If your business pays a fraudulent invoice by mistake, do you understand the legal position and what practical steps you should immediately take?
Banks and cyber authorities have long been warning businesses to be vigilant when paying supplier invoices, but the threat of supplier invoice fraud has only been increasing. This type of fraud now accounts for approximately 55% of all fraud in the UK, with UK businesses losing an average of £295,000 a year to the scams.
As businesses continue to adjust to the difficult economic climate, recent increased staff turnover combined with sometimes outdated internal controls and systems has left many businesses more exposed than ever to supplier invoice fraud. In light of this heightened risk, we explain the legal background and some of the key practical steps a business should take if it is impacted by this type of fraud.
What is supplier invoice fraud?
Supplier invoice fraud involves fraudsters impersonating a business's suppliers and sending a purchaser fake invoices, or even intercepting and changing genuine ones.
This could be by way of sending a purchaser a payment request through either:
- Scenario A - a "phishing" email, from a spoof email address similar to the supplier's, or
- Scenario B - an email from a hacked, but genuine, supplier email address.
We explore both these scenarios in this article.
Using one of these methods, the fraudster usually tells the purchaser that its payment details have changed and provides new account details (or provides a fake invoice from a real or fictitious supplier) and the purchaser then – unwittingly – makes payment to the fraudster instead of the supplier. A payment could also be requested for a legitimate invoice but for a higher amount. Unfortunately the fraud often only comes to light when the real supplier seeks payment.
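The practical difference between Scenario A (a sender whose address merely resembles the supplier's) and Scenario B (a message from the supplier's real, compromised address) is what a purchaser's accounts-payable controls have to catch. The following is an added illustration, not code from the article or its authors: a small triage routine that classifies the sender domain against the supplier details already on the purchaser's own records, detects a "our bank details have changed" request, and in every such case holds the payment for verification on contact details held on file rather than those supplied in the email. It goes a little beyond the text by also catching look-alike domains built from character substitutions (for example "rn" for "m") and small typos. The supplier record, the sample messages and the change-request phrases are all constructed assumptions.

```python
"""Constructed triage helper for inbound supplier payment instructions.

Added example (not from the original article): it distinguishes a sender
whose domain only resembles the supplier's (Scenario A, spoofing) from a
message sent from the supplier's real domain (Scenario B, where the
account may be compromised), and flags any request to change bank details
for out-of-band verification. Supplier data and patterns are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Supplier:
    name: str
    domain: str       # email domain held on the purchaser's own records
    account_no: str   # bank account currently on file for this supplier


# Characters fraudsters commonly swap for visually similar ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed phrases typical of a "our bank details have changed" request.
CHANGE_PATTERNS = [
    r"\bnew (bank|account) details\b",
    r"\b(bank|payment|account) details (have|has) (changed|been updated)\b",
    r"\bupdated (our )?(bank|payment) details\b",
    r"\bremit (all )?(future )?payments? to\b",
]


def normalise(domain: str) -> str:
    """Lower-case and collapse common look-alike substitutions."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str):
    """Extract the domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else None


def classify_sender(address: str, known_domain: str) -> str:
    """'genuine' (exact match), 'lookalike' (resembles it) or 'unrelated'."""
    dom = sender_domain(address)
    if dom is None:
        return "unparseable"
    if dom == known_domain.lower():
        return "genuine"
    nd, nk = normalise(dom), normalise(known_domain)
    if nd == nk:
        return "lookalike"
    # Compare the registered name only, so acme-supplies.com vs .co.uk is caught.
    label_d, label_k = nd.split(".")[0], nk.split(".")[0]
    if label_d == label_k or (len(label_k) >= 6 and levenshtein(label_d, label_k) <= 2):
        return "lookalike"
    return "unrelated"


def requests_payment_change(body: str) -> bool:
    """True if the message asks the purchaser to pay to different details."""
    text = body.lower()
    return any(re.search(p, text) for p in CHANGE_PATTERNS)


def triage(supplier: Supplier, sender: str, body: str) -> dict:
    """Decide whether an instruction can be paid to the account on file."""
    verdict = classify_sender(sender, supplier.domain)
    change = requests_payment_change(body)
    verify = (f"hold payment; confirm with {supplier.name} on the phone number "
              "already on file, never on details given in the email")
    if change and verdict == "lookalike":
        scenario, action = "A", verify
    elif change and verdict == "genuine":
        scenario, action = "B", verify   # real address, possibly compromised
    elif change:
        scenario, action = "unknown", verify
    elif verdict != "genuine":
        scenario, action = "A", "review: sender does not match supplier on file"
    else:
        scenario, action = "none", f"pay only to account {supplier.account_no} on file"
    return {"sender": verdict, "change_request": change, "scenario": scenario, "action": action}


if __name__ == "__main__":
    acme = Supplier("Acme Supplies", "acme-supplies.co.uk", "12345678")  # constructed
    msg = "Our bank details have changed. Remit all future payments to the account below."
    for addr in ("ap@acme-supplies.co.uk", "ap@acrne-supplies.co.uk", "ap@acme-supplies.com"):
        print(addr, triage(acme, addr, msg))
```

The design point is that the sender check alone is never sufficient: in Scenario B the address is genuine, so the control that actually prevents the loss is the rule that any change of bank details is confirmed through a channel taken from the purchaser's existing records, which is the kind of process a contract or internal playbook can require.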
In these scenarios, those affected will likely seek to recover funds – the supplier might demand the purchaser to pay again, or the purchaser might demand that its bank repays the funds transferred. The key legal question will be how, on the facts, the risk of fraud is allocated between the supplier and the purchaser (and, in some cases, other parties).
This article explains some of the potentially complex options available to businesses in both scenarios. However, we recommend seeking legal advice as soon as possible, as there are a range of tactical considerations that will differ depending on the individual circumstances.
The law (such as it is)
Despite the steep rise in email-based supplier invoice fraud over the last decade, there remains very little legal authority on the subject. We are therefore left to consider older English cases – dealing with post and cheques instead of email and bank transfers – to analyse how the English courts would approach these matters. The common law position may be important because, as explained further below, commercial contracts often do not allocate the risk in these situations.
The precedents which appear most relevant are from the nineteenth and early twentieth centuries. For example, the case of Norman v Ricketts (1886) determined that a purchaser was deemed to have made payment by placing a cheque in the post (even though the cheque was stolen and did not reach the supplier). Given that email is the modern equivalent of post, and a bank transfer that of a cheque, purchasers may look to this case to help them argue that the risk of fraud should rest with the supplier.
On the other hand, London Joint Stock Bank Limited v Macmillan (1918), found that: (i) a customer owes a bank a duty to write cheques taking reasonable care to prevent fraud, and (ii) if, owing to a neglect of this duty, forgery takes place, it is the customer who is liable for the loss. Applying this reasoning to our scenarios (and leaving aside the Quincecare duties and the recent Supreme Court judgment in Philipp v Barclays discussed here), it is possible that today's courts may find that there is, in fact, a duty on a purchaser to protect itself against fraud.
Given the lack of direct authority, it is difficult to predict with any certainty how the English courts would allocate the risk of supplier invoice fraud if faced with litigation in this area.
It is worth noting the legal approach in the United States, where there have been more recent developments. Notably, in Beau Townsend Ford Lincoln Inc v Don Hinds Ford Inc (2017), a case involving supplier invoice fraud by email, the US District Court held that liability rested with whichever party "was in the best position to prevent the fraud". This appears to be analogous to the US Uniform Commercial Code's position on forged signatures: "the party who was in the best position to prevent the forgery by exercising reasonable care suffers the loss". This approach does not of course directly apply under English law (and the decision is not binding on an English court), but it may be instructive as to how the English courts might consider similar scenarios.
First response by a purchaser
This limited legal precedent aside, when a purchaser falls victim to supplier invoice fraud, there are a number of practical steps that it should promptly take.
These steps aim to provide the purchaser with the best chance possible of retrieving the fraudulently transferred funds. The steps should be incorporated into a "playbook" or action plan for the purchaser's employees to follow:
- First and foremost, the purchaser should notify its bank immediately after becoming aware of the fraud and request that the bank make an immediate recovery request via SWIFT.
- Following this, the purchaser should notify Action Fraud (the UK's cyber crime reporting centre) and obtain a crime reference number. This will: (i) assist the bank's efforts to recover funds, (ii) support insurance recoveries and (iii) demonstrate that the purchaser took steps to mitigate any losses.
- If the purchaser or supplier has relevant insurance cover (for example, crime or cyber coverage), it should notify its insurers.
- Both the purchaser and the supplier should conduct interviews with those employees who (most likely innocently) in some way facilitated the fraudulent payment. These interviews should be conducted by lawyers who will take notes for the purposes of any potential litigation – this should ensure that, so far as possible, legal privilege is maintained over any documents produced. We would also recommend that the interviews are not conducted by HR (although the HR team may be present) in order to make clear that the interviews are not for disciplinary purposes. This will hopefully encourage employees to be as open as possible about what has happened.
What are the purchaser's options for recovery?
This will depend on the nature of the fraud and whether it involves Scenario A - the phishing of a purchaser, or Scenario B - the hacking of a supplier. We have set out a diagram of the steps available to the purchaser, with a fuller explanation below.
Scenario A - Phishing of a purchaser
We know from our clients that phishing or spoof emails are becoming ever more common yet harder to spot. With the rise of AI technologies such as ChatGPT, criminals are able to create much more sophisticated phishing emails and can easily deceive a purchaser.
In this scenario, as the fraudster has simply impersonated the supplier and the supplier has not been hacked, the supplier is not itself "at fault". As a result, there are limited remedies available to a purchaser against the supplier directly.
On discovering that payment has been made to a fraudster, the purchaser should ask its bank to contact the beneficiary bank (i.e. the bank to which funds were paid) immediately. The purchaser's bank will hopefully act quickly, but we note the Supreme Court's comment in Philipp v Barclays Bank Plc that how promptly a bank should respond to such requests depends on the facts (and is a matter for further consideration in that case). Further, as discussed in Scenario B, beneficiary banks are not always able and/or willing to provide information about the beneficiary account.
For the purchaser, this is a matter of utmost urgency. This is because the funds may be recoverable in the first few hours following a fraud, but we know from experience that they are often dissipated all too quickly.
If the funds are not recoverable, the purchaser may wish to consider requesting its bank to reimburse it on the basis that its bank should:
- not have processed the payment; and/or
- have spotted that the payment was being made to a fraudster.
However, given the increase of all types of cyber fraud, banks now make real efforts to warn their customers of fraud risks, and will not refund customers who ignore these warnings. Often, a bank's terms and conditions will exclude the bank's liability for fraud claims where the bank relied on its customer's instructions.
An alternative option potentially available to a purchaser is to claim under its insurance. However, this will be dependent on: (i) the terms of the policy cover, and (ii) the facts (especially the nature of the phishing email received, and the extent to which the purchaser followed its internal processes). The more legitimate a phishing email appears, and the more closely employees followed the purchaser's internal processes, the easier it may be for the purchaser to claim monies back.
Scenario B – Hacking of a supplier
This scenario (known as a business email compromise attack) deals with the case where a supplier has been hacked and a fraudster is able to access the "real" email accounts of the supplier and make direct contact with purchasers (while appearing to be the supplier) to instruct that payments be made. The fraudster's payment instruction will most likely explain a reason as to why payment needs to be made to a different account (for example as part of a standard bank account change). The purchaser duly makes the payment, unknowingly into the fraudster's account.
As a result, the supplier will not receive the monies it is owed, while the purchaser will have made the payment it owes the supplier to the fraudster. The supplier may allege that the purchaser is in breach of contract for failing to pay the invoice amount to the correct recipient, and seek to bring a claim against the purchaser for the outstanding amount.
Contact the banks
As noted above in Scenario A, the purchaser's first step on discovery that a payment has been made to a fraudster should be to contact its bank to ask that it urgently take steps either to block or reverse the payment to the fraudster's account. This will involve the purchaser's bank working with the beneficiary bank to which funds were transferred.
Beneficiary banks will be conscious of their customer confidentiality and other duties, and may be unable to provide information about the beneficiary account or onward transfers. In this case, the purchaser may consider applying to court for a Norwich Pharmacal Order (NPO) in order to obtain information to support a potential contributory negligence argument in a dispute with the supplier. An NPO is an order for the disclosure of documents or information. This is an equitable remedy and so the terms of any order will be adapted to fit the case (i.e. the court would order the beneficiary bank to disclose information about the fraudulent payment to the party requesting the order).
Proportionality should always be considered when taking this course; NPOs can be costly and time-consuming, but they may potentially be useful for contributory negligence claims against the supplier. Any such claims will require detailed information as to when funds were dissipated and whether this dissipation could have been prevented if the supplier had alerted the purchaser to the fraud more quickly. We discuss the contributory negligence point further below.
What about the contracts?
If the funds do not appear to be recoverable, the purchaser should consider whether its contract expressly deals with payment mechanics and allocates the risk of fraudulent payments.
While contracts between customers and banks may expressly allocate risk in the case of fraudulent payment, it is uncommon to see this in commercial contracts with suppliers. On this point, we note that Lord Leggatt in Philipp v Barclays observed that allocation of this risk could also be a matter for future legislation and regulation, and we are of course monitoring any developments in this regard.
Contract deals with payment process
A commercial contract may however provide for a nominated bank account for purchaser payments and/or a process for nominating/changing that bank account. The contract might, for example, require that any change of bank account details must be notified to the purchaser in writing. If the contract contains such provisions, the purchaser should check whether it followed the correct process.
If the purchaser correctly followed the contractual procedure in directing payment to a new account, then the purchaser will have a defence to a claim by the supplier for the outstanding sum: the purchaser can argue that it acted on the basis of the supplier's ostensible authority.
If, however, the purchaser did not follow the contractual procedure, then the purchaser may be deemed to have failed to perform its obligations under the contract by making payment otherwise than in accordance with its terms. That being said, even in the circumstances of a purported breach of contract by the purchaser, a purchaser may still argue that the supplier was contributorily negligent. This is especially the case if: (i) the contract requires the supplier to have adequate security in place; and/or (ii) the supplier was aware, but did not inform the purchaser, of the hacking sufficiently promptly for the funds to be recovered.
Contracts silent as to payment process
It is, however, more likely that the commercial contract is silent as to payment mechanics. In these circumstances, the purchaser should consider whether it can argue that it has satisfied its obligations by making payment, albeit inadvertently to a fraudster. This will involve analysis of: (i) any contractual obligations on the supplier that could be relevant to this scenario, such as any failure to comply with technical and security measures (as mentioned above); and (ii) whether the purchaser has followed its own processes when making the payment.
Other tactical considerations
Feelings understandably run high when businesses fall victim to fraud. This may mean that suppliers take legal steps against purchasers rather than attempting to find a more constructive solution. The key consideration for all parties should be that the wrongdoer is the fraudster – not the supplier or the purchaser. All attempts should be made to cooperate where possible in order to reverse the transfer of the funds or to seek recoveries. It is also often true that supplier-purchaser relationships are vital to the parties in the longer-term and should be preserved even in the face of the fraud.
Although there is little formal legal authority in this area, it is clear that businesses face the threat of supplier invoice fraud and must be prepared to protect themselves. This should include ensuring that they have processes in place to act immediately and take practical steps should they fall victim to fraud.
The increase of supplier invoice fraud is consistent with a wider trend for an increase of fraud before the English courts, which we track through our proprietary Court Intelligence Database (see our post here).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.