According to the latest published figures in Europe, businesses lost over €176 million to business email compromise scams in 2021. One example is the invoice redirection scam, in which a fraudster hacks into the supplier's system or intercepts emails and sends altered invoices with different banking details to customers. Payments made to these accounts are likely never recoverable. With work becoming increasingly digital, it is imperative for businesses to protect themselves and their customers from such scams.

When businesses fall victim to an invoice redirection scam, a dispute often arises between the customer and the supplier. For example, the customer thinks that it has made payment and wants to keep the goods or services, but the supplier still hasn’t been paid and demands payment from the customer.

An example

In one case, the Plaintiff would order goods from the Defendant and pay a 30% deposit. The goods were then loaded on a ship and delivered to the Plaintiff’s nominated carrier. Once the goods had been transported, the Defendant would issue a further invoice for the remaining 70% and on receipt of payment, would direct the carrier to release the goods to the Plaintiff.

The Plaintiff and the Defendant only ever communicated by email.

During the course of one particular order, a fraudster intercepted the emails between the Plaintiff and Defendant and then interposed itself between the parties, using email addresses very similar to the Plaintiff's and Defendant's real email addresses.

The fraudster sent a fake invoice to the Plaintiff in the amount of EUR 163,452.50 with its own bank account details. The Plaintiff attempted to make payment into that account, but payment was rejected at first as the account did not match the details of the Defendant. However, rather than attempting to contact the Defendant, the Plaintiff simply tried again and the funds were transferred to the fraudster’s account.

When the Defendant refused to release the goods on delivery to the Plaintiff, the Plaintiff commenced proceedings seeking relief to the effect that it was the proper owner of the goods and the goods should be released to it.

The Plaintiff argued that it had complied with the terms of the contract and made payment in accordance with the emails it received. In the alternative, it argued that the Defendant had a duty to the Plaintiff to ensure that it was not the victim of fraudulent emails.

Ultimately, the Court found in favour of the Defendant, concluding that the Plaintiff had not made payment to the Defendant and there were reasonable steps that the Plaintiff could have taken to protect itself, including contacting the Defendant to verify payment details.

Lesson for all

In the above case, the Plaintiff mistakenly thought that because it had made payment, it had complied with its obligations under the contract.

In the end it was an expensive lesson for the Plaintiff. Not only did it have to bear the loss of the amount paid to the fraudster, it also had to pay costs of the proceedings and was unable to claim the goods without paying the remaining 70% to the Defendant.

In those circumstances, a customer that makes payment to a fraudster may not have any proper defence to a claim by a supplier for the costs of goods or services supplied. In the absence of any deeming provisions in a contract around when payment is made, the position often taken is that a payment is not made unless it is received in the proper account of the Defendant in cleared funds.

Artefaktum Expert advice

Businesses can help protect themselves by having strong policies and procedures in place, including the following:

  • Ensure that email addresses and account details do not change during the course of a matter;
  • If any email addresses or account details do change for any reason, contact the other party through an alternative means, such as a phone or video call. It is important to make contact through the original details provided at the commencement of any dealings as the details in the email with the alternate bank account number could also have been changed;
  • Maintain a register of approved bank accounts and contact details, so the details in any email or invoice can be checked against the approved list;
  • Take out insurance against fraud where available;
  • Educate staff about cyber-fraud and the applicable policies and procedures in place; and
  • Inform customers that if bank account details change, they will be informed in a specific manner, and never simply by email.