of bank transfer fraud,” some UK banks will soon check the names of UK bank customers against the name on their bank account when money transfers are made. Effectively this will close the current procedural loophole whereby banks only verify the payee’s account name, account number and sort code; any disparity between the payee’s account name against the payee’s name is not currently checked.
The new “confirmation of payee” system requires customers to confirm that the identity of the recipient is correct if the name of the payee and the name of the payee’s bank account do not match. This welcome innovation presents a further impediment to fraudsters and will, hopefully, lead to a sharp decline in the incidence of such cases.
Tips for customer protection
1 Consider the circumstances of the email. Was an invoice expected at this stage? Have the payment details changed without notice? If so, contact the individual/business directly over the phone to confirm the payment details are correct
2 Insist that payment information is sent via a secured or encrypted email
3 Always exercise caution when dealing with the transfer of money.
Rob Coleridge is a senior associate and commercial litigation lawyer who has a particular interest in technology. In this context, he has considerable experience of advising on high value contractual and product liability based risks and disputes. He also has expertise in contentious public procurement issues.
023 8083 1215
Commercial litigation partner Hannah Clipston is the IM Business Services lead partner in Southampton. She has significant experience in the resolution of disputes for commercial organisations, particularly in the sport and leisure industry. Clients she has assisted include Greenwich Leisure and Nuffield Health. She trained and worked in the City for five years and her practice covers High Court litigation, arbitration and mediation.
023 8083 1233