Michael Gerard of construction and engineering law firm Michael Gerard Solicitors looks at the legalities and liabilities around the issue of email fraud
Technology may have revolutionised many areas of the construction industry but it has also created a whole new set of problems around cybercrime such as email fraud. Construction companies are particularly vulnerable to scams such as phishing due to the number and value of invoices involved in paying for subcontractors and labour, as well as materials and equipment.
This issue has come up for several clients and areas around culpability and liability can be confusing. Companies owed money were once protected by the cheque rule, which offered protection to the payee in that once a cheque was issued to the payee, it constituted a separate contract between the customer and the supplier, distinct from the contract previously entered into for the supply of the goods and/or services.
Except in very limited circumstances, such as counterfeit or stolen cheques, there is no defence to stopping a cheque. Once the cheque has been signed and handed over then a legally binding contract has been entered into and the customer has to honour the debt. Hence when a cheque was returned unpaid, the supplier could elect to bring a claim either under the supply contract or the separate contract entered into when the cheque was issued to the supplier – this is referred to as the “cheque rule”.
Although the cheque rule still applies, payment by cheque is fast disappearing, replaced by electronic funds transfers (EFTs). However, despite the clear advantages of EFTs, this new technology also brings in new challenges, not least email hacking.
Unfortunately, fraudsters hacking into email accounts is now not so uncommon – and it’s on the rise. This has serious implications for companies that have lax internal procedures and poor IT security in place.
Hacked email: A case study
So, what are the victim’s legal rights when an email is hacked, resulting in fraud? This grey area can be illustrated by a recent matter I was involved with concerning a main contractor who had engaged a specialist contractor on a construction project. The project was to run for several months and the specialist contractor’s input was required for much of the duration. This meant that the specialist contractor was entitled to regular valuations and payments with the majority of communications, document exchanges and financial transactions carried out electronically.
Unbeknown to both parties, the specialist contractor’s email account had been hacked and software installed that was capable of reading all incoming and outgoing emails, flagging up certain words to the hackers like ‘bank’, ‘payment’, ‘monies’ and ‘invoice’.
By coincidence, partway through the contract the specialist contractor informed the main contractor that it was intending to change its bank, which acted like a red rag to a bull to the hackers. Having intercepted a valuation, the hackers subsequently advised the main contractor’s accounts department that a new bank account had been set up with all future payments to be paid into the new account. The main contractor’s accounts department duly complied, having previously received internal authorisation of the amount to be paid by the contracts department, which was tens of thousands of pounds. The scam was not discovered until the specialist contractor started to chase payment, by which time the fraudster’s account had been cleared of funds, bar £4.00.
In such circumstances, who is culpable for the loss? From the main contractor’s perspective, it had complied with a request to make payment to a specific bank account, the request of which had been forwarded via an email that looked as if it had come from the specialist contractor’s own email account – it had even correctly addressed the accountant by his Christian name in the email. From the specialist contractor’s perspective, it had carried out the works but had not received payment.
Reasons for liability
Harsh as it may sound, and despite the fact that it was the specialist contractor’s email account that had been hacked, the main contractor did not have grounds or a valid defence for not making payment for the following reasons:
- The specialist contractor had a strict contractual claim for the monies owed. In order to avoid that claim, the main contractor would need to establish either (a) a breach of contract; or (b) negligence so as to set-off the contractual claim.
- In the absence of clear evidence that (a) the specialist contractor was aware of the fraud and/or the overwhelming likelihood of fraud occurring; or (b) the fraud was carried out by an employee of the specialist contractor for whose actions it was vicariously liable, neither the contract nor the common law would impose a duty of care on the specialist contractor to maintain a cybersecurity system capable of preventing an authorised push payment fraud of this nature. In fact, for such a duty to arise in business-to-business transactions is very unusual.
The main contractor therefore remained liable for payment.
Preventing email hacking
Prevention is, of course, better than cure; so how does a construction business go about ensuring that it does not fall prey to email hacking? Below are some practical tips:
- Spam is the most likely cause of malware being installed on a computer system. To prevent this, install good security software that protects against malware and viruses, together with a firewall that monitors network traffic and connection attempts into and out of a network or computer and determines whether or not to allow them to pass. The more sophisticated the security system is, the better the protection will be. And keep the system updated.
- Never click on unfamiliar links or download unfamiliar attachments.
- When taking on a new supplier and setting up payment on EFT (such as CHAPS), always carry out a test by transferring a small and unique amount (say £1.01) and then asking the supplier to confirm receipt by telephone (not email). The same applies to an existing supplier that changes its bank details. The same will also apply in reverse when the business is receiving monies from a client.
- It is a useful skill to learn how to read message headers and trace IP addresses, which then allows you to cross-check a particular IP address against a previously seen IP address in order to authenticate the sender.
- Reconcile your bank account every day.
- Have a written company policy on internet security and distribute it to all employees.
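As an added illustration of the header-reading tip above (example code written for this page, not part of the original article): a small Python checker that walks the Received: chain of a constructed message, takes the earliest hop as the originating IP, compares it with IPs previously seen from that supplier, and flags a Return-Path domain that differs from the From domain. All hostnames, addresses and the "known IP" list are constructed placeholders, and the IPs come from documentation ranges.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real capture: the From: line impersonates the
# supplier, but the earliest Received: hop shows an unfamiliar sending host.
RAW_MESSAGE = b"""Received: from mx.maincontractor.example (mx.maincontractor.example [203.0.113.10])
\tby mail.maincontractor.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Received: from webmail.unknown-host.example ([198.51.100.77])
\tby mx.maincontractor.example with ESMTPS; Mon, 01 Jan 2024 09:59:58 +0000
From: Accounts <accounts@specialist-contractor.example>
Return-Path: <bounce@free-mail.example>
Subject: Updated bank details for invoice 42

Please pay all future invoices into our new account.
"""

# IPs the supplier's genuine mail has come from before (constructed, assumed).
KNOWN_SUPPLIER_IPS = {"192.0.2.25"}
IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_ips(raw: bytes) -> list[str]:
    """IPv4 addresses from the Received: chain, oldest hop first. Each relay
    prepends its own header, so the bottom one is the hop nearest the sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        ips.extend(IPV4.findall(str(hdr)))
    return ips


def assess(raw: bytes, known_ips: set[str]) -> dict:
    """Cross-check originating IP and envelope sender against known values."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_ips(raw)
    origin = hops[0] if hops else None
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    findings = []
    if origin is None:
        findings.append("no Received: headers, origin cannot be established")
    elif origin not in known_ips:
        findings.append(f"originating IP {origin} not seen before for this supplier")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    return {"origin": origin, "hops": hops, "findings": findings, "suspicious": bool(findings)}
```

A mismatch is a prompt to pick up the telephone and confirm with the supplier on a known number, not proof of fraud in itself, since suppliers do legitimately change mail providers.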
Protecting against cybercrime
Contract terms: A business should consider including terms in its contract of supply that set out minimum standards of security software on the servers its suppliers use. This should include protection against malware and viruses, and a firewall. Software should also be constantly updated, while any changes to the company bank account details should be confirmed in writing by post or hand-delivered and signed.
Cyber liability insurance: Cyber liability insurance is available, which covers certain data breaches (including by hacking) and business interruption. However, it will not cover losses where a business has voluntarily made a payment into a third-party bank account.
Ultimately, it’s important to remember that if a mistake is made through an organisation’s own negligence, the business will have to stand on its own and with no right of redress from the banks. Therefore, the very best advice is to do your homework and make sure your business is kept safe.
Michael Gerard Solicitors
Tel: +44 (0) 1858 414290