Cybercrime & financial fraud: the new reality
Cybercrimes come in all shapes and sizes. They vary in sophistication, but the most common types of cybercrime giving rise to civil liability are those that involve emails being intercepted and bank account details being changed or manipulated.
In our experience, cybercrimes typically involve fraudsters hacking into email accounts and monitoring those accounts, often over many weeks or months, waiting for an opportunity to arise.
When the sender (usually a business) sends the recipient (usually a customer) an invoice or bank account details with a payment request, fraudsters intercept the email and change the bank account details, usually using an account set up by the fraudsters with a name similar to the genuine account. Payment is made into the fraudulent bank account and the monies are then transferred to another account, often outside the UK.
So where does liability ultimately fall?
In this scenario, the bank (provided it has not been negligent in some way) tends to escape liability on the basis that it has simply made the payment on the payer’s instructions.
The first point to ascertain is whose email account or computer system was hacked. Whilst both parties are likely to contest liability for the data breach and any subsequent losses, suitably qualified experts can evidence this.
If the business’s email account was hacked, it could be argued that:
- the contractual relationship between the parties implies that the business has adequate protection against third party breaches of its IT system for the ultimate benefit of its customers; and/or
- the business owes a duty of care to implement a secure IT system for its customers and that, assuming it was at fault for the IT system being compromised, it caused the customer’s immediate and its own ultimate loss.
The next question is this: did the customer take sufficient steps to confirm the accuracy of the invoice/account details before making payment?
If the customer is a regular customer, they will have made previous payments to the business, in which case the customer should be extremely cautious if account details suddenly change, particularly where large payments are concerned. Businesses generally don’t change their banking arrangements regularly.
Account details should always be verified verbally over the telephone with the individual handling the matter or someone in the finance team before making payment.
If the customer makes payment to the new account details without verbally verifying those details, the customer could be liable, even if it transpires that the business’s email account has been hacked.
Clearly all cases of cybercrime are fact-specific, but cyberattacks can cause financial damage, a breach of data protection laws and reputational damage. Businesses of all sizes should therefore prioritise cybersecurity on their risk registers.