Business Email Compromise Scams - Who is Liable?
Recent data has shown that in 2022, Australians have lost more than $72 million in scams.
Historically, scams were easier to detect in that they were usually a poorly worded email or a suspicious phone call. However, cybercrime has evolved and now Australians are having their personal information put at risk as well as losing their hard-earned money every day.
In recent times there has been an alarming increase in the number of scams and attempted scams resulting from business email compromise (“BEC”). Here, cybercriminals seek to infiltrate the networks (including email accounts) of businesses and corporate entities in order to use those accounts to obtain payments or personal information from clients of that business.
These cybercriminals can be very convincing, leading unsuspecting victims to believe they are communicating with a business or corporation with which they regularly deal, and often resulting in the victims making the payment to the cybercriminal’s account or sending the personal information requested.
BEC scams understandably leave both the business and the consumer each reasonably regarding themselves as the innocent victim.
So, who is to blame?
At present, no Australian Court has made a definitive decision as to liability for payments made as a result of a BEC scam, meaning that a careful consideration of the particular facts of each case is necessary.
An analysis of cases involving BEC scam losses from other jurisdictions (including Canada and the USA) suggests that the courts in those jurisdictions are generally willing to hold the business liable for money paid by a consumer in reliance on a BEC scam where:
sufficient care was not taken by the business to secure its email or computer networks (as evidenced by the fact that those systems were compromised by cybercriminals);
no reasonable grounds exist for the consumer to suspect that the request for payment was not coming from the business. Such grounds may arise where the request is unusual or lacks any commercial common sense (for example, a request that payment be made to a different account from the one the consumer usually pays), or where the consumer has not followed prior warnings or cautions from the business not to make payment to any account advised by email without first obtaining phone confirmation.
In cases where some blame or fault rests on both the business and the consumer, it is possible that liability could be appropriately apportioned by a court.
Tips for Prevention
Some ways that a business can protect itself against liability include, but are not limited to:
Engaging in constant reviews of the security and authentication of the business’ computer network and email accounts;
Reviewing and updating any or all of their contracts, terms and conditions and online/email disclaimers to ensure that consumers are given notice of how payment details will be conveyed by the business, and are warned that no payment should be made to an account advised by email without first calling the sender to confirm the authenticity of the email and account details; and
Reviewing the business’ insurance policies to understand whether liability arising from BEC scams is covered, and what steps the business must implement to comply with that policy. Given that allowing a cybercriminal access to your email is all it may take for significant liability to accrue to your business, we consider insurance to be crucial if your business regularly requests or deals with large transfers.
In respect of consumers, best practice is to ensure that account details are confirmed by telephone or in person with a known member of the requesting business prior to undertaking any payment requests received by email.
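The following is an added example, not part of the original article or of Palisade Corporate’s material, showing how the call-back control described above (and the “different account from the usual one” red flag discussed under liability) can be encoded in an accounts-payable workflow: an emailed payment request is compared against the payee’s record on file, and any mismatch in sender domain or bank details places the payment on hold until the details are confirmed by phone using the number on file rather than any number quoted in the email. The vendor records, phone numbers, domains and sample requests are all constructed for illustration.

```python
"""Screening emailed payment requests against a vendor master file.

Added example (constructed data): a request whose sender domain or bank
details differ from the payee's record on file is placed on hold for
telephone confirmation with a known contact, as the article recommends.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str    # domain this payee normally emails from
    bsb: str             # constructed Australian BSB, not a real branch
    account: str         # constructed account number
    callback_phone: str  # number held on file, never taken from the email


@dataclass(frozen=True)
class PaymentRequest:
    payee: str
    sender_email: str
    bsb: str
    account: str
    amount: float


# Constructed vendor master data (hypothetical payee, domain and numbers).
VENDORS = {
    "Acme Conveyancing": Vendor(
        name="Acme Conveyancing",
        email_domain="acme-conveyancing.example",
        bsb="062-000",
        account="12345678",
        callback_phone="+61 2 0000 0000",
    ),
}


def screen_request(req, vendors=VENDORS):
    """Return a (decision, reasons) pair.

    decision is "pay" when everything matches the record on file, otherwise
    "hold" with the reasons the payment must be confirmed by phone first.
    """
    vendor = vendors.get(req.payee)
    if vendor is None:
        return "hold", ["payee not in vendor master; verify by phone with a known contact"]

    reasons = []

    # A lookalike or unrelated sending domain is a red flag, but note that a
    # genuinely compromised mailbox will pass this check: the bank-detail
    # comparison and the call-back are the decisive controls.
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        reasons.append(
            f"sender domain {sender_domain!r} differs from domain on file {vendor.email_domain!r}"
        )

    # The article's central warning: never pay to an account advised by email
    # that differs from the one usually paid without phone confirmation.
    if (req.bsb, req.account) != (vendor.bsb, vendor.account):
        reasons.append(
            "bank details differ from those on file; confirm by calling "
            f"{vendor.callback_phone} (number on file, not from the email)"
        )

    if reasons:
        return "hold", reasons
    return "pay", []


if __name__ == "__main__":
    # Constructed sample: same payee, but the email quotes a new account.
    suspicious = PaymentRequest(
        payee="Acme Conveyancing",
        sender_email="settlements@acme-conveyancing.example",
        bsb="062-000",
        account="99999999",
        amount=450000.0,
    )
    decision, why = screen_request(suspicious)
    print(decision)
    for line in why:
        print(" -", line)
```

Because the sender check compares only the domain, a request sent from the business’s own compromised mailbox will look legitimate on that test; the hold is triggered by the changed bank details, which is why the phone number used for confirmation must come from the record on file and not from the email itself.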
If you have experienced any loss by reason of a BEC scam, or wish to obtain advice about how to best protect your business, please do not hesitate to contact the team at Palisade Corporate for more information.