WTF – I’ve been scammed, can I recover my loss from the counterparty?
Apr 2023 | Litigation & Dispute Resolution | Cyber Risk
Wire Transfer Fraud (WTF), also commonly known as Business Email Compromise (BEC), typically involves a third party (the fraudster) infiltrating the IT systems of a business and waiting for the opportune moment to trick an unknowing recipient into giving money or sensitive information to the fraudster rather than the intended party.
BEC can be difficult for the victim to detect, as the fraudster will often employ language and details specific to the parties involved in the legitimate transaction. In the 2022 financial year, Australians reported losses of more than $98 million as a result of BEC, with only a fraction being recovered.
Whether you can recover the loss
Recovering lost funds is fraught with difficulties. This is especially so in circumstances where both parties to the transaction may be victims, i.e. where the payor has paid funds to the fraudster, and where the intended payee has not received payment (usually for goods or services already supplied).
The ability to recover lost funds from cybercriminals themselves is limited, and largely depends on banking institutions and police action.
As to the scope for recovery from the other party to the transaction, this turns on the particular facts of the fraud and any relevant contractual terms (including provisions that may allocate the risk of BEC).
Some preliminary judicial guidance
At the time of writing, there have not been any decisions of a superior court offering definitive guidance as to when recovery from a counterparty to a transaction may be possible.
In Arrows Truck Sales v Top Quality Truck & Equipment Inc 2015 WLD 4936272, the United States District Court applied a principle from banking cases that ‘the party who was in the best position to prevent the forgery by exercising reasonable care suffers the loss.’ However, this test has not been adopted in Australia, and it may also be difficult to apply in practice.
Recently, in a decision of the New Zealand Disputes Tribunal (QL v GT Ltd  NZDT 129), the Tribunal found in favour of a consumer, who was not required to make the payment a second time. In this decision:
- A consumer (QL) engaged GT Ltd (GT) to undertake some carpeting at her home.
- An initial quote was sent, following which the scope of the work changed and QL sent an email requesting a requote (i.e. the opportune moment).
- The fraudster stepped in and sent an email to QL, using GT’s email address and signature, stating that it was updating its payment system, with a later email providing the ‘bank details’ for GT (the BEC).
- QL paid $5,007.83 (being a 50% deposit for the work) to the account in the BEC email.
- Five days later, GT’s bank contacted QL to inform her that GT’s email had been compromised and that the funds could not be recovered.
- GT sought the 50% deposit from QL, following which QL sought declaratory relief that she was not liable to pay.
- In finding in QL’s favour, the Tribunal recognised that the law was unclear and still developing. However, it considered that:
  - A business in GT’s position has a duty to be aware of BEC and to take precautions against it and/or to warn customers.
  - This duty arises out of s28 of the Consumer Guarantees Act 1993, which requires services supplied to a consumer to be provided with reasonable care and skill.
  - GT’s cybersecurity is entirely within its, rather than its customers’, control and knowledge.
  - The fraud email involved hacking, rather than spoofing, making it more difficult for QL to detect.
  - GT chose to send its quotations by email, which could be considered as a representation that its email is secure.
  - A consumer cannot be expected to have the same awareness of BEC as businesses might. The Tribunal was not persuaded that one of the emails from the fraudster should have rung alarm bells and caused QL to call GT to confirm the details. It did, however, note that if the fraud email had been more like many unsophisticated spam emails (full of spelling and grammatical errors and devoid of personal detail), the outcome may have been different.
  - The small amount of money involved meant that QL could be less vigilant.
  - Businesses are in a better position than consumers to insure for the risk of BEC fraud.
In a world where many business communications occur via email, we would be surprised if a superior court would find that the mere sending of a quote amounts to a representation as to the security of the email system itself.
The outcome in that decision can be contrasted with a decision of the ACT Civil & Administrative Tribunal in The Trustee for the DRB Group ACT Trust v Canberra Hydraulic Engineering Services  ACAT 30, in which it was held that responsibility for correct payment of a debt rests with the payor, and the payor was ordered to pay the funds a second time. In this decision:
- The respondent agreed to purchase a machine from the applicant, with collection of the machine occurring after receipt of payment.
- The applicant’s MYOB accounting system sent an email to the respondent on 24 March 2021 at 3.11pm (i.e. the opportune moment). However that email was not received by the respondent.
- Rather, on the following morning at 7.34am, the respondent received an email (which was not sent from the applicant’s MYOB system) attaching an invoice for $5,829 and with the fraudster’s bank details (the BEC). Payment was made to the fraudster’s account.
- The applicant, having never received the payment, and after the respondent’s bank indicated it was unable to recover the funds, sought orders for the debt to be paid.
- Both parties agreed the invoice was intercepted and altered by a third party; however, there was no evidence to determine how or when this occurred.
- Importantly, this decision was concerned with a debt claim, and the only defence available was to prove payment by discharge.
- Based on the evidence before it, the Tribunal accepted that:
  - the applicant did not send the BEC invoice;
  - the BEC email was the doing of a third party intercepting the legitimate email from the applicant (although there was no evidence as to which system was compromised); and
  - the respondent had no reason to question the BEC invoice, and the arrival of an invoice was anticipated.
- The Tribunal found that the responsibility for correct payment rested with the respondent, and it was incumbent upon the respondent to exercise care in ensuring payment was made. It held that as the money was paid into an account that did not belong to the applicant, it remained unpaid.
What can you do?
Ensuring your IT systems are up to date and that your company follows the ACSC’s Essential Eight are great places to start. However, relying on technology alone will not provide 100% protection.
Training employees, and ensuring that appropriate policies are in place (such as confirming account details via phone on an independently verified number before payment is made) are also important tools in the battle against BEC.
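The callback policy described above can be enforced in the accounts-payable workflow rather than left to memory. The following is an added example, not code from the article or from any of the businesses it discusses: a payment-release gate holds any invoice whose bank details differ from the vendor master record until the change has been confirmed by phone on the number recorded at onboarding, and it refuses to accept a confirmation made on a number that is not the recorded one (such as one supplied in the suspicious email itself). The vendor names, account numbers and phone numbers are constructed sample data; the class and function names are the example’s own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VendorRecord:
    """Bank details and contact number verified at onboarding (the vendor master file)."""
    name: str
    bsb: str
    account: str
    verified_phone: str  # recorded independently; never taken from an invoice or email


@dataclass(frozen=True)
class Invoice:
    """Bank details as they appear on an invoice received by email."""
    vendor: str
    bsb: str
    account: str
    amount: float


@dataclass
class Decision:
    release: bool
    reasons: list[str] = field(default_factory=list)
    callback_number: str | None = None  # the number to dial when a hold is placed


def _digits(value: str) -> str:
    """Compare identifiers on digits only, so '062-000' and '062000' are the same BSB."""
    return re.sub(r"\D", "", value)


class PaymentGate:
    def __init__(self, vendor_master: list[VendorRecord]) -> None:
        self._master = {v.name: v for v in vendor_master}
        # (vendor, bsb, account) tuples confirmed by callback on the recorded number
        self._verified_changes: set[tuple[str, str, str]] = set()

    def assess(self, inv: Invoice) -> Decision:
        rec = self._master.get(inv.vendor)
        if rec is None:
            return Decision(False, ["vendor not in master file; onboard and verify before paying"])
        key = (inv.vendor, _digits(inv.bsb), _digits(inv.account))
        if key[1:] == (_digits(rec.bsb), _digits(rec.account)):
            return Decision(True, ["bank details match the verified vendor record"])
        if key in self._verified_changes:
            return Decision(True, ["changed bank details confirmed by callback on recorded number"])
        return Decision(
            False,
            ["bank details differ from the verified record; confirm by phone before paying"],
            callback_number=rec.verified_phone,
        )

    def record_callback(self, inv: Invoice, number_dialled: str, confirmed: bool) -> bool:
        """Record the outcome of a phone check. Returns False if the check does not count."""
        rec = self._master.get(inv.vendor)
        if rec is None or _digits(number_dialled) != _digits(rec.verified_phone):
            return False  # a number from the suspicious email is not an independent check
        if not confirmed:
            return False  # vendor did not confirm the new details; keep the hold in place
        self._verified_changes.add((inv.vendor, _digits(inv.bsb), _digits(inv.account)))
        return True


# Constructed sample data (not real vendors, accounts or numbers).
VENDOR_MASTER = [VendorRecord("Example Carpets Pty Ltd", "062-000", "12345678", "+61 2 0000 0000")]
GENUINE_INVOICE = Invoice("Example Carpets Pty Ltd", "062000", "12345678", 5007.83)
ALTERED_INVOICE = Invoice("Example Carpets Pty Ltd", "999-999", "00000000", 5007.83)


def demo() -> list[Decision]:
    """Walk one altered invoice through hold, rejected callback, and accepted callback."""
    gate = PaymentGate(VENDOR_MASTER)
    first = gate.assess(ALTERED_INVOICE)                       # held: details changed
    gate.record_callback(ALTERED_INVOICE, "+61 2 9999 9999", True)  # ignored: wrong number
    second = gate.assess(ALTERED_INVOICE)                      # still held
    gate.record_callback(ALTERED_INVOICE, "+61 2 0000 0000", True)  # accepted: recorded number
    third = gate.assess(ALTERED_INVOICE)                       # released
    return [first, second, third]


if __name__ == "__main__":
    for d in demo():
        print("RELEASE" if d.release else "HOLD", d.reasons, d.callback_number)
```

The design point is that the gate only ever hands the operator the number held in the master file, and it only records a confirmation made on that number, so an account-change email cannot supply both the new details and the means of ‘verifying’ them.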
Finally, you should give consideration to contractual terms that impose risk mitigation obligations and allocate risks in respect of BEC, as they may prevent incidents or facilitate recovery if an incident occurs. For example, in the Canadian case of Yunsheng DU v Jameson Bank, 2017 ONSC 2422, no liability was found on the part of a bank that authorised payments to a fraudster pursuant to emails sent to it, because it was expressly agreed that the customer could give instructions via email and there was therefore no obligation on the bank to make further inquiries.