0370 1500 100

Online payments always carry a risk – but hackers have developed a new type of scam that all manufacturers must be mindful of. 

Paranoid, or justified?

Nathan Blecharczyk, the American billionaire and co-founder of Airbnb, is quoted as having said that, “with commerce comes fraud.” Sadly, this appears to be universally true and, despite the commonly held belief that we can rely on the security of our trusty email accounts, the reality is that this level of paranoia may be justified.

In a society that’s more dependent on technology than ever before, countless businesses are falling victim to the latest trend in the scam operations of online hackers. Moving away from more ‘traditional’ operations, these online con-artists have taken to the interception of emails containing payment details that are routinely sent between businesses. Once in possession of such an email, the hacker replaces the intended recipient’s bank details for the hacker’s own, which then leads to the victim unwittingly transferring their payment of a legitimate invoice directly into the hacker’s bank account.

In the majority of cases, the money transferred to the hacker cannot be recovered. Furthermore, the original invoice remains unpaid and the victim of the fraud is still legally liable for payment.

The recent decision of J Brazil Road Contractors v Belectric Solar Ltd [2018] (Case No: C1EQ331C2 County Court at Canterbury 22 January 2018 WL
01993147) demonstrates the position and is one of only a few reported cases on this type of fraud (despite the frequency of its occurrence).

The customer received an invoice from their contractor but, unbeknown to the customer, the contractor’s email account had been hacked. The payment details on the contractor’s invoice were changed and sent to the customer on a separate email from the same email account by the hacker. Relying on the payment information they’d received, the customer subsequently paid the invoice amount to hacker and not the contractor. Due to non-payment, the contractor later made a claim against the customer for the full amount of the invoice which, in the view of the contractor, remained outstanding.

The customer argued that they were entitled to rely on the instructions for payment as stated on the email from the contractor’s email address, and that the law of agency applied.

The Court found that both parties were innocent victims of the scam but, nevertheless, held that the customer remained liable for payment of the invoice. The customer appealed but the case was dismissed.

In dismissing the appeal, the appellate judge commented that the law of agency didn’t apply in these circumstances. Furthermore, whilst estoppel wasn’t pleaded, in order for an estoppel argument to succeed there must exist a representation by words or conduct of the payee that the content of its email was secure.

What should you take away from this judgement?

Despite being the innocent victim of a crime, if you’re duped by fraudulently amended payment details it’s unlikely that the Courts will release you from your obligations to make payment on the terms agreed between you and a third party. You should therefore exercise caution and be mindful of the fact that email accounts are not secure (unless otherwise stated) and are susceptible to hacking.

Protection to be introduced by banks to combat fraud

As recently as October 2018, The Guardian reported that in an attempt to, “halt the rising tide of bank transfer fraud,” many (but not all) UK banks will soon begin to check the names of UK bank customers against the name on their bank account when money transfers are made. Effectively this will close the current procedural loophole whereby banks only verify the payee’s account name, account number and sort code; any disparity between the payee’s account name against the payee’s name is not currently checked.

The new “confirmation of payee” system requires customers to confirm that the identity of the recipient is correct in the event that the name of the payee and the name of the payee’s bank account do not match. This welcome innovation presents a further impediment to the fraudsters and will, hopefully, lead to a sharp decline in the incidence of such cases.

Tips for customer protection

  1. Consider the circumstances of the email. Was an invoice expected at this stage? Have the payment details changed without notice? If so, contact the individual/business directly over the phone to confirm the payment details are correct
  2. Insist that payment information is sent via a secured or encrypted email
  3. Always exercise caution when dealing with the transfer of money.