Updated: Nov 6, 2021
Trying to work out who is responsible for business email compromise is an increasing problem for Australian businesses and their customers.
Who is at fault (also known as being 'liable') when a business's email system is compromised by hackers, bank details manipulated and a customer pays money to the hacker, rather than the business?
In this article, we take a look at who bears the responsibility for business email compromise and what you can do if you have been the victim of business email compromise.
Author: Farrah Motley, Legal Principal of Prosper Law.
The Problem of Business Email Compromise
Since the start of the global COVID-19 pandemic, attacks on, damage to and unauthorised access to information and technology systems have significantly increased. Jürgen Stock, the INTERPOL Secretary General, has been quoted as saying:
“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”
And it's not slowing down. In fact, cybercrime is expected to significantly increase into the future.
Ms Abigail Bradshaw, Head of the Australian Cyber Security Centre has said “In 2019-20 financial year there were 4,255 reports of BEC scams reported through the ACSC’s ReportCyber tool, representing losses of over $142 million.”
For more information on cybercrime in Australia, visit this link.
Business email compromise is a problem because it usually involves the manipulation of invoices. A cybercriminal pretends to be the trusted supplier and sends a fake invoice to the customer or intercepts a real email, changes the bank details on the invoice, and sends it on to the customer.
Sometimes the scam is so sophisticated that the cybercriminal is able to mimic the supplier's real email address so that even if the customer double-checked the email address of the sender, they would still be unable to determine on the face of the email whether the invoice has been legitimately sent by the supplier.
Next, the customer pays the money into the hacker's bank account. Often, by the time either the supplier or the customer realises what has happened, the funds have already been withdrawn from the hacker's bank account.
In this scenario, both the supplier and the customer lose out. The supplier hasn't received payment and the customer hasn't received their goods and/or services.
What is 'Business Email Compromise'?
Incidents of business email compromise / email account compromise / email compromise fraud are on the rise. Business email compromise is a subset of cybercrime. It is the abuse of trust in a business's email systems to procure the transfer of data or money, whether by social engineering, hacking or spoofing.
You can find out more about the IT jargon here.
So, who is at fault - or, to put it another way - who bears the loss if a hacker fraudulently intervenes in a legitimate business transaction between two innocent parties and one of those parties suffers loss?
Publicly available email accounts (usually belonging to employees who have authority to receive or make payment transfers) are either spoofed or compromised through keyloggers.
A keylogger is a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information.
An email account can also be compromised through a phishing attack. A phishing attack is the practice of sending fraudulent communications that appear to come from a reputable source. The hacker uses the guise of trust to carry out the fraudulent behaviour, resulting in loss to the unwitting victim(s).
Business email compromise is generally also accompanied by a data breach. If it is, your business should also consider whether it is required to notify the Office of the Australian Information Commissioner of the data breach.
Click here to find out more about data breach notifications in Australia.
The law that is relevant to business email compromise
To answer the question 'who is liable for business email compromise', we must turn to the law of negligence and figure out:
was a duty of care owed from one party to the other?
did that party fail to exercise their duty of care?
as a result of that failure, did the other party suffer loss or damage?
Now let's look at how these concepts are dealt with in the context of business email compromise in Australia.
There are two scenarios when it comes to figuring out who is responsible for invoice manipulation:
the business's emails have been 'spoofed'
the business's emails have been hacked
You need to work out which one applies before you can determine who is legally responsible.
Next, let's look at the difference between spoofing and hacking in the context of the law.
Who is legally responsible for a 'spoofed' email?
First, let's recap on spoofing. Spoofing happens when a cybercriminal pretends to be someone they are not. They do this by disguising their actual email address as the email address of the person or business they are pretending to be.
For example, their email address might be email@example.com, but they have 'covered' the email so that when the recipient receives it, it appears to come from trusted firstname.lastname@example.org. The only way to confirm whether an email has been spoofed or not (before assuming it has actually been sent by the legitimate sender) is to check the source code of the email, that is, its full headers.
If the business's email has been spoofed, the business is unlikely to be legally responsible for any loss suffered by the customer who has paid into the wrong account. The customer is still liable to pay the outstanding amounts to the supplier before they can receive the goods and/or services.
Who is legally responsible for a hacked email?
Hacking and spoofing are different.
Hacking versus spoofing
Hacking occurs when a cybercriminal has gained access to a business's email or IT systems and is impersonating someone at the supplier's business. The business may be completely unaware that its systems have been compromised. Unlike spoofing, checking the source code of the email will not uncover any indication that you are dealing with a hacker on the other end, because the email will have come from the business.
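The contrast between the two sections above (a spoofed email shows indicators in its source, a hacked account does not) can be seen by examining full message headers. The following is an added example and is not code from Prosper Law or the original article; it uses two constructed messages with placeholder domains (trusted-supplier.example, customer.example, mail-relay.example.net) and reads the From, Return-Path, Reply-To and Authentication-Results headers that receiving mail servers add. The assumed indicators are the ones a forensic examination would look for: a sending domain that differs from the displayed From address, a Reply-To pointing elsewhere, and SPF/DKIM/DMARC results other than "pass".

```python
import email
import re
from email.utils import parseaddr

# Constructed sample 1: a spoofed invoice email. The From header displays the
# supplier's domain, but the message was actually relayed through an unrelated
# host, the Reply-To points to a look-alike domain, and SPF/DKIM/DMARC fail.
SPOOFED_SAMPLE = """Return-Path: <accounts@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
 by mx.customer.example with ESMTP id ABC123
Authentication-Results: mx.customer.example;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail header.from=trusted-supplier.example
From: Accounts <accounts@trusted-supplier.example>
Reply-To: <accounts@trusted-supplier-invoices.example.net>
To: payer@customer.example
Subject: Updated bank details for invoice 1042

Please pay to the new account below.
"""

# Constructed sample 2: the same kind of email sent from a compromised (hacked)
# supplier mailbox. It genuinely originates from the supplier's own mail
# system, so every header check passes even though the content is fraudulent.
COMPROMISED_ACCOUNT_SAMPLE = """Return-Path: <accounts@trusted-supplier.example>
Received: from mail.trusted-supplier.example (mail.trusted-supplier.example [198.51.100.5])
 by mx.customer.example with ESMTP id DEF456
Authentication-Results: mx.customer.example;
 spf=pass smtp.mailfrom=trusted-supplier.example;
 dkim=pass header.d=trusted-supplier.example;
 dmarc=pass header.from=trusted-supplier.example
From: Accounts <accounts@trusted-supplier.example>
To: payer@customer.example
Subject: Updated bank details for invoice 1042

Please pay to the new account below.
"""


def domain_of(addr_header):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc outcomes from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = outcome.lower()
    return results


def spoofing_indicators(raw_message):
    """Return a list of header-level spoofing indicators found in a raw email.

    An empty list means the headers are consistent with the displayed sender.
    It does NOT prove the email is genuine: a message sent from a hacked
    account passes these checks, as the second sample shows.
    """
    msg = email.message_from_string(raw_message)
    indicators = []
    from_dom = domain_of(msg.get("From", ""))
    return_path_dom = domain_of(msg.get("Return-Path", ""))
    reply_to_dom = domain_of(msg.get("Reply-To", ""))

    if return_path_dom and return_path_dom != from_dom:
        indicators.append(
            f"Return-Path domain '{return_path_dom}' differs from From domain '{from_dom}'")
    if reply_to_dom and reply_to_dom != from_dom:
        indicators.append(
            f"Reply-To domain '{reply_to_dom}' differs from From domain '{from_dom}'")

    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        outcome = auth.get(method, "missing")
        if outcome != "pass":
            indicators.append(f"{method}={outcome}")
    return indicators


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE),
                          ("compromised account", COMPROMISED_ACCOUNT_SAMPLE)):
        found = spoofing_indicators(sample)
        print(f"{label}: {found if found else 'no header-level indicators'}")
```

Run against a saved raw message (most mail clients offer "show original" or "view source"), the first sample produces five indicators while the second produces none. That empty result is the point of the hacking section: when the supplier's own account has been taken over, the email is authentic as far as the mail system is concerned, and only a comparison of the bank details against an independently confirmed record will catch the manipulation.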
If a business's email or IT systems have been hacked, and that has led to an invoice being manipulated, the business may be legally responsible for the loss that the customer has suffered.
Unfortunately (or fortunately [insert groundbreaking legal opportunity here]), there is very little in the way of legal precedent in Australia.
Currently, there is a matter before the Victorian Supreme Court involving Mills Oakley Lawyers. This incident allegedly involved a hacker pretending to be Mills Oakley's client, Mr Chua, requesting the transfer of settlement funds to an overseas bank account. Mills Oakley transferred the sum (to the tune of nearly $1 million) to the hacker's account.
More information about the case is available here.
In any event, the case isn't settled. The lack of legal precedent continues.
Business email compromise and the law of tort
A long time ago in a galaxy far, far away...
there might be some legal precedent that can answer the question...
[vague Star Wars reference]
BUT - we have the shining beacon of our 16th-century cause of action - the tort. Specifically, negligence may offer a remedy to... drum roll... the customer. Also, State and Territory legislatures have somewhat codified (I say "somewhat" because the various legislation does go to pains to state that it is not intended to codify) the law of negligence in their respective Civil Liability (and equivalent) Acts.
Taking Queensland as an example, the Civil Liability Act 2003 (Qld) states that (in summary):
you need to establish that the other party (in this context, the business) failed to take precautions against a risk that was foreseeable, not insignificant, and, in the circumstances, a reasonable person would have taken precautions against;
that last element (whether a reasonable person would have taken precautions) requires that the "reasonable person" would have taken into account the probability and likely seriousness of the loss or damage, the burden of taking precautions and the social utility of the thing that gave rise to the risk of loss or damage;
in deciding whether a breach caused the particular loss or damage, it needs to be established that the breach was a necessary precondition of the loss or damage and that it's appropriate for the scope of liability of the person in breach to extend to the loss or damage;
if the case is exceptional (which, given the dearth of legal precedent, one may argue is the case), whether or not and why the party in breach should be held liable; and
always, the onus of proof rests with the plaintiff (in this context, the customer) to establish on the balance of probabilities (i.e. more likely than not) the facts giving rise to the cause of action.
"In a dark place we find ourselves, and a little more knowledge lights our way"
If we apply the law of negligence to business email compromise, a business owes its customers and suppliers (and others who could foreseeably suffer a loss) a duty of care and must take reasonable steps to avoid business email compromise hacking scams.
For a business to do this, it must ensure that it is aware of the risks that may come from cybercriminal activity and business email compromise. In the face of the increasing sophistication of cyber-attacks and cybercriminal activity, businesses cannot afford to become complacent.
It is important for businesses to put procedures and systems in place to ensure the business is less likely to be a victim of cybercrime and business email compromise.
If a business fails to do this, it may breach its duty of care owed in negligence to its clients and suppliers and a court may find that the business is liable for the damage caused by cybercriminal behaviour due to the negligence in failing to safeguard the business from the cybercriminal activity.
What Should you do if you are a Victim of Business Email Compromise?
If you or your business have been the victim of a business email compromise scam, you should:
(either yourself or through a third party, such as CIA Solutions) conduct a forensic examination of email headers and log files required to prove the email fraud
negotiate with the likely source of the scam, which is usually a solicitor, a real estate agent, a conveyancer, or some other business that has requested payment into their business bank account
failing negotiation, commence proceedings against the likely source of the business email compromise scam (this will enable you to utilise the court's discovery processes and compel the other party to disclose documents and other records)
engage a well-known forensic IT expert to give an expert opinion on the business email compromise scam, such as Schatz Forensic Digital Evidence Experts.
How Can You Avoid or Prevent Business Email Compromise?
You can reduce the risk of business email compromise by ensuring you have robust security and IT systems in place. However, this sometimes isn't enough to prevent stealthy and expert hackers from gaining access to your business's emails.
In that case, you should seriously consider investing in cyber insurance. Although the insurance premiums for cyber insurance can be costly, it is often worth every penny. This is because not only can the insurance make you whole, but you can pass the benefit onto your customer who may also have fallen victim, and thereby ensure that you're keeping your customer happy and preventing some negative reviews of your business.
If your business is still compromised, it's possible that the cybersecurity system you have installed at your workplace has failed or the cyber security expert you have engaged to monitor your systems and alert you of an issue has failed to do their job.
If this happens, your business may have a case against the company that installed your cybersecurity system or against the relevant software company.
Business Email Compromise Case Study
We recently advised an individual customer who had purchased marine equipment. The customer had paid the invoice in two instalments (due to the daily bank transfer limit). Those invoices amounted to $18,000. A short period of time after the second invoice was paid, the merchant business confirmed they had not received payment and the bank details were checked over the phone.
It soon became apparent that the business's invoice had been intercepted and the bank details changed to those of the hacker. My client telephoned the bank and advised that the account the money was paid into was suspected of being fraudulent.
The bank advised my client to wait until the funds had cleared (up to three business days) and confirm that the merchant business had not received the funds. If they hadn't, my client was advised to call the bank again.
On the face of the documents, it appeared that the business's email system had been compromised. However, to be able to prove this, my client would need to hire a forensic IT expert to examine both my client's systems (and email), as well as the business's.
Additionally or alternatively, my client could pursue the bank for alleged negligent advice in telling my client to wait a further period of time before the bank made an attempt to recover the funds. My client opted to pursue the bank initially and we submitted a formal (and successful) complaint to the Australian Financial Complaints Authority on my client's behalf.
How can Prosper Law help?
Prosper Law is managed by Farrah, an expert business lawyer based in Brisbane. Farrah helps businesses with commercial and legal issues, right across Australia. Farrah has experience dealing with matters involving business email compromise.
Contact Farrah using the details below and arrange a free consultation with a business lawyer to discuss your legal matter today.
Author: Farrah Motley | Legal Principal
PROSPER LAW - A Law Firm for Businesses
M: 0422 721 121
A: Suite No. 99, Level 54, One One One Eagle Street, Brisbane, Queensland, Australia