Business Email Compromise: Whose Fault Is It Anyway?

Business email compromise is a growing problem for Australian businesses. Who is at fault (or, put another way, liable) when a business' email system is compromised by hackers, bank details are manipulated and a customer pays money to the hacker rather than to the business? Let's take a look.

Author: Farrah Motley, Solicitor of the Supreme Court of Queensland, Australia

Business Email Compromise

The Problem of Business Email Compromise

Since the start of the global COVID-19 pandemic, attacks on, damage to and unauthorised access of information and technology systems have significantly increased. Jürgen Stock, the INTERPOL Secretary General, has been quoted as saying:

“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”

And it is not slowing down: cybercrime is expected to keep increasing.

Ms Abigail Bradshaw, Head of the Australian Cyber Security Centre has said “In 2019-20 financial year there were 4,255 reports of BEC scams reported through the ACSC’s ReportCyber tool, representing losses of over $142 million.”

For more information on cybercrime in Australia, follow this link.

What is Business Email Compromise?

Also on the rise are incidents of business email compromise (also called email account compromise or email compromise fraud), a subset of cybercrime. Business email compromise is the abuse of trust in a business' email systems to procure the transfer of data or money, whether by social engineering, hacking or spoofing. You can find out more about the IT jargon here.

So, who is at fault - or, to put it another way - who bears the loss if a hacker fraudulently intervenes in a legitimate business transaction between two innocent parties and one of those parties suffers loss?

Email accounts whose addresses are publicly known (usually belonging to employees who have authority to receive or make payment transfers) are either spoofed (the attacker sends mail that merely appears to come from the account, typically from a forged sender address or a lookalike domain) or genuinely compromised, most often through keyloggers (programs that record every keystroke made by a computer user in order to capture passwords and other confidential information) or phishing attacks (fraudulent communications that appear to come from a reputable source and trick the user into handing over their credentials). The attacker then inserts fraudulent bank details into an otherwise legitimate payment conversation, resulting in loss to the unwitting victim(s).

Because the attacker usually reads the mailbox to learn about pending transactions before striking, business email compromise is generally also accompanied by a data breach.

The Law

To answer this question, we must turn to the law of negligence and determine:

  1. was a duty of care owed from one party to the other?

  2. did that party fail to exercise their duty of care?

  3. as a result of that failure, did the other party suffer loss or damage?

Now let's look at how these concepts are dealt with in the context of business email compromise in Australia.

Unfortunately (or fortunately [insert groundbreaking legal opportunity here]), there is very little in the way of legal precedent in Australia. Currently, there is a matter before the Victorian Supreme Court involving Mills Oakley Lawyers. This incident allegedly involved a hacker pretending to be Mills Oakley's client, Mr Chua, requesting the transfer of settlement funds to an overseas bank account. Mills Oakley transferred the sum (to the tune of nearly $1 million) to the hacker's account. More information about the case is available here.

In any event, the case isn't settled. The dearth of legal precedent continues.

A long time ago in a galaxy far, far away...

there might be some legal precedent that can answer the question...

[vague Star Wars reference]

BUT - we have the shining beacon of our 16th century cause of action - the tort. Specifically, negligence may offer a remedy to... drum roll... the customer. Also, State and Territory legislatures have somewhat codified (I say "somewhat" because the various legislation goes to pains to state that it is not intended to codify) the law of negligence in their respective Civil Liability (and equivalent) Acts.

Taking Queensland as an example, the Civil Liability Act 2003 (Qld) states that (in summary):

  1. you need to establish that the other party (in this context, the business) failed to take precautions against a risk that was foreseeable, not insignificant and one that, in the circumstances, a reasonable person would have taken precautions against;

  2. that last element (the "reasonable person" test) requires that the reasonable person would have taken into account the probability and likely seriousness of the loss or damage, the burden of taking precautions and the social utility of the thing that gave rise to the risk of loss or damage;

  3. in deciding whether a breach caused the particular loss or damage, it needs to be established that the breach was a necessary precondition of the loss or damage and that it's appropriate for the scope of liability of the person in breach to extend to the loss or damage;

  4. if the case is exceptional (which, given the dearth of legal precedent, one may argue is the case), whether or not and why the party in breach should be held liable; and

  5. always, the onus of proof rests with the plaintiff (in this context, the customer) to establish on the balance of probabilities (i.e. more likely than not) the facts giving rise to the cause of action.

"In a dark place we find ourselves, and a little more knowledge lights our way"

[Quote: Yoda]

If we apply the law of negligence to business email compromise, a business owes its customers and suppliers (and others who could foreseeably suffer a loss) a duty of care and must take reasonable steps to avoid business email compromise hacking scams. For a business to do this, it must ensure that it is aware of the risks that may come from cybercriminal activity and business email compromise. In the face of the increasing sophistication of cyber attacks and cybercriminal activity, businesses cannot afford to become complacent.

It is important for businesses to put procedures and systems in place to ensure the business is less likely to be a victim of cybercrime and business email compromise. If a business fails to do this, it may breach its duty of care owed in negligence to its clients and suppliers and a court may find that the business is liable for the damage caused by cybercriminal behaviour due to the negligence in failing to safeguard the business from the cybercriminal activity.

What to do if you are a Victim of Business Email Compromise

If you or your business have been the victim of a business email compromise scam, you should:

  • (either yourself or through a third party, such as CIA Solutions) conduct a forensic examination of the email headers and log files needed to prove the email fraud

  • negotiate with the likely source of the scam, which is usually a solicitor, a real estate agent, a conveyancer or some other business that has requested payment into its business bank account

  • failing negotiation, commence proceedings against the likely source of the business email compromise scam (this will enable you to utilise the court's discovery processes and compel the other party to disclose documents and other records)

  • engage a well-known forensic IT expert to give an expert opinion on the business email compromise scam, such as Schatz Forensic Digital Evidence Experts.
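The first step above, examining the headers, is also how you tell the two attack types described earlier (a spoofed sender versus a genuinely compromised account) apart. The script below is an added example, not code from the article or from any of the firms it names. It triages a raw message by checking whether the From domain is a lookalike of a trusted domain, whether Reply-To or Return-Path divert traffic elsewhere, and what SPF/DKIM/DMARC verdicts the receiving mail server recorded. The two sample messages are constructed; every domain, host and IP address is a placeholder, and TRUSTED_DOMAINS is an assumed list of the genuine counterparty's domains.

```python
"""Header triage of a suspect payment-redirection email (added example)."""
import difflib
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

TRUSTED_DOMAINS = {"examplelaw.com.au"}  # assumption: the real counterparty's domain


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if trusted/unrelated."""
    if not domain or domain in trusted:
        return None
    for t in trusted:
        if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8:
            return t
    return None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts stamped by the receiving mail server."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    reply_to = [a for _, a in getaddresses([str(h) for h in msg.get_all("Reply-To", [])])]
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    auth = auth_results(msg)
    findings = []

    target = lookalike(from_dom)
    if target:
        findings.append(f"From domain {from_dom} is a lookalike of {target}")
    for addr in reply_to:
        if _domain(addr) != from_dom:
            findings.append(f"Reply-To {addr} diverts replies away from {from_dom}")
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path {return_path} does not match the From domain")
    if not auth:
        findings.append("no Authentication-Results: SPF/DKIM/DMARC were not evaluated")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "pass") != "pass":
            findings.append(f"{mech}={auth[mech]} at the receiving server")
    # Each hop prepends a Received header; reversing gives transit order, so the
    # first entry is the host the receiver actually accepted the message from.
    hops = [str(h) for h in reversed(msg.get_all("Received", []))]

    if target or auth.get("dmarc") == "fail":
        verdict = "spoofed"
    elif findings:
        verdict = "suspicious"
    else:
        # Clean headers do not clear the sender: if the bank details are still
        # wrong, suspect a compromised mailbox and pull its sign-in/inbox-rule logs.
        verdict = "authenticated"
    return {"from": from_addr, "verdict": verdict, "findings": findings, "hops": hops}


# Constructed sample 1: lookalike domain, replies diverted, authentication failed.
SPOOFED = b"""\
Return-Path: <bounce@bulk-mailer.example>
Received: from mx1.bulk-mailer.example (mx1.bulk-mailer.example [203.0.113.7])
 by mail.customer.example; Mon, 1 Mar 2021 10:00:01 +1000
Authentication-Results: mail.customer.example;
 spf=fail smtp.mailfrom=bulk-mailer.example;
 dkim=none;
 dmarc=fail header.from=examplelaw-com.au
From: "Settlements Team" <settlements@examplelaw-com.au>
Reply-To: settlements.team@webmail.example
To: client@customer.example
Subject: Updated trust account details for settlement

Please note that our trust account details have changed. Remit funds to the new account.
"""

# Constructed sample 2: genuine domain, every check passes. A wrong account number
# in a message like this points to a compromised sender mailbox, not spoofing.
GENUINE = b"""\
Return-Path: <settlements@examplelaw.com.au>
Received: from mx.examplelaw.com.au (mx.examplelaw.com.au [198.51.100.5])
 by mail.customer.example; Mon, 1 Mar 2021 10:05:00 +1000
Authentication-Results: mail.customer.example;
 spf=pass smtp.mailfrom=examplelaw.com.au;
 dkim=pass header.d=examplelaw.com.au;
 dmarc=pass header.from=examplelaw.com.au
From: "Settlements Team" <settlements@examplelaw.com.au>
To: client@customer.example
Subject: Settlement funds

Settlement is scheduled for Friday.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, triage(raw))
```

Run it against the raw .eml of the fraudulent message (most mail clients can export one) and the first Received hop plus the Authentication-Results line are the two items a forensic expert will ask for. The "authenticated" verdict is the important caveat: a compromised mailbox sends mail that passes every header check, so proving that case depends on the sender's own sign-in and mailbox audit logs, which is one reason the discovery process in the step above matters.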

How to Avoid Business Email Compromise?

You can reduce the risk of business email compromise by ensuring you have robust security and IT systems in place. However, this sometimes isn't enough to prevent stealthy and expert hackers from gaining access to your business' emails.

In that case, you should seriously consider investing in cyber insurance. Although the premiums can be costly, it is often worth every penny: not only can the insurance make you whole, but you can pass the benefit on to a customer who may also have fallen victim, keeping that customer happy and preventing negative reviews of your business.

If your business is compromised despite these measures, it is possible that the cybersecurity system installed at your workplace has failed, or that the cybersecurity expert engaged to monitor your systems and alert you to an issue has failed to do their job. If so, your business may have a case against the company that installed your cybersecurity system or against the relevant software company.

How can we help?

Prosper Law is managed by Farrah, an expert business lawyer based in Brisbane. Farrah helps businesses with commercial and legal issues, right across Australia. Farrah has experience dealing with matters involving business email compromise. Contact Farrah using the details below and arrange a free consultation with a business lawyer to discuss your legal matter today.

Author: Farrah Motley | Legal Principal

PROSPER LAW - A Law Firm for Businesses

M: 0422 721 121
