Liability for Hacking and Spoofing Attempts

A business will be liable if it is ‘hacked’ by a third party, which often leads to businesses paying invoices to the wrong bank account or having a customer pay money to an account other than that of the business.

If you are hacked, then typically the business will still be unable to require the customer to pay their invoices, as the customer has the defence of being misled into making incorrect payment.

Another way in which fraudsters may attempt to impersonate a colleague or staff member is through ‘spoofing’, which is the practice of using a fake email address to imitate a genuine email address, typically to trick recipients into paying money to the spoofer. At law, generally speaking, a business that has been ‘spoofed’ will not be liable for any false invoices issued by the ‘spoofed’ email address, and will still be able to recover money from a customer even if the customer has paid money to the wrong bank account.

Practical Tips

Below are some helpful tips that businesses can use both to reduce the chances of being hacked and to limit their liability in the event they are hacked:

1. Take out appropriate insurance policies to cover losses arising from being hacked, as doing so can reduce the costs to businesses, such as suppliers being unable to recover money from customers;

2. Take measures to protect the emails and other personal identifiers of members of their accounting and payments teams, as well as the details of others who handle sensitive information and/or company finances;

3. Take care to educate staff members about the risks posed by both hacking and spoofing-based scams, and warn them against automatically obliging extreme requests or using updated payment information contained in unexpected emails. Train staff always to double-check any type of money transaction, especially when it involves email instructions, by calling suppliers to double-check their account details;

4. Businesses should consider using an email sign-off that warns recipients that the sender will never send account or invoice information, nor request payment, via email and that mentions the increase in frauds involving either hacked or spoofed email addresses.

The Australian Cyber Security Centre offers helpful information regarding how to respond if a business has been hacked or spoofed, so it is worth visiting their website to learn more about the advice they offer.