During an initial consult, a client presented the following scenario:
The client had engaged a local small business in Melbourne (Business) to complete a service at their home. The service was completed to the client’s satisfaction and the Business emailed an invoice to the client for $3,000.00 from the only email address that was used for all communications with the client. The invoice provided their bank account details and requested the client transfer the payment accordingly.
The next day, from the Business’ same email address, the client received another email requesting the client make payment to the Business’ secondary bank account. The reason for this sudden change, according to the information provided in the email, was that the previous bank account was under audit.
At the time, the client thought this was odd and requested confirmation. The client received an immediate reply from the Business’ email address confirming the payment to the secondary bank account. The client promptly made payment of $3,000.00 to the secondary bank account.
Shortly afterwards, the Business contacted the client to inform them that they had not received payment. The client responded that they had made the payment promptly to the secondary bank account, following the Business’ email that requested the payment to the secondary bank account.
The Business immediately informed the client that the client had been scammed. No employee had sent an email to the client requesting payment to a secondary bank account. The Business further stated that the client should have been aware that it was a scam. The Business’ position was that the email did not conform to the Business’ previous emails, of which the client should have been vigilant.
The Business then continued to demand payment for their services, which had accrued interest.
The client had already taken the appropriate steps to notify Consumer Affairs, the Police, their bank and the respective banking institution of the Business and the second bank to whom they had transferred the payment of $3,000.00. The client was provided with very little information and informed by the banks that an internal investigation was underway, the details of which could not be provided to the client.
This did not assist the client in with dealing with the Business’ owner who continued to demand payment.
The client inquired whether the Business had notified their insurer and whether their policy covered such a situation.
The Business responded that they had notified their insurer and the insurer’s position was that the client had fallen for a “phishing” scam and accordingly, as it was not deemed a “hacking” scam, and therefore not covered by the insurance, and the client was responsible for the payment to the Business.
By the time the client sought legal assistance from our office, the Business was demanding $33,000.00 and requesting a response within one day of receiving the demand letter.
The client sort legal advice to determine their position and whether they owed the Business the full amount of $33,000.00.
The situation describes what is known as a Business Email Compromise (BEC) scam.
A BEC scam typically occurs when the business email address is compromised and the fraudster impersonates the business in order to lure a third party (or another employee of the business) into making a payment to their bank account. For all intents and purposes, it can look exactly like an email you would receive from the company, and be from the company’s domain email address. With technologies increased sophistication, fake invoices and websites are becoming harder to detect, even to the trained eye. These can be differentiated from emails sent from a similar domain email address, e.g., email@example.com versus firstname.lastname@example.org (no “.au”).
The case between the client and the Business was probably deemed a ‘’phishing scam’’ by the Business’ insurer because access to the Business’ email address had likely occurred through ‘phishing’ and not ‘hacking’ (which the insurer covered).
By gaining access to the Business email address through phishing, a separate incident occurred which later led to the successful completion of a BEC scam. As the BEC scam was the result of a phishing scam to access the Business email account, the insurer would not cover the loss incurred by the third party from the BEC scam.
The small business had likely misunderstood the insurer’s explanation of the difference between phishing and hacking, as the small business had incorrectly blamed the client for their lack of vigilance and consequently pursued the client relentlessly for costs. In this situation, the client was, however, an innocent third party and a fellow unsuspecting victim, who was also deprived of $3,000.00. To hold the client liable for a Business’ failure to guard against their own access to email addresses, would be unjust. That said, there is yet to be a test case within Australia, of this particular nature.
In either scenario, hacking and phishing scams are offences under the Cybercrime Act 2001 (Cwlth). There is near uniformity with respect to the implementation of such laws across Australia.
An oversimplification to describe hacking and phishing would be to say that a phishing scam occurs when the cybercriminal deceives another into providing their personal information, such as a pop-up advert on a website requesting the entry of personal information in order to claim a prize. Whereas hacking occurs in a variety of ways, including password cracking or downloading malicious software or viruses.
