The Question
In today's digital world, email fraud is becoming increasingly common. One question arising more frequently is: If a hacker uses my email and tricks someone into sending money to the wrong account, who's responsible for the loss?
Two real-world examples of this include:
Example 1:
A business (Party A) is expecting a payment from a client (Party B). A hacker breaks into Party A's email and sends fake payment instructions to Party B. Party B follows those instructions and sends the money — but it ends up in the hacker's account; and
Example 2:
A client (Party A) has money invested with a wealth manager (Party B). The client's email gets hacked, and the hacker, posing as the client, asks for a withdrawal to a new account. The manager processes the request — and again, the money goes to the hacker.
In both situations, the parties are each innocent, and money has been lost. The key question becomes: who bears the loss — the sender of the money (Party B) or the person whose email was hacked (Party A)?
The Decisions
While Saskatchewan courts have not tackled this precise issue yet, courts in Ontario, B.C., and Nova Scotia have.
In the 2019 Ontario decision of St. Lawrence Testing & Inspection Co. Ltd. v. Lanark Leeds Distribution Ltd., the core question before the Court was: "Where a computer fraudster assumes control of Victim A's email account and, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster's account, is Victim A liable for the loss?" The Court concluded that Party A was not liable for the loss, unless one (or more) of the following circumstances were present:
- Contractual Agreement – If there was a contract between the parties that explicitly allowed Victim B to rely on email instructions from Victim A and included a clause shifting the risk of loss in such situations;
- Willful Misconduct or Dishonesty – If Victim A acted dishonesty; or
- Negligence – If Victim A was negligent in maintaining email or cybersecurity protocols.
In the 2022 Nova Scotia Small Claims decision of Jane Group Limited v. Heritage Gas Limited, a similar circumstance arose, where a company (Party B) paid an invoice to what they thought was their supplier (Party A), but it was actually a fraudster impersonating Party A via email. The Court applied this test, finding that no blameworthy conduct could be ascribed to Party A, and thus Party B (who had already paid the invoice once to the fraudster) was required to pay the invoice again, but this time to Party A.
The 2024 Nova Scotia Small Claims decision of Campbell v. Asaph also applied this test, and in doing so commented on what is considered 'blameworthy' conduct or negligence, noting that simply being hacked does not automatically equal negligence, as people are not required to have military-grade email security in order to take reasonable security precautions.
The Takeaway
Although this remains a developing area of law, and is novel in many Canadian jurisdictions, these decisions underscore the importance of establishing clear contractual terms and maintaining strong cybersecurity practices to protect against liability in cases of email fraud.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
