According to the Australian Federal Police, more than $79 million has been lost to cybercriminals in the past 12 months through business email compromise, also known as BEC scams or payment redirection scams.
In such scams, cybercriminals trick victims by getting them to redirect their legitimate fund transfers, which victims think they are making to a business, into the criminals' own accounts.
The cyberthieves usually do this by intercepting legitimate emails sent from a business to a client. They then send a new email to the client, with a notice to send money, but changing the business's bank account details to their own.
The unsuspecting victim transfers funds to the fraudster and is unaware they've been tricked until the business contacts them, asking what happened to the payment.
Police say that business email compromise scams occurred at least 3,300 times last year. Unfortunately, the police managed to retrieve only $8.45 million, a fraction of the total lost. (See Business Email Compromise cost Australian victims more than $79 million in the past year, AFP, July 2021.)
BEC scams cheat farmers into paying for non-existent equipment
The ACCC's Scamwatch reports that the average loss from business email compromise is $30,000. However, one victim was reported to have lost $300,000 to a BEC scam.
Scamwatch says cybercrooks had recently been targeting farmers who were looking for a good deal on tractors and farm machinery. The scammers would advertise equipment at prices well below market value, then tell farmers they could not view the machinery prior to purchase due to Covid-19 government restrictions.
Farmers made payments to secure these special deals, when in reality the equipment never existed. As a result, they were conned out of $1.1 million. (See Payment redirection scams cost Australian businesses $128 million in 2020, Scamwatch, June 2021.)
Who is legally liable for money lost in a business email compromise scam?
So, who is responsible for the money that is stolen through business email compromise? Does the victim still have to pay the bill, even though they acted in good faith, paying the money to what they thought was a legitimate bank account?
It is a vexed legal position. Both sides are innocent victims - the business has not been paid and the victim has lost money.
There is legislation that covers business email compromise, contained in section 15 of the Electronic Transactions Act 1999 and section 14 of the NSW Electronic Transactions Act 2000. However, Australian law is not completely clear on the matter.
The legislation appears to lay responsibility on the person paying the bill, regardless of who sent the email with the false account.
While a few BEC cases have gone before the courts, none has yet resulted in judgements in a senior court. However, in countries with a similar legal system to ours, such as the UK and Canada, the law has generally favoured the unpaid business.
Imperative to check bank account details by phone before transferring funds
Here at Stacks Law Firm, we always include warnings in all client emails, as follows:
Cybercrime poses a significant risk for financial firms and their clients. For your protection, you should always verify our bank account details by phoning us before transferring any significant sum of money to us, as we cannot accept responsibility where money is transferred to an incorrect account.
So, if you receive an email that appears to come from a company, requesting you to transfer a large amount of money to their account, it is wise to first phone them, rather than replying to the email, to check that the email is genuinely from them and to verify the bank account details.
Also, make sure you obtain the phone number independently, not from the suspicious email.
Protecting your business and clients from the fallout of possible BEC scams
If you manage a business, it is important to seek legal advice on your contracts and terms and conditions, to ensure you are not liable in business email compromise events. Also check your insurance to make sure it contains adequate cybercrime cover and protects your clients from such losses.
It is also advisable to train your staff about the warning signs of business email compromise and to protect communication systems to mitigate possible security breaches. Installing good cyber security systems will help you avoid possible claims of negligence if your business email system is hacked.
Tony Mitchell
Disputes and litigation
Stacks Law Firm
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
