Cybercrime & financial fraud: the new reality


Cybercrimes come in all shapes and sizes. They vary in sophistication, but the most common types of cybercrime giving rise to civil liability are those that involve emails being intercepted and bank account details being changed or manipulated.

In our experience, cybercrimes typically involve fraudsters hacking into email accounts and monitoring those accounts, often over many weeks or months, waiting for an opportunity to arise.

When the sender (usually a business) sends the recipient (usually a customer) an invoice or bank account details with a payment request, fraudsters intercept the email and change the bank account details, usually substituting an account set up by the fraudsters with a name similar to the genuine account. Payment is made into the fraudulent bank account and the monies are then transferred to another account, often outside the UK.

So where does liability ultimately fall?

In this scenario, the bank (provided it has not been negligent in some way) tends to escape liability on the basis that it has simply made the payment on the payer’s instructions.

The first point to ascertain is whose email account or computer system was hacked. Whilst both parties are likely to contest liability for the data breach and any subsequent losses, suitably qualified experts can evidence this.

If the business’s email account was hacked, it could be argued that:

  • the contractual relationship between the parties implies that the business has adequate protection against third-party breaches of its IT system for the ultimate benefit of its customers; and/or
  • the business owes a duty of care to implement a secure IT system for its customers and that, assuming it was at fault for the IT system being compromised, it caused the customer’s immediate and its own ultimate loss.

The next question is this: did the customer take sufficient steps to confirm the accuracy of the invoice/account details before making payment?

If the customer is a regular customer, they will have made previous payments to the business, in which case the customer should be extremely cautious if account details suddenly change, particularly where large payments are concerned. Businesses generally don’t change their banking arrangements regularly.

Account details should always be verified verbally over the telephone with the individual handling the matter or someone in the finance team before making payment.

If the customer makes payment to the new account details without verbally verifying those details, the customer could be liable, even if it transpires that the business’s email account has been hacked.

Clearly all cases of cybercrime are fact specific, but cyberattacks can cause financial damage, a breach of data protection laws and reputational damage. Businesses of all sizes should therefore prioritise cybersecurity on their risk registers.
