Email hacking or, to give it its proper name, business email compromise ('BEC'), is unfortunately relatively common. The most common scenario is a phishing attack in which criminals gain access to a business's email account and then contact its customers or suppliers, pretending to be that business and asking them to make payments to the fraudster's bank account.
These attacks are particularly common against solicitors' firms, where they are often referred to as 'Friday afternoon fraud'. They can take place at any time, but they acquired that name because many conveyancing transactions complete on a Friday afternoon.
Aside from the potentially serious financial and reputational ramifications of such an attack, there is the thorny question of who is liable for that payment.
Unfortunately, as cybersecurity is a relatively new area (and the law is not always that quick at keeping up) there is surprisingly limited case law. This may also be attributable to insurance policies which mean that many of these cases are dealt with without the need for litigation.
Contractual position
The first step will be to determine the factual position, i.e. who got hacked. This may be a matter for expert IT investigation, but many of the cases involve businesses dealing with consumers, where it is in fact the business that has been hacked.
The next step is to consider the terms of the contract. Contracts may deal specifically with liability for BEC, or may require the parties to maintain a minimum standard of cybersecurity. If so, the contract may decide the position, particularly if the hacked party failed to maintain the standard agreed in the contract.
If the contract does not specifically deal with BEC, many do specify how and when payment should be made, commonly by specifying a nominated bank account. This gives rise to the question of whether, by making payment to a nominated account (albeit one nominated by a fraudster), the paying party has discharged its obligation to pay and is therefore under no obligation to pay again, notwithstanding that the payment never reached the recipient. Before online banking and email, where a customer was asked to pay by cheque, the obligation was fulfilled by the act of putting the cheque in the post, meaning the customer was not liable to make further payment even if the cheque was lost or stolen in transit. If the paying party has complied with all of its obligations, there may be an argument that, by making payment to a nominated account, it is under no further obligation to pay.
Duty of Care
In addition to the contractual position, one must consider whether a duty of care is owed to prevent fraud. Again, the law on this matter has not really kept up with modern technology, and we are often left trying to draw analogies from cases involving cheques. With cheques, it is the payer who has the responsibility to ensure that the cheque cannot be altered or forged. On the basis of these old authorities, there may be an argument that where a creditor instructs a debtor to make payment in accordance with instructions provided by email, the creditor owes a duty to take reasonable care to ensure that a dishonest person cannot intercept that communication and cause payments to be sent to the wrong bank account. Accordingly, the paying party may be able to establish an implied duty of care in contract or tort.
Decisions in the UK Courts
There are remarkably few decisions in the UK Courts concerning BEC fraud. The main ones are:-
- Sell Your Car With Us v Sareen [2019] BCC 1211. This case related to the sale of a car for £51,800. The seller's email was hacked and Sell Your Car With Us Ltd sent £30,000 of the purchase money to a fraudster's account. Mr Sareen sued for the money and the buyer counterclaimed that Mr Sareen was responsible, relying on an alleged implied term that Mr Sareen would take reasonable care over the security of his email communications, and an implied misrepresentation by Mr Sareen that he had reasonable control of the security of his emails. The judge determined that Sell Your Car With Us Ltd was solely responsible. However, the terms of the contract between the parties will be relevant. In this case, the judge found that the company was alert to the risk of fraud and failed to follow its own anti-fraud procedures.
- In J Brazil Road Contractors v Belectric Solar Ltd 2018 WL01 993147, J Brazil's email was hacked and, on the instructions of the hacker, Belectric sent money to a fraudulent account. Belectric argued that the hacker was in effect an agent of J Brazil and that Belectric was entitled to rely on those instructions. This argument was rejected. The judge stated that both parties were innocent victims of the hack, but Belectric nonetheless remained liable to J Brazil for the payment, which J Brazil had never received.
The limited case law that we do have therefore suggests that in such cases the paying party remains liable to the receiving party to make payment, notwithstanding that it has already lost money. There may be a clearer argument that the hacked party is responsible where the hacker has accessed its server and sent the instructions from a genuine email address, than in cases where the fraudster has used a confusingly similar, look-alike email address, where there is more of an onus on the paying company to spot that a fraud is taking place. Further, in the J Brazil case, the judge did comment that Belectric's argument might have succeeded if it could have shown that J Brazil was aware its email had been hacked and had done nothing about it. However, there was no evidence to suggest that this was the case.
Overall, allocation of liability for BEC fraud is something that companies may wish to start thinking about when preparing terms and conditions of business; alternatively, they may wish to agree minimum standards of cybersecurity with their counterparties if fraud is a concern. Moreover, in such cases prevention is usually better than cure. The cases show that even where both parties are 'innocent victims' of fraud, the consequences can be pretty disastrous for at least one of them. You should ensure that you have good standards of cybersecurity in place, that your staff are trained to spot common scams and frauds, and that you have anti-fraud procedures which are actually followed. In particular, any change to a counterparty's bank details received by email should be verified by telephone on a number you already hold for them, never on a number given in the email itself, before any payment is made.
If you have any queries regarding business email fraud claims, please do not hesitate to contact Kezia Brown by email or on 01494 893504.