Why you should not be the victim when a business falls for e-mail fraud
Large companies often refuse to accept liability for failing in their duty of care when e-mail accounts are hacked
All companies have a duty of care to act with diligence when making payments, especially when they receive notice of a change in the bank account details of a supplier or contractor, since this is a well-known source of scams.
Yet after impersonation fraud, also known as business e-mail compromise (BEC), large corporates often refuse to accept liability for failing in their duty of care.
BEC takes place when a fraudster hacks into a corporate e-mail account and impersonates the real owner of the account to con the company into sending money to the fraudster’s bank account.
According to US software company Digital Guardian, while anyone in a company can be targeted in such a scam, high-level executives and people working in the finance department are the most likely targets.
Earlier this year IT security company Mimecast reported that BEC fraud increased 30% in the first 100 days of the Covid-19 outbreak. So you would expect large corporates to be on high alert for this type of fraud. But apparently not.
In August one of SA’s biggest retailers became a victim of BEC fraud when it received an e-mail ostensibly from a contractor giving notice of a change in his banking details. Though this sensitive e-mail appears to have been sent from the contractor’s regular e-mail address, it was sent an hour after the contractor had submitted his invoice and the “new” bank account is not in his name but is a permutation of his name, which is misspelt.
But this went unnoticed and no-one from the company phoned the contractor to authenticate the instruction. So his salary was paid into a fraudster’s bank account.
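The red flags in this case (a bank-detail change arriving an hour after the invoice, a new account holder whose name is a misspelt permutation of the contractor's, and no callback) are exactly the checks a payments desk can automate. The following is an added illustration, not code from the article or from any company it describes; the supplier, dates and account-holder names are constructed sample data, and the similarity thresholds are assumptions a team would tune to its own supplier file.

```python
"""Red-flag checks for a supplier 'change of bank details' request.

Added illustration, not code from the article. All names, dates and the
callback number below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Supplier:
    name: str              # name as held in the supplier master file
    account_holder: str    # holder of the last verified bank account
    callback_phone: str    # number from the master file, never from the e-mail


@dataclass(frozen=True)
class BankChangeRequest:
    supplier_name: str
    new_account_holder: str   # holder claimed for the new account
    received_at: datetime
    last_invoice_at: datetime  # when this supplier's most recent invoice arrived


def _tokens(name: str) -> list[str]:
    """Lower-case, strip punctuation and sort the words, so re-ordered names compare equal."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in name.lower())
    return sorted(cleaned.split())


def name_similarity(a: str, b: str) -> float:
    """1.0 when both names hold the same words in any order; lower as spellings drift apart."""
    return SequenceMatcher(None, " ".join(_tokens(a)), " ".join(_tokens(b))).ratio()


def red_flags(req: BankChangeRequest, supplier: Supplier,
              invoice_window: timedelta = timedelta(hours=2),   # assumed threshold
              near_match: float = 0.8) -> list[str]:            # assumed threshold
    """Reasons this request must be held and verified by phone before any payment moves."""
    flags: list[str] = []
    sim = name_similarity(req.new_account_holder, supplier.account_holder)
    if _tokens(req.new_account_holder) != _tokens(supplier.account_holder):
        if sim >= near_match:
            flags.append(f"new account holder is a near-match of the supplier's name "
                         f"(similarity {sim:.2f}); possible misspelt permutation")
        else:
            flags.append("new account holder does not match the supplier's name")
    gap = req.received_at - req.last_invoice_at
    if timedelta(0) <= gap <= invoice_window:
        flags.append(f"change request arrived {gap} after the supplier's invoice")
    return flags


def decide(req: BankChangeRequest, supplier: Supplier) -> str:
    """Flagged requests are escalated; even clean ones still need a callback to the number on file."""
    return "HOLD_AND_CALL_BACK" if red_flags(req, supplier) else "VERIFY_BY_CALLBACK"


if __name__ == "__main__":
    # Constructed sample mirroring the article: invoice at 09:05, change request at 10:05,
    # new account in a misspelt, re-ordered version of the contractor's name.
    contractor = Supplier("Johan van der Merwe", "Johan van der Merwe", "+27-00-000-0000 (placeholder)")
    request = BankChangeRequest("Johan van der Merwe", "Van Der Merve Johan",
                                datetime(2020, 8, 3, 10, 5), datetime(2020, 8, 3, 9, 5))
    for flag in red_flags(request, contractor):
        print("FLAG:", flag)
    print("decision:", decide(request, contractor), "-> phone", contractor.callback_phone)
```

The callback number comes from the supplier master file, never from the e-mail that requests the change, since a compromised mailbox can supply a fraudster's number just as easily as a fraudster's account.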
As soon as it became apparent what had happened, the bullying began. Sorry for you, the employer told the contractor, your e-mail was compromised and false information was provided to us “which caused a payment on a fraudulent basis into another account”. You need to report the fraud to the police. In other words, it’s your fault. You were defrauded, the employer said.
“The law is trite and stipulates that if payment is not received, the onus is on the debtor to prove payment.” - Mark Heyink
But when he reported the case to the police, the contractor was told he shouldn’t be reporting it since he wasn’t defrauded, his employer was.
Having worked for the company for the past 30 years, he doesn’t want to name and shame the company. He’s hoping the matter can be amicably resolved possibly with the help of an independent mediator.
In this case, the employer apparently has an extremely weak case:
- It owns the computer used by the contractor and it is responsible for the maintenance and security of software installed on the computer;
- The contractor uses an e-mail address which is controlled by the employer;
- The week before the breach occurred, he was required to send the computer in for maintenance. He says it can’t be ruled out that it was at that time that malware necessary to perpetrate the breach may have been installed on the computer he uses; and
- Despite repeated requests, the company has failed to produce the full or unabridged mail header, which provides a detailed log of the network path taken by the message between the mail sender and the receiver.
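The unabridged header matters because every mail server that handles a message prepends its own Received: line, so reading the lines bottom-up reconstructs the path the message took. The following is an added illustration, not code from the article or from any party to the dispute; the raw message, host names, addresses and timestamps are constructed placeholders, and the payer's domain is an assumption.

```python
"""Reconstruct the hop-by-hop path of an e-mail from its full Received: headers.

Added illustration, not code from the article. The message below is constructed;
every host name, IP address and timestamp is a placeholder.
"""
import email.policy
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed full header block. Each mail server prepends its own Received: line,
# so the top line is the final hop and the bottom line is the first.
RAW_MESSAGE = """\
Received: from mx.payer.example (mx.payer.example [192.0.2.10])
\tby mailstore.payer.example with ESMTP id abc123;
\tMon, 3 Aug 2020 10:05:12 +0200
Received: from mail.contractor-isp.example (mail.contractor-isp.example [198.51.100.7])
\tby mx.payer.example with ESMTPS id def456;
\tMon, 3 Aug 2020 10:05:10 +0200
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby mail.contractor-isp.example with ESMTPSA id ghi789;
\tMon, 3 Aug 2020 10:05:03 +0200
From: contractor@contractor-isp.example
To: payments@payer.example
Subject: Change of banking details
Date: Mon, 3 Aug 2020 10:05:00 +0200

Please update my bank account details as attached.
"""

# "from <host> ... by <host>" is the common shape of a Received: clause.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.DOTALL)


def parse_hops(raw: str) -> list[dict]:
    """Return the hops in chronological order (earliest first)."""
    msg = message_from_string(raw, policy=email.policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom-up = chronological
        text = " ".join(str(value).split())                # unfold and normalise whitespace
        match = HOP_RE.search(text)
        if not match:
            continue
        when = None
        if ";" in text:                                     # timestamp follows the last ';'
            try:
                when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({"from": match.group("from"), "by": match.group("by"), "when": when})
    return hops


def _in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def split_by_trust(hops: list[dict], own_domain: str) -> tuple[list[dict], list[dict]]:
    """Only lines written by your own servers ('by' host in own_domain) can be vouched for.
    Everything earlier was written by hosts outside your control and could be forged."""
    first_own = next((i for i, h in enumerate(hops) if _in_domain(h["by"], own_domain)), len(hops))
    return hops[:first_own], hops[first_own:]


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    untrusted, trusted = split_by_trust(hops, "payer.example")   # assumed payer domain
    for hop in hops:
        tag = "trusted  " if hop in trusted else "unverified"
        print(f"{tag} {hop['when']:%H:%M:%S}  {hop['from']:40} -> {hop['by']}")
```

The earliest line, written by the contractor's provider, records the address from which the message was submitted; in a mailbox-compromise case that is the line an investigator most wants, and it only survives if the recipient keeps and produces the full header rather than the abridged view a mail client shows.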
Mark Heyink, an attorney who specialises in information security law, says the company cannot escape liability in the absence of it showing that the contractor was a party to the fraud.
“Quite simply the payment due to him has not been received and he has done nothing to prevent payment, nor can it be said that he has been negligent in not receiving payment. The law is trite and stipulates that if payment is not received (easily proved by reference to the relevant bank accounts), the onus is on the debtor to prove payment,” he says.
Even if there was negligence on the part of the contractor, Heyink says the cause of the loss was the payment by the employer into a bank account controlled by the fraudsters and not to the contractor. “This is a classic BEC which has been around for several years already and banks have expressly warned payers to take care in making payments and to verify that bank accounts of payees are correct,” he says.
He says for the company to allege that it’s not liable is disingenuous and smacks of the type of bullying behaviour that many large organisations indulge in when dealing with claims made by the man in the street.
“[The legal route] is risky. It’s like suing your spouse, which is demonstrative of the relationship being over.” - Brendan Guy
There is case law that sets a precedent for parties “mixed up” in a cybercrime, even unknowingly, to provide the victim with information relating to the crime that they may have in their possession.
The contractor’s contention is not that he is a victim of cybercrime, but rather a victim of the wrongful and unlawful behaviour by his employer in not paying him when it became a victim of cybercrime, and attributed the blame for the loss to him.
Labour lawyer Brendan Guy says that though the protection provided by our labour law extends to employees only, the Commission for Conciliation, Mediation and Arbitration (CCMA) is likely to consider this contractor an employee based on the nature of the relationship.
The problem, however, is that even if deemed an employee, he earns above the CCMA threshold of R17,120, which will lead to the matter being referred to the labour court. Therefore, he has to rely on a legal claim against the employer, the cost of which is prohibitive.
It’s also risky, Guy says, because it’s like suing your spouse, which is demonstrative of the relationship being over. If you want to continue the relationship, you don’t want to litigate.
“It’s a terrible shock,” says the contractor. “I have responsibilities. We need to live. I’ve worked for that money. It’s important to me that I am treated in a just and fair manner. I’m a long-time and loyal employee,” he says.