Who pays in a business email compromise (BEC) situation?

Both CERTNZ and Netsafe are reporting significant upticks in business email compromise (BEC) scams.  Even that growth is thought to represent the tip of the iceberg because of underreporting.  But what is the legal position?  Who bears the cost – payer or payee?

BEC is where a hacker alters an invoice or payment instruction, and the payer, thinking the change is legitimate, sends the money to the hacker’s account.  Generative AI and the increase in remote working from home, with computer systems that are less secure, can only exacerbate the problem.

BEC is best illustrated by way of an example: a construction materials company (let’s call them Basil’s Building Supplies Ltd – because the construction industry is a particular target) contracts to sell $200,000 worth of supplies to Janice’s Commercial Construction Ltd.  Unbeknown to Basil or Janice, Basil’s email systems have been infiltrated by a hacker, who generally will have been sitting watching email traffic, waiting for a large transaction to eventuate.  All emails in and out will have been monitored.  At the right moment, the hacker then alters and replaces the payment instruction from Basil to Janice, by changing the bank account number in an email or invoice.  No-one is the wiser.  From Janice’s perspective the email actually has come from Basil’s email system.  Basil is unaware the fraudulent email has been sent.  The hacker will use the same email format, signoff and language as the sender that they are impersonating, which they (assisted by AI) are easily able to copy from Basil’s prior email traffic, to which they have access.  Janice, unaware of the fraud, then makes the payment to the hacker’s bank account.  The sophisticated hacker continues the ruse for a few days afterwards, sending receipts and thank you emails backwards and forwards and deleting any legitimate emails from Janice and Basil to each other, so that the hacker gains time to fragment and shift the funds to a jurisdiction where it is harder to track and retrieve.

The prevalence of internet purchase and payment methods, ease of shifting funds through jurisdictions, including via non-banking channels, combined with the increasing sophistication of online hackers and AI, creates the perfect storm.  In these situations, usually the original hacker (and the money) is never found.  Hackers tend to target high value transactional businesses, so the construction industry as well as intermediaries like lawyers, real estate agents and share and boat brokers are obvious targets.

The big question is what happens next.  Is Basil still required to supply the building materials contracted and (from her perspective) paid for by Janice, or does the fact that payment has not actually been received by Basil mean that Janice must pay again, to get the materials?

Resources to help

There is no immediate answer in New Zealand and no binding caselaw (although we are aware of a Disputes Tribunal decision as well as examples that have been settled between the parties often involving insurers).  There are a range of online resources such as those from CERTNZ, Netsafe, the New Zealand Law Society, and the Government's Consumer Protection guidance.  However, beyond a summary of prevention measures, behaviour to be aware of, and various reporting agencies to contact in the event of a scam being detected, these resources do not address the question of legal liability.

The facts have it

The underlying question will inevitably be determined on a case-by-case basis.  However, while BEC legal liability is an evolving issue, several principles come through from overseas judgments, which will be relevant in New Zealand as we look to develop our own body of case law.

Commonwealth courts have looked at “who is best placed to prevent the fraud.”  Is the victim responsible for acting on the scam?  Does a business have the obligation to protect the consumer?  Or is it the person whose email system has been compromised?  Sympathy will naturally lie with the most vulnerable person in each case, which can often be the customer despite the fact that in less sophisticated BEC situations they may have been in a position to identify the fraud.

Nowadays however, with the “expertise” that hackers bring to bear, and the longstanding public warnings of the dangers in not properly securing business systems and training staff properly, focus is shifting to the business itself – Basil’s in our example.  Netsafe’s guidance above, for example, is 9 years old, so businesses have no excuse for ignoring the issue.

Failure to comply with cybersecurity precautions has proved detrimental to litigants overseas and will be considered in the context of a negligence claim on the part of the business.  A failure to exercise reasonable care means that the business will be increasingly likely to be liable.  Insurers are also requiring that businesses take reasonable precautions.  While we are not discussing breach of privacy specifically here (although that may also be relevant in a BEC situation), the New Zealand Office of the Privacy Commissioner has given a strong warning that any business not instituting multifactor authentication is not adopting best practice and would be liable under the Privacy Act.  That warning will be persuasive where a business fails to implement multifactor authentication and that failure enables a hacker to initiate a BEC scam.

So, business liability will often be the default starting point, perhaps with some small percentage reduction on the basis of fault (“contributory negligence” in legal parlance) on the part of the customer - Janice’s in our example - if there was something obvious that should have raised a red flag.

In the US, similarly, the “imposter rule” in Article 3 of the Uniform Commercial Code, adopted in some states, assesses how the parties’ respective failure to exercise ordinary care contributed to the hacker's success, and assigns loss according to their comparative fault.

New Zealand

In New Zealand, we have seen such claims made in negligence for failure to exercise due care and skill or, where goods and services are supplied to a consumer, as a breach of section 28 of the Consumer Guarantees Act 1993.  The CGA also requires that services are carried out with reasonable care and skill, and so will require a careful evaluation of the conduct of both parties.  As we note above, however, now that BEC is well known and the chances of a customer spotting it are decreasing, the onus is clearly on businesses to step up their game or be found liable.

For example, in the New Zealand Disputes Tribunal decision of QL v GT Ltd [2022] NZDT 129, GT was reported as sending a carpet quote to QL, but a hacker intervened in their emails so that QL sent her $5,000 deposit (50% of the price) to the hacker instead of GT.  The fraud was discovered but the funds could not be recovered.  QL paid the 50% balance (to the real account) and the carpet was installed.  However, GT then began to send demands to QL for payment of the deposit.  QL brought the case before the Disputes Tribunal.  The Tribunal considered the case on the basis of the question: “which party was better placed to prevent the fraud?” and determined that the carpet supplier GT was liable because GT was a business dealing with the public and owed a duty to be aware of BEC fraud and to take precautions against it, and/or to warn its customers.  This duty was said to arise out of the CGA.  The Tribunal Referee noted that the extent of a business’s cybersecurity is entirely within the control and knowledge of that business and its chosen IT consultants, not its customers, and it makes more sense for the default position to be that a business bears the risk of its own systems being compromised.  Also, businesses are in a better position than consumers to insure for the risk of BEC fraud.

We have acted on claims on this basis and achieved significant success for payers who have made payment to a hacker based on altered details sent from a payee’s compromised email system.

However, it was also noted in QL v GT Ltd that if a customer is shown to have been negligent, the responsibility may be shared, or the business may even be fully exonerated from responsibility.  Examples given included fraudulent emails full of spelling mistakes and grammatical errors but devoid of personal detail, or emails asking the consumer to click on a link that goes to a clearly unrelated site.

Decisions of the Disputes Tribunal are not binding on the higher courts, but the decision is a useful indicator of the analysis a New Zealand court would adopt if a payer and payee came before it arguing liability in a BEC situation.