Email hacking in the construction industry – who is liable?

This article is slightly different to my usual column. I have decided to write about email fraud because, over the past couple of years, a number of clients have approached me with concerns about it; some because they have received convincing electronic communications from fraudsters, whilst others have been the victim of fraud through their email accounts.

Payment by cheque is fast disappearing, replaced by electronic funds transfers (EFTs).  However, despite the clear advantages of EFTs, this new technology also brings in new challenges, not least email hacking.

Unfortunately, fraudsters hacking into email accounts is now not so uncommon – and it’s on the rise.  This has serious implications for companies that have lax internal procedures and poor IT security in place.

Hacked email – a case study

So, what are the victim’s legal rights when an email is hacked, resulting in fraud?  This grey area can be illustrated by a matter I was involved with in 2019, concerning a main contractor who had engaged a specialist contractor on a construction project.  The project was to run for several months and the specialist contractor’s input was required for much of the duration.  This meant that the specialist contractor was entitled to regular valuations and payments with the majority of communications, document exchanges and financial transactions carried out electronically.

Unbeknown to both parties, the specialist contractor’s email account had been hacked and software installed that was capable of reading all incoming and outgoing emails, flagging up certain words to the hackers like ‘bank’, ‘payment’, ‘monies’ and ‘invoice’.  By coincidence, part way through the contract the specialist contractor informed the main contractor that it was intending to change its bank, which was like a red rag to a bull for the hackers.  Having intercepted a valuation, the hackers subsequently advised the main contractor’s accounts department that a new bank account had been set up and that all future payments were to be paid into the new account.  The main contractor’s accounts department duly complied, having previously received internal authorisation from the contracts department of the amount to be paid, which was tens of thousands of pounds.  The scam was not discovered until the specialist contractor started to chase payment, by which time the fraudster’s account had been cleared of funds, bar £4.00.

So, in such circumstances, who is culpable for the loss?  From the main contractor’s perspective, it had complied with a request to make payment to a specific bank account, and that request had arrived in an email that looked as if it had come from the specialist contractor’s own email account – it had even correctly addressed the accountant by his Christian name.  From the specialist contractor’s perspective, it had carried out the works but had not received payment.

Reasons for liability

Harsh as it may sound, and despite the fact that it was the specialist contractor’s email account that had been hacked, the main contractor had neither grounds nor a valid defence for not making payment, for the following reasons:

  • The specialist contractor had a strict contractual claim for the monies owed. In order to avoid that claim, the main contractor would need to establish either (a) a breach of contract; or (b) negligence so as to set off the contractual claim.
  • In the absence of clear evidence that (a) the specialist contractor was aware of the fraud and / or the overwhelming likelihood of fraud occurring; or (b) the fraud was carried out by an employee of the specialist contractor for whose actions it was vicariously liable, neither the contract nor common law would impose a duty of care on the specialist contractor to maintain a cyber-security system capable of preventing an authorised push payment fraud of this nature. In fact, it is very unusual for such a duty to arise in business-to-business transactions.

The main contractor therefore remained liable for payment.

Preventing email hacking

Prevention is of course better than cure; so just how does a construction business go about ensuring that it does not fall prey to email hacking?  Below are some tips:

  • Spam is the most likely cause of malware being installed onto a computer system, so make sure your system has good security software that protects against malware and viruses.
  • Never click on unfamiliar links or download unfamiliar attachments.
  • When taking on a new supplier and setting up payment on EFT (such as CHAPS), always carry out a test by transferring a small and unique amount (say £1.01), and then ask the supplier to confirm receipt by telephone (not email).
  • Reconcile your bank account every day.
  • Have a written company policy on internet security and distribute it to all employees.

Protecting against cyber crime

Contract terms – A business should also consider including terms in its contract of supply that set out minimum standards of security software on the servers its suppliers use. This should include protection against malware and viruses and a firewall. Software should also be constantly updated, whilst any changes to the company bank account details should be confirmed in writing by post or hand delivered and signed.

Cyber liability insurance – Cyber liability insurance is available which will cover certain data breaches (including by hacking) and business interruption.  However, it will not cover losses where a business has voluntarily made a payment into a third-party bank account.

Ultimately, it’s important to remember that if a mistake is made through a business’s own negligence, the business will have to stand on its own, with no right of redress from the banks.  Therefore, do your homework and make sure your business is kept safe.

 © Michael Gerard 2020

The advice provided is intended to be of a general guide only and should not be viewed as providing a definitive legal analysis.

Author background

Michael is a Solicitor, Chartered Builder & Registered Construction Adjudicator, and is a director at Michael Gerard Law Limited, a solicitors’ practice regulated by the SRA.