Spotting suspicious emails is becoming increasingly difficult as cybercriminals become more adept at making their emails appear genuine.
The Covid-19 era has seen a surge in email scams. The World Health Organisation (WHO) has published a warning on its website about cybercriminals taking advantage of Covid-19 by sending fraudulent emails posing as the WHO to trick unsuspecting victims into revealing their usernames and passwords, which are then used to steal money or sensitive information [1].
Business Email Compromise
Business email compromise (BEC) is a type of phishing scheme whereby a cybercriminal uses emails to pretend to be a genuine person who is known to you in order to trick you into transferring money to them. The cybercriminal may use an almost identical email address to the genuine person or they may even gain access to that genuine person's email account to intercept, amend and send emails to you requesting money.
Using these techniques, cybercriminals take control of a business's email account and send out fake invoices via email to customers of the business with amended bank account details; and/or pretend to be a senior executive in a company and send out a message to staff of the company directing them to transfer money to the fraudster's account.
According to the ACCC, Australian businesses lost over $60 million to BEC scams in 2018 [2].
Broadcom Inc (a US-based technology company) collated data in July 2019 which places Australia in the top ten regions in the world targeted by BEC scammers, ranked third behind only the USA and the United Kingdom [3].
BEC in the News and Civil Case Summaries
On 4 May 2020 Lawyers Weekly published an article about a national law firm that is facing civil court proceedings in Australia, brought by a client for allegedly breaching its duty of care by transferring almost $1 million in client funds to the bank account of a fraudster. Lawyers Weekly reported that the firm has stated "the client's email system was hacked" and that the case will be "vigorously defended" [4].
There is a dearth of Australian civil case law dealing with BEC scams. Here we have summarised some cases from Canada, whose legal system, like Australia's, is based on the British common law system. We also summarise a case from Scotland, which has a mixed legal system containing both civil law and common law elements.
These cases give some insight as to how similar cases might be determined in Australia.
Yunsheng Du v Jameson Bank 2017 ONSC 2422
In this Canadian case, Yunsheng Du (Du) commenced proceedings against Jameson Bank (the Bank) for negligence, breach of contract and breach of fiduciary duty following a BEC event.
After the account was opened, the Bank received numerous requests from Du by email to transfer monies from his foreign currency account to various accounts. The Bank acted in accordance with the Agreement and the requests received from Du's email account, including the transfer of two transactions totalling US$135,000 to a Singapore account.
After the latter two transactions were completed, it became apparent that although the emails had come from Du's account, that account had been compromised. Du sought to recover his loss from the Bank, and the Bank brought an application for summary judgment to dismiss Du's claim.
The Court found in favour of the Bank and dismissed Du's claim. In arriving at its decision, the Court found that:
- The Bank was not required to question the instructions received from Du's email account.
- The Bank was acting in accordance with the Agreement that governed the relations between the Bank and Du.
- The Agreement contained a contractual exclusion of liability and Du failed to establish that the Bank was grossly negligent or acted with wilful misconduct.
- The Agreement that Du signed with the Bank was a complete bar to his claims.
St. Lawrence Testing & Inspection Co. Ltd v Lanark Leeds Distribution Ltd & Mark Schokking 2019 CanLII 49497 (ON SCSM)
In this Canadian case, the plaintiff and defendants were both innocent victims of a cybercrime which resulted in the loss of funds that were paid by the defendants to settle the plaintiff's claim. Whilst both parties were innocent the Court was asked to determine which one of them should bear the loss.
The plaintiff had issued Court proceedings against the defendants, which had subsequently settled pursuant to terms of settlement signed by the parties and filed with the Court. The terms of settlement required the defendants to pay $7,000 to the trust account of the plaintiff's solicitor. In the brief interval between the execution and delivery of the terms of settlement and the payment of settlement funds by the defendants, a fraudster intervened and sent revised wire transfer instructions to the defendants, which resulted in the defendants sending the settlement payment to the fraudster's account rather than to the plaintiff's solicitor.
The defendants asked the Court to make an order that the terms of settlement had been satisfied. The plaintiff argued that, not having received the settlement funds, the terms of settlement had not been satisfied.
Upon investigation it was found that a malicious user had managed to gain access to an email address belonging to the paralegal handling the matter at the plaintiff's solicitors. Once the malicious user was able to log in to the paralegal's portal they had access to all of the paralegal's email information, including sent items and contacts. The malicious user was then able to redirect, forward, delete and send emails from the paralegal's account.
Issue for determination
The issue for determination in the case was, where a computer fraudster assumes control of Victim A's email account and, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster's account, is Victim A liable for the loss?
The Court held that the answer is "no", unless:
- Victim A and Victim B are parties to a contract which:
- (i) authorizes Victim B to rely on email instructions from Victim A, and
- (ii) assuming compliance with the terms of the contract, shifts liability for a loss resulting from fraudulent payment instructions to Victim A; or
- There is evidence of wilful misconduct or dishonesty by Victim A; or
- There is negligence on the part of Victim A.
The Court held:
- There was no contract between Victim A (plaintiff) and Victim B (defendants) allowing the defendants to rely on email instructions from the plaintiff and shifting liability for a loss resulting from fraudulent payment instructions to the plaintiff.
- There was no evidence of any wilful misconduct or dishonesty by the plaintiff, the plaintiff's solicitor or the paralegal.
- There was no evidence to support a finding of negligence on the part of the plaintiff's law firm with respect to its computer/email security system.
- The Court therefore found in favour of the plaintiff. However, the Court commented that this is clearly an area that would benefit from legislation to establish clear principles and guidelines for the allocation of liability in the event of computer frauds which are increasing in number.
Peebles Media Group Pty Ltd v Reilly (2019) CSOH 89
In this Scottish case the plaintiff sought payment of £107,984.02 from its former credit controller, Ms Reilly (Reilly) who had been the victim of an email scam whilst employed by the plaintiff.
A fraudster impersonated Reilly's boss in a series of emails instructing her to make various payments from the plaintiff's account in the sum of £193,250. Reilly, believing she was in communication with her boss, who was away on holiday at the time, acted on those instructions.
Reilly did try to call her boss after the first exchange of emails regarding an initial payment of £24,800 and had left a voicemail for her, which her boss deleted.
The fraudster contacted Reilly again a few days later and after a further exchange of emails a further payment of £75,200 was made. Reilly ignored a fraud warning on the online banking system but spoke to her employer's bank manager before processing the payment. The fraudster sent further emails and managed to obtain two further payments of £56,750 and £36,500 before the fraud was detected. In total £193,250 had been paid out of which the bank was only able to retrieve £85,000.
The plaintiff sacked Reilly and then sued her for the unrecovered balance arguing that she was in breach of her contractual obligation to exercise reasonable skill and care and arguing that the emails were "obviously fraudulent". The plaintiff asserted that Reilly ought to have known the emails were fraudulent and that she should have confirmed with her boss that the requests for payment were genuine before making any payments. The plaintiff also argued it was not part of Reilly's job to make payments and so she had strayed beyond her duties that she was authorized to perform.
Issues for determination
The Court had to determine whether on the facts of the case the plaintiff was entitled to recover its loss. The Court acknowledged that employees have an implied obligation to exercise reasonable skill and care in the performance of their duties. Further that in principle, if the plaintiff were able to establish the requisite breach of contract by Reilly they would be entitled to obtain damages.
The Court found in favour of Reilly. The Court examined each payment to determine whether Reilly had breached her implied obligation to exercise reasonable skill and care with respect to that payment. The Court ruled that whilst Reilly was in breach of her contractual obligation to exercise reasonable skill and care with respect to some of the payments, it did not consider that the loss that ensued was the natural consequence of the breach, because the loss was "exceptional and unnatural because she was ignorant of the fraud being perpetrated on her and on the pursuers".
The Court expressed regret that whoever was behind the fraud had not been caught. The Court stated that the fraudster was the real culprit. The plaintiff had suffered a major loss and the defendant had lost her employment. The Court described the circumstances as "a tragic case".
Preventing or limiting exposure to BEC
There are a number of steps that your business can take with respect to BEC:
- Check your contracts and terms and conditions – consider including clauses in your contracts to exclude liability for losses arising from BEC events, as in the case of Du v Jameson Bank.
- Check your insurance cover – make sure that your business has adequate cover.
- Train your staff – educate your staff about BEC and the warning signs to look out for.
- Implement sound business systems – establish consistent processes for validating payments.
- Implement good cyber security systems – develop and maintain good security controls, block spoofed emails and use strong multi-factor authentication.
- Note that if the Privacy Act 1988 applies to your organisation, you must have regard to the mandatory reporting requirements to the Office of the Australian Information Commissioner under the notifiable data breaches scheme [5].
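As an added illustration of the "consistent processes for validating payments" point (example code written for this article, not from any of the firms, banks or courts mentioned; the vendor master entry, names and domains are constructed), the check below holds a payment request for out-of-band confirmation when the beneficiary details differ from the verified vendor record, or when the sender's domain is not, or merely resembles, the vendor's known domain:

```python
from dataclasses import dataclass

# Constructed vendor master: beneficiary details and sender domain confirmed by phone when the vendor was onboarded.
VENDOR_MASTER = {
    "acme supplies": {"bsb": "062-000", "account": "12345678", "domain": "acme-supplies.example"},
}

@dataclass
class PaymentRequest:
    vendor: str
    sender: str   # address the instruction or invoice arrived from
    bsb: str
    account: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_payment(req: PaymentRequest) -> list[str]:
    """Reasons the request must be held for out-of-band confirmation (empty = matches record).
    A changed account is flagged even from the vendor's genuine domain: in the Du and
    St. Lawrence cases the instructions came from the victim's real, compromised mailbox."""
    record = VENDOR_MASTER.get(req.vendor.lower())
    if record is None:
        return ["vendor has no verified record in the vendor master"]
    reasons = []
    if (req.bsb, req.account) != (record["bsb"], record["account"]):
        reasons.append("beneficiary details differ from the verified vendor record")
    domain = req.sender.rsplit("@", 1)[-1].lower()
    if domain != record["domain"]:
        if edit_distance(domain, record["domain"]) <= 2:
            reasons.append(f"sender domain {domain!r} is a lookalike of {record['domain']!r}")
        else:
            reasons.append(f"sender domain {domain!r} is not the vendor's known domain")
    return reasons

if __name__ == "__main__":
    genuine = PaymentRequest("Acme Supplies", "ar@acme-supplies.example", "062-000", "12345678")
    hijacked = PaymentRequest("Acme Supplies", "ar@acme-supplies.example", "062-000", "99999999")
    lookalike = PaymentRequest("Acme Supplies", "ar@acme-suppIies.example", "062-000", "99999999")
    for r in (genuine, hijacked, lookalike):
        print(r.sender, r.account, check_payment(r) or ["clear"])
```

Any non-empty result is a hold, not a rejection: the request is confirmed by telephone to a number already on file, never to one supplied in the email itself.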
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.