By Elena Nelyubina and Eduard Barskyi
In recent weeks, cybercriminals have been pivoting their methods to take advantage of the COVID-19 pandemic. Here we shed light on the legal position of businesses that fall victim to online scams and in particular to invoice fraud, which has become an increasingly popular type of online scam.
An invoice fraud scheme usually involves a cybercriminal masquerading as a trusted supplier, and sending a fake invoice to that supplier’s customers. In these scams, the cybercriminal often has control of the supplier’s email account and can access legitimate invoices. The cybercriminal changes these invoices to include new bank account details and then sends the invoices to customers from the supplier’s email account. The customer pays the invoice into the cybercriminal’s bank account, and the actual supplier’s invoice for services provided or goods delivered remains outstanding.
The legal position of a businesses whose email was hacked or identity imitated
The general position at law is that the hacked party is usually the one at fault. There is, however, a distinction between cybercrime carried out through:
- an actual hack of a business’s server (and sending an email from that server); or
- spoofing a business’s email address.
The distinction between ‘spoofing’ v ‘hacking’
- Spoofing is all about making it appear that the email is coming from a trusted sender, while in reality the email originates from an external source that could be on the other side of the world. Unfortunately, spoofing an email account today is an easy task for someone with the right skills – any email server can be configured to send mail from any given domain. Even in the absence of equipment or know-how, there are websites that can send one-off emails using the email address of choice.
- On the other hand, hacking involves a hacker gaining access to a business’ email or IT system and impersonating a member of staff. The company will have no idea that the hacker is actively using its email for a fraudulent purpose, and the fraudulent email sent by the hacker is almost indistinguishable from legitimate business emails.
From a legal point of view, if it is simply a case of spoofing, there should be no liability or responsibility on part of the supplier whose email address and invoices were spoofed. The customer is still liable to pay the outstanding amounts to the supplier. If it is a case of an actual hack, the level of liability would depend on the circumstances. There is yet to be a case in Australia that directly deals with who bears the loss in a hack situation.
Urgent actions to be taken by victims of cybercrime
The Australian Cyber Security Centre provides the following advice to businesses who have fallen victim to an online scam:
- If any of your email accounts have been compromised, notify your clients
(or, at a minimum, your affected clients)
- Consider putting up a notice on your website
- Contact your IT team so they can alert the affected parties and secure the email account
- Report scams to the ACCC’s Scamwatch
- If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).
Measures by all businesses
To mitigate your legal risk, your business should put in place a number of measures to reduce the chance of being hacked. Whether a business has done all that is reasonably expected to protect itself from being exploited by a cyber hacker in an invoice fraud situation would impact the assessment of the levels of liability of and the potential distribution of liability between the affected parties.
ACSC advises businesses to employ the following techniques to minimise the risk and loss of falling for cyber scams:
- Purchase appropriate insurance: as the responsibility remains at all times with the business to protect their systems and mitigate losses, you want to ensure that your business has the broadest insurance covering all cyber scams.
- Educate your staff:
- Teach your staff to be on the lookout for the warning signs, for instance:
- Emails that are unexpected, come from a different contact or someone who wouldn’t usually send payment requests;
- Emails that ask for instant payment or threatens severe consequences;
- Emails with a different email address (e.g. “.com.au” vs “.com”);
- A supplier has provided new bank details or is requesting a different payment amount.
- Safeguard your internal information: avoid sharing internal company knowledge that could be exploited by scammers, such as the individual contact details of employees most likely to be targeted, particularly those working in accounts or finance.
- Strengthen your IT security: protect your networks, develop and maintain proper security controls, block spoofed emails, configure your email server to reject emails that do not originate from the email servers approved by the sender’s organisation, use strong multi-factor authentication to prevent scammers from using your email login details.
- Consider including the following wording to the email signatures of staff sending invoices:
- “FRAUD ALERT: There has been an increasing occurrence of fraudsters intercepting emails and inserting their bank account details in place of the intended account details. We will never send changes to bank account details or request sensitive information by email. If you receive any email of this nature, phone (do not email) our office immediately.”
Key to preventing cybercrime is to ensure that both ends of a transaction implement sufficient checks and balances. Businesses that fail to have precautionary measures in place are more likely to be liable for any losses that incur in the event of being hacked.
Contact Elena Nelyubina for assistance with legal matters, including legal liability in the face of online fraud.
You can download a copy of this article here.