Australia:
Legal liability when your business email has been hacked
In recent weeks, cybercriminals have been pivoting their methods
to take advantage of the COVID-19 pandemic. Here we shed light on
the legal position of businesses that fall victim to online scams
and in particular to invoice fraud, which has become an
increasingly popular type of online scam.
Invoice Fraud
An invoice fraud scheme usually involves a cybercriminal
masquerading as a trusted supplier, and sending a fake invoice to
that supplier’s customers. In these scams, the cybercriminal
often has control of the supplier’s email account and can
access legitimate invoices. The cybercriminal changes these
invoices to include new bank account details and then sends the
invoices to customers from the supplier’s email account. The
customer pays the invoice into the cybercriminal’s bank
account, and the actual supplier’s invoice for services
provided or goods delivered remains outstanding.
The legal position of a business whose email was hacked or
identity imitated
The general position at law is that the hacked party is usually
the one at fault. There is, however, a distinction between
cybercrime carried out through:
- an actual hack of a business’s server (and sending an email
from that server); or
- spoofing a business’s email address.
The distinction between ‘spoofing’ v ‘hacking’
- Spoofing is all about making it appear that the email is coming
from a trusted sender, while in reality the email originates from
an external source that could be on the other side of the world.
Unfortunately, spoofing an email account today is an easy task for
someone with the right skills - any email server can be configured
to send mail from any given domain. Even in the absence of
equipment or know-how, there are websites that can send one-off
emails using the email address of choice.
- On the other hand, hacking involves a hacker gaining access to a
business’s email or IT system and impersonating a member of staff.
The company will have no idea that the hacker is actively using its
email for a fraudulent purpose, and the fraudulent email sent by
the hacker is almost indistinguishable from legitimate business
emails.
From a legal point of view, if it is simply a case of spoofing,
there should be no liability or responsibility on the part of the
supplier whose email address and invoices were spoofed. The
customer is still liable to pay the outstanding amounts to the
supplier. If it is a case of an actual hack, the level of liability
would depend on the circumstances. There is yet to be a case in
Australia that directly deals with who bears the loss in a hack
situation.
Urgent actions to be taken by victims of cybercrime
The Australian Cyber Security Centre provides the following
advice to businesses who have fallen victim to an online scam:
- If any of your email accounts have been compromised, notify
your clients (or, at a minimum, your affected clients)
- Consider putting up a notice on your website
- Contact your IT team so they can alert the affected parties and
secure the email account
- Report scams to the ACCC’s Scamwatch
- If you have been a victim of a cybercrime such as fraud, report
it to the Australian Cybercrime Online Reporting Network (ACORN).
Measures to be taken by all businesses
To mitigate your legal risk, your business should put in place a
number of measures to reduce the chance of being hacked. Whether a
business has done all that is reasonably expected to protect itself
from being exploited by a cyber hacker in an invoice fraud
situation would affect the assessment of the level of liability,
and the potential apportionment of liability between the affected
parties.
ACSC advises businesses to employ the following techniques to
minimise the risk and loss of falling for cyber scams:
- Purchase appropriate insurance: as the responsibility remains at
all times with the business to protect its systems and mitigate
losses, you want to ensure that your business has the broadest
insurance covering all cyber scams.
- Educate your staff: teach your staff to be on the lookout for the
warning signs, for instance:
  - Emails that are unexpected, come from a different contact or
  someone who wouldn’t usually send payment requests;
  - Emails that ask for instant payment or threaten severe
  consequences;
  - Emails with a different email address (e.g. “.com.au” vs
  “.com”);
  - A supplier has provided new bank details or is requesting a
  different payment amount.
- Safeguard your internal information: avoid sharing internal
company knowledge that could be exploited by scammers, such as the
individual contact details of employees most likely to be targeted,
particularly those working in accounts or finance.
- Strengthen your IT security: protect your networks, develop and
maintain proper security controls, block spoofed emails, configure
your email server to reject emails that do not originate from the
email servers approved by the sender’s organisation, and use strong
multi-factor authentication to prevent scammers from using your
email login details.
- Consider including the following wording in the email signatures
of staff sending invoices:
  “FRAUD ALERT: There has been an increasing occurrence of
  fraudsters intercepting emails and inserting their bank account
  details in place of the intended account details. We will never
  send changes to bank account details or request sensitive
  information by email. If you receive any email of this nature,
  phone (do not email) our office immediately.”
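The measure above of rejecting emails that do not originate from the servers approved by the sender’s organisation is what SPF (Sender Policy Framework, RFC 7208) provides: the sending domain publishes its approved mail servers in a DNS TXT record and the receiving server checks the connecting IP against it. The following is an added illustration, not code from the article or the ACSC; it evaluates a constructed SPF record for a hypothetical supplier.example domain, handles only the ip4/ip6/all mechanisms, and performs no DNS lookups.

```python
import ipaddress

# Constructed SPF record for a hypothetical supplier domain (not from the article).
# It approves one IPv4 range and one IPv6 range and hard-fails everything else.
SPF_RECORDS = {
    "supplier.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_domain: str, connecting_ip: str, records=SPF_RECORDS) -> str:
    """Return the SPF result for mail claiming to be from sender_domain and
    delivered from connecting_ip: 'pass', 'fail', 'softfail', 'neutral',
    'none' (no record) or 'permerror' (malformed record).

    Only ip4/ip6/all mechanisms are implemented; include/a/mx would need DNS."""
    record = records.get(sender_domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier per RFC 7208
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # catch-all: always matches
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # any other mechanism is skipped in this offline illustration
    return "neutral"                         # no mechanism matched


def should_reject(sender_domain: str, connecting_ip: str, records=SPF_RECORDS) -> bool:
    """Receiver policy for the article's advice: reject on a hard SPF fail,
    i.e. the mail came from a server the sender's organisation has not approved."""
    return evaluate_spf(sender_domain, connecting_ip, records) == "fail"
```

A spoofed invoice sent from an arbitrary server would fail this check even though its From address matches the supplier, whereas mail sent from a hacked account on the supplier's own server would pass, which is why SPF addresses spoofing but not the hacking case the article distinguishes.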
Conclusion
Key to preventing cybercrime is to ensure that both ends of a
transaction implement sufficient checks and balances. Businesses
that fail to have precautionary measures in place are more likely
to be liable for any losses incurred in the event of being
hacked.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.