Business Email Compromise Scams or Hacking of Business Emails - Who is Liable?
Has a hacker accessed your business email? Have they sent emails to clients asking for money without your permission? Unfortunately, these days hacking scams are commonplace. In 2019 business email compromise scams were responsible for $132 million in business losses according to the Australian Competition and Consumer Commission’s (ACCC) Targeting Scams report.
A few examples of business email hacking scams are the following:
- Cyber criminals hack a business’s computer system, and through this, they identify the contact details of clients. They send messages to clients stating that the bank details of the company have changed. They then provide alternative details and ask clients to send money to the new account/s.
- Cybercriminals hack a business’s computer system and steal valuable intellectual property.
- Cybercriminals hack a business’s computer system and prevent it from working. They then demand that the company pays a ransom before they restore the system to working order.
Cybercrime can cost a business a lot of money and even be the cause of a business failure or closure.
Who is Liable for Business Email Scams?
The general principles of duty of care and negligence apply to this field of law.
Your business must fulfil its duty of care to clients and suppliers and others who could suffer a loss due to business email compromise hacking scams. To do this, you must stay on top of the risks that may come from cybercriminal activity and the hacking of business emails. Cybercriminals are forever becoming more sophisticated with the methods they use to hack sensitive data. Procedures and systems must be put in place to ensure your company is less likely to be a victim of cybercrime and hacking. If you do not, a court may find that your company is liable for the damage caused by cybercriminal behaviour due to your negligence in failing to safeguard your business from such attacks.
Some general principles to follow to minimize the chances that your company is the victim of a hacking scam are the following:
- Do not act on emails which ask you to transfer money to a bank account with new details without first verifying the details via a telephone call with the relevant person;
- Provide your clients and suppliers with information about hacking scams and advise them not to act on emails providing new bank account information until they have verified the details over the telephone with the relevant person; and
- Have your computer system regularly reviewed for its level of cybersecurity by a cybersecurity professional or firm.
If your company is still compromised, there is a chance that the cybersecurity system you have installed at your workplace has failed. In this event, your business may have a case against the company who installed your cybersecurity system or against the cybersecurity software company.
It is important that you obtain appropriate insurance that covers you for cybercriminal activity in the event that cybercrime does take place within your company, and your company suffers a loss because of it. It is important when purchasing insurance for your business to ensure that business email compromise or cyber hacking scams are not excluded in your cover. It is also important that you understand what your company will be covered for by the insurance in the event that a hacking event does occur.
The Queensland Government provides some useful information on its website to assist with safeguarding your business against cybersecurity threats.
Scamwatch provides news and alerts about new scams that have been reported or identified –
The ACCC also provides a service to which small business owners can subscribe. This is called the Small Business Information Network. By signing up to this, you can receive email updates about, among other things, scams that may be relevant to your business.
So far, in Australia, there have not been many court decisions about the hacking of business emails. One case currently before the Victorian courts involves the Law Firm Mills Oakley. It is alleged by the claimant that Mills Oakley’s computer system was hacked and, as a result, almost $1 million was sent from Mills Oakley’s trust account to an incorrect address. The firm alleges that in fact, it was the client’s email account that was hacked and not its firm’s and as such that the firm is not liable for the loss. This case is currently before the common law division of the Supreme Court of Victoria. It will be interesting to see what the outcome is in this case.
If you require legal advice or representation in any legal matter, please contact Armstrong Legal.