1. Business email compromise scams – what are they?
A business email compromise (BEC) scam is a form of cybercrime in which an attacker gains access to a business email account and uses it to defraud organisations of money or goods.
The receptionist for a large heavy equipment dealer (Seller) clicked on a link in an email advising her that her ATO account had been suspended. The link delivered malware, which was downloaded onto the Seller’s server. The malware then collected login details for the Seller’s employees and sent them to hackers in West Africa. With those credentials the hackers were able to redirect incoming and outgoing emails to their own external email accounts (which were temporary and anonymous).
The hackers worked out who at the Seller was responsible for sending invoices (an employee named Graham) and for receiving payments (Alice). When the Seller sold a $250,000 bulldozer to a contractor business (Buyer), the hackers intercepted the invoice, changed the payment bank account details to their own account, and resent it to the Buyer from Graham’s legitimate account.
The Buyer paid the $250,000 to the bank account nominated on the invoice (the hacker’s account), and sent confirmation of payment (a bank deposit notice) to Alice. The hackers intercepted the notice to Alice and amended the bank account details to the correct ones for the Seller, and resent it to Alice. Alice duly noted that the payment had been made to the correct account, and authorised release of the bulldozer for delivery to the Buyer.
The Buyer received the bulldozer and thought that it had paid the Seller the $250,000. From the payment confirmation, the Seller also thought the Buyer had paid the $250,000 to the Seller. After a few days, the Seller realised the money had not reached their account.
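The interception in the case study depended on inbox rules that quietly forwarded or redirected Graham’s and Alice’s mail to external, throwaway addresses. Those rules are one of the few durable artefacts a BEC intrusion leaves behind, so reviewing every mailbox’s rules for external forwarding is a standard post-compromise (and routine) check. The script below is an added example, not code from the original article or the firm: it scores inbox rules using a simplified schema of its own (an assumption; exports from Exchange, Microsoft 365 or Google Workspace use their own field names and would need to be mapped into this shape). The rule records, domains and addresses are constructed sample data.

```python
"""Flag mailbox inbox rules of the kind used in a BEC intrusion: rules that
forward or redirect mail outside the organisation, especially when they also
delete or hide the original so the mailbox owner never sees it.

Added example. The schema and all sample data are constructed (assumption).
"""
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"seller.example"}
# Free/anonymous providers attackers commonly use as collection boxes.
FREE_MAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}
# Folders the owner rarely reads; moving mail here hides it almost as well as deleting it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}
FINANCE_TERMS = {"invoice", "payment", "remittance", "bank", "wire", "bsb", "account"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def assess_rule(rule: InboxRule) -> dict:
    """Return a severity and the reasons behind it for one inbox rule."""
    reasons = []
    external = [a for a in rule.forward_to + rule.redirect_to
                if domain_of(a) not in INTERNAL_DOMAINS]
    hides = rule.delete_message or rule.move_to_folder.strip().lower() in HIDING_FOLDERS
    finance = any(term in s.lower() for s in rule.subject_contains for term in FINANCE_TERMS)

    if external:
        reasons.append("sends mail outside the organisation to " + ", ".join(external))
        if any(domain_of(a) in FREE_MAIL_PROVIDERS for a in external):
            reasons.append("destination is a free/anonymous mail provider")
        if hides:
            reasons.append("original is deleted or moved to a rarely-read folder, so the owner never sees it")
        if finance:
            reasons.append("triggered by finance terms in the subject: " + ", ".join(rule.subject_contains))
    if len(rule.name.strip()) <= 2:
        reasons.append("rule name is blank or a single character (typical of scripted rule creation)")

    if external and (hides or finance):
        severity = "high"
    elif external:
        severity = "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return {"mailbox": rule.mailbox, "rule": rule.name, "severity": severity, "reasons": reasons}


def triage(rules) -> list:
    """Assess every rule and return the ones worth a look, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [assess_rule(r) for r in rules]
    return sorted((f for f in findings if f["severity"] != "none"),
                  key=lambda f: order[f["severity"]])


# Constructed sample rules modelled on the case study (not real data).
SAMPLE_RULES = [
    # Attacker rule on the invoicing mailbox: redirect invoices out, delete the original.
    InboxRule("graham@seller.example", ".", redirect_to=["gr4ham.invoices@gmail.com"],
              delete_message=True, subject_contains=["invoice"]),
    # Attacker rule on the payments mailbox: copy everything out, bury the original.
    InboxRule("alice@seller.example", "Sync", forward_to=["al.payments@outlook.com"],
              move_to_folder="RSS Subscriptions"),
    # Legitimate internal cover arrangement: should not fire.
    InboxRule("graham@seller.example", "Cover while on leave", forward_to=["alice@seller.example"]),
    # Legitimate but external: worth confirming with the owner.
    InboxRule("alice@seller.example", "Copy to auditor", forward_to=["audit@partner-firm.example"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RULES):
        print(f"[{f['severity'].upper()}] {f['mailbox']} rule {f['rule']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

Run this over a full export of rules rather than only the mailboxes you already suspect: in the case study the hackers took credentials for many employees, and a finding on one mailbox is a reason to check the rest. Tenant-level controls (blocking automatic external forwarding, alerting on rule creation) are the durable fix; this kind of sweep is what you run when you do not yet have them.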
Who is liable for the loss?
The Seller argued that the Buyer should be liable because it should have known, from its previous dealings with the Seller, what the usual invoice payment details were and should have taken steps to verify those new details. Conversely, the Buyer argued that the Seller should bear the loss because it was the Seller’s system that was compromised.
2. Legal position
There is currently no case law in Australia clarifying the position on liability arising from BEC scams.
BEC scams have been considered in the United States, where the courts have determined that, to assess liability, ‘the party who was in the best position to prevent the forgery by exercising reasonable care suffers the loss’. This position comes from the case of Arrow Truck Sales v Top Quality Truck & Equipment Inc 2015 WL 4936272, involving a contract for the purchase of trucks where the transaction was conducted over email and a hacker impersonated the seller to send fraudulent ‘wiring instructions’. While the Court ultimately found that neither party was negligent in handling its email accounts, it allocated the loss on the basis that the buyer should have attempted to verify the fraudulent wire instructions.
This position can be compared with the limited case law in Canada. In St. Lawrence Testing & Inspection Co. Ltd. v. Lanark Leeds Distribution Ltd 2019 CanLII 69697, the Court adopted a contractual approach to determining liability for a BEC scam. In that case the defendant was to pay the plaintiff a sum in settlement of proceedings, but a hacker impersonated the plaintiff to send fraudulent ‘wiring instructions’. The Court held that there was no contract between the plaintiff and the defendant allowing the defendant to rely on emailed instructions from the plaintiff, and that there was no negligent or wilful misconduct by the plaintiff, so the loss fell on the defendant.
These cases make the practical challenges clear: there are limited avenues of recourse where a masked cybercriminal sits behind the scheme and two innocent parties are exposed to the loss. This leaves the courts in the difficult position of deciding where that loss ought to fall.
In Australia, we have yet to see the same fallout from business email compromise scams in our courts. If the Australian courts apply the same line of reasoning as the courts in the US and Canada, then where there have been previous dealings between the parties, the recipient of the fraudulent email will be liable for the loss if it failed to verify new payment instructions. This would align with the Seller’s argument in the case study above.
3. Key takeaways
While we wait for a settled position in Australia on BEC scams and the capacity for losses to be recovered, we recommend that all businesses take steps to protect themselves from the significant loss that can flow from these scams.
Our three key tips to reduce the risk of losses arising from BEC scams are:
- implement staff training, backed by business processes that require independent verification of any new or changed payment details before funds are released (using a contact taken from your own records, not from the email or invoice announcing the change), so that the warning signs of a business email compromise scam are identified early;
- review your contracts for any exclusions of liability for loss arising from business email compromise scams and seek advice on how to protect yourself in the current climate; and
- consider whether your insurance covers you for social engineering fraud, and weigh the possible risk against the premiums for obtaining such coverage.
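The first tip is the one that would have stopped both losses in the case study: the Buyer paid to new bank details without checking them, and the Seller released the bulldozer on the strength of an emailed deposit notice. The release check below is an added example, not the firm’s process or code from the article. It holds any payment whose bank details differ from the vendor master record unless the change has been confirmed out of band, and it treats a confirmation as worthless if the number dialled came from the invoice itself rather than from the master record. The vendor master, invoice and verification records are constructed (an assumption about how an accounts-payable system would expose this data), and the BSB and account numbers are made up.

```python
"""Payment release check: pay only when the invoice's bank details match the
vendor master, or when a change has been verified out of band via the contact
already on file. Added example; all records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


def digits(s: str) -> str:
    """Keep only digits so '123-456', '123 456' and '123456' compare equal."""
    return "".join(ch for ch in s if ch.isdigit())


@dataclass(frozen=True)
class BankDetails:
    bsb: str       # Australian bank-state-branch code (constructed values below)
    account: str

    def key(self):
        return (digits(self.bsb), digits(self.account))


@dataclass
class Invoice:
    vendor_id: str
    number: str
    amount_aud: float
    bank: BankDetails
    contact_phone: str   # the number printed on this invoice: attacker-controlled in a BEC, never trusted


@dataclass
class OutOfBandVerification:
    vendor_id: str
    bank: BankDetails      # the details the vendor confirmed on the call
    phone_dialled: str     # the number the AP clerk actually rang
    verified_on: date


# Constructed vendor master (assumption: your AP system holds the equivalent).
VENDOR_MASTER = {
    "V-1001": {
        "name": "Heavy Equipment Dealer Pty Ltd",
        "bank": BankDetails("123-456", "12345678"),
        "phone": "+61 2 5550 1234",   # captured at onboarding, not from any invoice
    },
}


def check_payment(invoice, master, verifications, today, max_age_days=30):
    """Return ('PAY' | 'HOLD', reason) for one invoice."""
    vendor = master.get(invoice.vendor_id)
    if vendor is None:
        return ("HOLD", "vendor not in master record")
    if invoice.bank.key() == vendor["bank"].key():
        return ("PAY", "bank details match vendor master")

    # Details changed: look for a recent verification of exactly these details.
    recent = [v for v in verifications
              if v.vendor_id == invoice.vendor_id
              and v.bank.key() == invoice.bank.key()
              and today - v.verified_on <= timedelta(days=max_age_days)]
    if not recent:
        return ("HOLD", "bank details differ from vendor master and no out-of-band verification on record")

    # The verification only counts if it went to the contact we already had on file.
    trusted = [v for v in recent if digits(v.phone_dialled) == digits(vendor["phone"])]
    if not trusted:
        return ("HOLD", "change was confirmed using a contact not taken from the vendor master; "
                        "re-verify via the number on file")
    return ("PAY", f"new bank details confirmed via vendor master contact on {trusted[0].verified_on.isoformat()}")


# Constructed scenarios mirroring the case study.
TODAY = date(2024, 3, 15)
GENUINE = Invoice("V-1001", "INV-7781", 250000.0, BankDetails("123-456", "12345678"), "+61 2 5550 1234")
TAMPERED = Invoice("V-1001", "INV-7781", 250000.0, BankDetails("987-654", "55501982"), "+61 4 0000 0000")
CALLED_INVOICE_NUMBER = OutOfBandVerification("V-1001", TAMPERED.bank, TAMPERED.contact_phone, date(2024, 3, 14))
CALLED_MASTER_NUMBER = OutOfBandVerification("V-1001", TAMPERED.bank, "+61 2 5550 1234", date(2024, 3, 14))

if __name__ == "__main__":
    for label, inv, verifs in [("genuine invoice", GENUINE, []),
                               ("tampered, unverified", TAMPERED, []),
                               ("tampered, rang invoice number", TAMPERED, [CALLED_INVOICE_NUMBER]),
                               ("tampered, rang number on file", TAMPERED, [CALLED_MASTER_NUMBER])]:
        decision, why = check_payment(inv, VENDOR_MASTER, verifs, TODAY)
        print(f"{label:32} -> {decision}: {why}")
```

The same principle applies on the receiving side: Alice should have confirmed the $250,000 against the Seller’s own bank ledger before releasing the bulldozer, not against a deposit notice that arrived by the very channel the hackers controlled.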
This article was written by Bill Singleton, Partner and Alexandra Trezise, Associate.