Business Email Compromise (BEC) also known as email account compromise (EAC) attacks exploit our collective reliance on email to conduct business and personal affairs. While there are many variations on this cyberattack, the most difficult to detect are situations where an attacker gains control over a supplier’s email address and uses it to request a seemingly legitimate business payment. The fraudster will request a payment be sent electronically to a new account that they control. This is what makes it so effective, because to the recipient, the compromised email is authentic since it originates from a known authority figure from a supplier. Many employees will fail to realize that it is a cyberattack.
These attacks can be extremely costly to the target organization. An Austrian aeronautics company lost €42 million to BEC attack. On a smaller scale, the Dublin Zoo lost €500,000 and Save The Children USA lost US$1 million to a similar attack.
Legal options if you have been the victim of a Cyberattack
If your organization is a victim of a cyberattack and transferred money to an illegitimate account, you may not realize it until a supplier asks for a payment that your organization believed it had already paid. The first step is to notify your financial institution as soon as possible to determine if there are any options to recall the funds. This is sometimes possible if the cyberattack is detected quickly. Unfortunately, the window for financial institutions to recall or reverse payments is small.
Who Bears the Loss?
There is a dearth of case law dealing with BEC cyberattacks in Canada. In a recent Quebec decision in Concessions Caravane 1986 Inc. v. Toronto Dominion Bank 2020 QCCS 3426 involving a phishing attack, the court decided that both parties should bear the loss in proportion to each party’s contribution to the loss. In St. Lawrence Testing and Inspection Co. v. Lanark Leeds Distribution Ltd. 2019 CanLII 69697, an Ontario Small Claims Court ruled in 2019 that it is the payor who bears the risk of loss (and must therefore pay twice) unless:
- the contract governs how payments are made and it shifts liability for a loss resulting from fraudulent payment instructions;
- there is evidence of wilful misconduct or dishonesty by the other victim; or
- there is negligence on the part of the other victim.
What to do to prevent a Cyberattack?
Cyberattacks require a robust defense. Clear procedures regarding payments are a must and the decision to transfer a large sum of money should not be left to a single person. In addition to standard spoofing and phishing awareness, users and decision makers should be trained to look out for:
- High-level executives of your company asking for unusual information or requesting a payment through unusual channels
- Suppliers requesting unusual information, or payment to new accounts, or through unusual channels
- Requests to keep the email confidential, or to only communicate through email
- Requests that carry a high level or extreme urgency
- Requests that ask to bypass normal procedures and channels
* With thanks to Teng Rong for his assistance in preparing this article.