Business Email Compromise (BEC) Scams – Who is Responsible?


Written by: Natashia Blank, Litigation Solicitor

A Business Email Compromise (BEC) scam is when a scammer intercepts emails between businesses and their customers to alter bank details and redirect payments.

Allocating responsibility for lost funds in BEC scams will depend on whether the compromised email was ‘spoofed’ or ‘hacked’.

As a starting point, the party who made the payment to the fraudulent account remains liable to pay the other party for the debt owed. This is because payment is not considered complete unless it is received by the proper recipient.

 


Difference Between Spoofing and Hacking

Spoofing is when cybercriminals mimic a legitimate email address to deceive the recipient. In such cases, the business may not be held liable if customers fall victim to fraudulent transactions.

Hacking involves unauthorised access to a business’s email or IT systems. Here, the business may be accountable for losses suffered by customers due to compromised security.

Spoofing = Customer Responsibility

While the onus is on businesses to prevent hacking scams, customers are responsible for ensuring they do not become the victim of a spoofing email.

 

Factory Direct Fencing Pty Ltd v Kong AH International Company Limited

In Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239, the court held, in relation to a ‘spoofing’ scam, that a customer bears responsibility to verify payment details, particularly if they change.

In that case, Factory Direct Fencing Pty Ltd (Factory Direct) ordered goods from Kong AH International Co Ltd (Kong), paying a 30% deposit. The goods were shipped, and Kong issued an invoice to Factory Direct for the remaining 70%. A scammer intercepted the emails between the parties, sending Factory Direct a fake invoice with altered bank details.

Factory Direct attempted to pay the fraudulent account, and when Kong did not receive the payment, it refused to release the goods to Factory Direct. Factory Direct sued Kong for breach of contract.

The Court ruled in favour of Kong, stating that Factory Direct had not made payment to the correct account despite being on notice that the change in payment details was unusual. In fact, the bank initially declined the transfer because the payee details did not match the account number, before Factory Direct amended the payee details with the scammer's nominated entity.

Ultimately, the court found that Factory Direct’s loss was brought about by its repeated failure to verify the changes directly with Kong.

Hacking = Business Responsibility

Businesses owe a duty to their customers to implement reasonable cybersecurity measures to mitigate risks posed by cybercriminal activities. If a business fails to have appropriate safeguards in place to prevent hacking, it may lose its right to seek payment from a customer that has been scammed because of that failure.

To combat BEC hacking and other cyber threats, businesses must implement adequate cybersecurity measures. What is adequate will depend on the size and nature of the business.

 

Minimum adequate cybersecurity measures

At a minimum, cybersecurity measures include:

  • Having robust email security protocols in place that all employees are bound to follow
  • Informing clients that banking details will never change
  • Educating employees on cyber security and fraud prevention
  • Investing in cyber insurance to mitigate financial losses from cyber incidents

Due Diligence for Customers and Businesses

While customers often bear the primary responsibility for verifying payment details, businesses have a duty of care to implement reasonable cybersecurity measures. The specific circumstances of each case will determine liability.

Get Trusted Legal Advice

For trusted advice on Business Email Compromise Scams (BEC), contact the experienced Litigation team at Greenhalgh Pickard. Our Litigation experts can guide you through the complexities of legal disputes and litigation.

Disclaimer: The information contained in this newsletter is provided for informational purposes only and should not be construed as legal advice on any subject matter. Readers should not act or refrain from acting on the basis of any content included in this newsletter without seeking appropriate legal or other professional advice. The content of this newsletter contains general information and may not reflect current legal developments, verdicts, or settlements. We expressly disclaim all liability in respect to actions taken or not taken based on any or all the contents of this newsletter.
