Steve Guild: Don’t expect phishing victim to pay for forgivable error

Do you know what e-mail phishing is? How about whaling? Or domain spoofing? Even if you can’t be precise, you probably have an inkling that they are catchy but confusing terms for types of online fraud.

Steve Guild is a Partner, Burness Paull

At their heart, there is a deception: some trickery by a fraudster to obtain sensitive information such as supplier or banking details, which is then used to transfer funds to the fraudster’s bank account. Before the victim knows it, the funds have been transferred away in a manner that makes them difficult or impossible to trace. The police are often powerless to help.

If a bank has made a transfer on the instructions of a fraudster rather than the genuine customer, the customer may be able to sue the bank for breach of mandate. But banks have tightened up their payment protocols to make this type of fraud much harder. In response, fraudsters have devised scams to deceive the bank’s customers into instructing the transfers themselves.

As a firm, we are seeing increasing numbers of online frauds in which clients have either been the victim or have unwittingly played a part. Recently I was asked by a client to defend a substantial claim from a firm of debt collectors threatening to sue on behalf of their Chinese client for payment for 3,000 sewing machines which purportedly had been supplied to our client in Uganda. However, our client operates only in the oil and gas sectors, did not place any such order, does not operate in Uganda and has no need for one sewing machine, let alone 3,000.

On investigation, it became apparent that a “domain spoof” had occurred. In other words, a fraudster had set up a website purporting to belong to our client which suggested our client was a UK distributor of consumer goods such as sewing machines. The website contained some errors obvious to those with English as their first language, but not so obvious to a non-native speaker. The website also displayed factually correct information about our client taken from UK Companies House, which gave the website an air of legitimacy at first glance.

Despite high-profile campaigns designed to educate about online fraud, we have seen a number of instances where even sophisticated business persons and corporate clients, wrongly believing that they are corresponding with financial advisors, pension providers or trusted suppliers, have been duped by phishing e-mails into parting with substantial funds. The way to minimise the risk is for companies to implement strict payment protocols and properly train and instruct staff in their operation.

But let’s say you have put such protocols in place, and your employees have been trained in them. What if an employee has failed to exercise common sense or been careless – “negligent” – and inadvertently facilitates an online fraud? The employee is, of course, not a fraudster. He or she is arguably a victim. Can you sue the employee to recover your loss?

This was the interesting question before the court in the recent Scottish case of Peebles Media Group Ltd v Patricia Reilly (15 Nov 2019). Peebles sued Mrs Reilly, their credit controller, for £107K being the loss it suffered as a result of an online “whaling” fraud (the “whale” harpooned was the MD of Peebles).

While the Peebles’ MD was in Tenerife on holiday, the unfortunate Mrs Reilly was duped into believing that she was in e-mail correspondence with the MD. In fact, the e-mails were coming from a fraudster who managed to persuade Mrs Reilly to make various payments totalling £193K to the bank accounts of purported suppliers of Peebles. Of course, the accounts (under the control of the fraudster) promptly removed the funds with all but £85,000 proving untraceable. As the judge put it: “[Peebles] have suffered a major loss…[Reilly] has lost her employment. It is a tragic case.”

In the end the judge held that Mrs Reilly’s conduct was not sufficiently careless or egregious to amount to a breach of a duty of care. The claim failed.

So the answer is yes, you can sue an employee because they owe you a duty to exercise reasonable skill and care in the performance of their duties. However, in practice it is likely to be very difficult to persuade a court to order the employee to compensate, particularly where an employee is a junior member of staff.

Therefore be warned – don’t expect the courts to provide a safety net if an employee gets caught out by phishing.

Steve Guild is a partner, Burness Paull