Estimated to result in worldwide losses in the millions every year, invoice fraud and business email compromise are scams which should now be identified in every cyber security risk register. The key legal problem arising from such scams is: who bears the responsibility when an email address is hacked and money is unwittingly sent to a fraudster?

In the fifth instalment of our 'data and cyber school series', we explore the current legal position, offering tips on how to limit the chances of falling victim to these email compromise scams.

What is business email compromise?

Business email compromise is a form of cybercrime where a threat actor intercepts and/or impersonates the legitimate email address of a business. The aim is to trick someone into sending money to a fraudulent account or divulging confidential and/or sensitive data and information. Hackers can gain access to an email address via phishing links or obtaining passwords. This allows them to gain information about a target company's operations and upcoming invoices, making any fraudulent emails seem genuine.

Invoice fraud is a common form of business email compromise. The threat actor impersonates the legitimate business, requesting that funds be sent to an alternative bank account. Once sent, these funds can be difficult to track or recover, affecting both the party who has transferred the funds, and the party whose email has been compromised and often for whom the money was originally intended.

Current approach to liability in England and Wales

Although an increasingly prevalent threat, business email compromise and invoice fraud have only been addressed by the courts a handful of times, and the decisions have been on very case-specific facts.

Generally, the courts consider both the paying party and the party whose email was hacked as victims. Where money is transferred to a third-party account because of fraudulent instructions from a compromised email address, and neither party was aware that it had been compromised, the paying party will likely remain liable to make a further payment to the legitimate recipient as their payment obligation stands. If one party is alert to the fraud, it is more likely the court will find them responsible for any resulting loss.

The following cases indicate the court's current approach to liability following this type of fraud.

J Brazil Road Contractors v Belectric Solar Ltd [2018] WL01 993147

J Brazil Road Contractors (the "contractor") carried out work for Belectric Solar Ltd (the "customer"), and the parties exchanged emails about an invoice due to be paid. During this exchange the email address of the contractor was hacked. The third-party fraudster provided new bank account details for payment, and money was sent by the customer to a third-party account rather than to the contractor. When the contractor made a claim for the money it hadn't received, the customer argued that the payment had already been made, and that:

  • They were entitled to rely on the details provided as the email address appeared to be that of the contractor; and
  • As the email address was the same as the contractor's, emails sent from this address could be taken as on behalf of and with the authority of the contractor.

The court did not accept these arguments. It found that the third party communicating through the hacked email address was neither the contractor nor someone acting on its authority. It was well known that emails were not secure, and the use of a standard email in the course of a commercial transaction did not amount to any representation by the owner of the email address that it was secure. The customer was therefore still liable to make payment to the contractor.

Sell Your Car With Us v Sareen [2019] EWHC 2332

Mr Sareen (the "seller") sold his car to Sell Your Car With Us (the "buyer"), and the parties exchanged emails regarding the transfer of the sale funds. During these exchanges, the email address of the seller was impersonated by a fraudster using a very similar but not identical email address, changing the bank account details to which funds were to be sent. The bank account details were verified by a number provided by the fraudulent email address, and the buyer sent the money to the fraudster rather than to the seller.

The court found that the buyer was solely responsible for the scammed money and remained liable to pay the seller the amount owed. The court rejected that there was an implied term in the contract for the sale that the seller would take reasonable care over the security of their emails. It also found that the buyer was 'sufficiently alert' to the fraud as the email addresses were similar but not the same, and the buyer had failed to follow its own policies and procedure regarding notification of a changing email address.

Tips to avoid falling victim to business email compromise Scams

Whilst hackers become more sophisticated, and emails become harder to keep secure, there are steps you can take to reduce the risk of falling victim to a business email compromise scam.

  1. Train employees to recognise and report suspicious emails

    Whilst a compromised email address may be difficult to detect, emails may on their face give clues that they are not genuine and that it is a third party on the other side. Train your employees to recognise suspicious email activity, for example a tone dissimilar to previous communications, spontaneous requests to share passwords, suspicious or unnecessary links within emails, or an unfounded sense of urgency.
  2. Verify bank account details verbally via an independently obtained phone number

    Bank account details provided via email should be verified verbally. Do not use the phone number provided via email or in the email signature of the email providing the bank account details. If the email address has been hacked, it could be the hacker verifying the details at the other end. Best practice is to use an independent switchboard number, which can often be found on a company's website.
  3. Encourage routine compliance

    Where policies on changing bank details or email addresses are in place, ensure that people in the business follow them routinely. Encourage habit-forming through checklists and reminders, the allocation of responsibility regarding enforcement of policies, and regular training.
  4. Use technical controls to keep email accounts safe

    Keep email accounts secure through technical controls such as multi-factor authentication and encryption on emails (which keeps information secure by only allowing access through an encryption key). Regularly review any controls in place to ensure they are being utilised properly.
  5. Consider adding controls into your contracts

    Try to include protections against business email compromise in your contracts, particularly where the relationship involves regular invoicing. Including obligations to proactively monitor and maintain email security could help to establish responsibility should an email address be compromised. Similarly, clear payment terms which specify a nominated account for payment and a change of account policy can help to outline the steps should a request to change bank account details be received.

I've sent money to a fraudster…now what?

As soon as you realise that you have sent money to a fraudster, you need to act quickly and calmly. The first step is to contact your bank or payment provider. There are several actions which the bank might take, including preventing the transaction from completing or blocking your account completely. If the money has already been taken, the bank may be able to claw it back or may reimburse you directly (depending on the nature of the fraud). It is a good idea to record everything that happened leading up to the fraud so that you can provide the bank with evidence and increase the likelihood of your money being returned to you. If the bank fails to act quickly, you can complain to them and if a response is not received within 8 weeks, the complaint can be escalated to the Financial Ombudsman.

The government has recently proposed new laws to extend the time that payments can be delayed by 72 hours where there are reasonable grounds to suspect a payment is fraudulent and more time is needed for the bank to investigate.

Ensure that you report the fraud or attempted fraud to Action Fraud (AF). AF is the UK's national reporting centre, and they have both an online reporting service and a telephone number. Not only will they be able to help advise you on how to try to get your money back, AF will also be able to help advise on how to prevent a reoccurrence.

Remember to communicate with those individuals within the organisation who are responsible for making payments (or who otherwise might carry out tasks which could be the subject of further similar fraudulent attacks). Those individuals will need to be vigilant, and it may be that additional training is required and/or an amendment to your organisational controls to tighten security and avoid a reoccurrence.

Finally, consider whether you might be insured and whether you should notify your insurers.

If you think you may have been a victim of business email compromise or invoice fraud, or would like further advice on how your contracts can provide protection and allocate responsibility, please contact Amber Strickland or Patrick Arben

With thanks to Alicia Dominique, Associate and Freya Jamieson, Trainee Solicitor for their contributions to this article.