In a phishing scam, the victim has provided access by divulging personal information, whereas, under hacking, the malware or spyware is either used to break into your systems or monitor and record your moves and keystrokes to gain access. With that said, there is a further struggle to define what the word “access” means, according to the Australian Institute of Criminology.
It is possible that the Business entered their email address and password into a fraudulent link or through some other means of a phishing scam. This allowed the cybercriminal to gain access to their email address and monitor its activity for an opportunity to strike. When the Business invoiced the client, it provided the perfect instance to impersonate the business and request a direct payment to their bank account. As a precautionary note, business emails should not be used for anything but business.
If a business is a victim of a BEC scam, whether or not it occurs through a phishing scam, it is probable that the business will be responsible for the damage; potentially even to the consumer. Scam protection is a given, and undoubtedly a duty of the business in today’s technological times. If a business so much as uses emails for even the generalist of communication, they need to have insurance coverage for these particular types of cyber-attacks. It is extremely important to ensure the business insurance policy covers BEC scams, including other potential hacking and phishing scams.
If it does happen to your small business, you want to ensure you have the broadest insurance coverage. This means confirming that the purpose of cybercrime insurance is to also protect third parties against such losses. The responsibility remains at all times with the business to adhere to a reasonable standard to protect their systems and have appropriate measures to mitigate their losses.
The importance of cybercrime insurance cannot be emphasised enough. In the United States, Medidata Solutions, Inc. was a victim of a BEC scam in 2014. The company filed a claim against its insurer, Federal Insurance Co. for losses that amounted to $4.8 million However, the claim was denied on the basis that a BEC scam did not constitute “computer fraud” under the companies’ insurance policy. Accordingly, the company filed a lawsuit again the insurer to determine whether the companies’ policy covered the BEC scam the company had experienced, Medidata Solutions, Inc. v. Federal Insurance Co., No. 15-CV-907 (U.S.D.C., S.D.N.Y. July 21, 2017). Medidata Solutions, Inc. prevailed, and Federal Insurance Co. was ordered to pay damages.
There is yet to be a similar case within Australia, however, the outcome of such a case could still have an impact on insurance practices and interpretation of policies within Australia, particularly given the size and globalisation of large-scale insurance firms.
According to the Australian Competition and Consumer Commission’s Targeting Scams: Report of the ACCC on scams activity 2016 (2017) (“Report”), business scams significantly rose, by almost 31 percent, in 2016. Nearly 6000 businesses reported being targeted, resulting in around a $3.8 million loss in total. BEC scams, in particular, saw a significant increase. BEC scams fell under the category of hacking in the report, however, which accounted for a total loss of $2.9 million dollars in 2016. As discussed previously, a classification of a BEC scam may not be so straightforward, at least for insurance purposes, and the exact figures are unknown.
In the United Kingdom, consumer groups have discussed holding businesses accountable to ensure customers are not victims of scams, as well as compensating customers should the business fail to protect their systems. 
In Australia, that form of business accountability could amount to further protections for consumers under Australian Consumer Law. Given the significant increase in cyber-attacks and the increased sophistication of scams, it is highly likely that this will become a focus of law reform. However, before any form of accountability can occur, a reasonable standard among business practice should be established when it comes to implementing cybersecurity. Such a standard ought to be the primary focus of law reform. For any new law to be successful, it requires a strong emphasis on education during its implementation.
Businesses are under a duty to protect their own systems and train staff to be aware of the fraudulent activity, however, it should also extend to educating consumers to contact the business if there are any doubts when they receive correspondence from the company, particularly when making payments.
The key to prevention of cybercrime is ensuring both ends of a transaction implement sufficient checks and balances. Develop a sufficient system within your own business to manage your transaction history and ensure you have verification steps in place to monitor client payments, that your client is also aware of and familiar with.
Originally written by Alicia Chisholm
Should you be the victim of a business compromise email scam or cybercrime, please contact us to discuss your legal options.
 See Australia’s Privacy Act 1988 (Cth) and https://www.oaic.gov.au/privacy-law/privacy-act/