In a recent Ontario Small Claims Court decision, a deputy judge was faced with a situation where a business e-mail compromise resulted in settlement funds being redirected to a fraudster rather than the intended recipient.
The case raised the following novel question:
Where a fraudster assumes control of Victim A’s e-mail account and then, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster’s account, is Victim A liable for the loss?
The underlying claim was simple and traditional. The plaintiff was seeking an unpaid balance for environmental assessment services in the total amount of $15,670.54. The defendant acknowledged the debt but claimed insolvency. The plaintiff issued a small claims action on April 27, 2018. The parties reached a settlement agreement on August 1, 2018.
The relevant terms of settlement were:
Mark Schokking on behalf of the Corporate Shareholders shall pay to [the Plaintiff] the sum of $7,000 as follow as full and final settlement of the claim.
Mark Schokking and/or the Corporate Shareholders will deposit $7,000.00 into the Trust account of McDonald, Duncan LLP, account number XXXXX-773, Bank of Montreal no layer than August 8, 2018….
Between August 1, 2018 and August 8, 2018, a fraudster struck. The fraudster gained access to the workplace e-mail of the paralegal representing the plaintiff. Her e-mail credentials were obtained either via a “phishing” attack or possibly a “brute strength" attack. The fraudster changed the e-mail “rules” for the paralegal’s account that had the following consequences:
- Specific incoming e-mails would be forwarded to an external Gmail account and the original incoming e-mail would automatically be deleted.
- The fraudster was then able to send e-mails from the paralegal’s account to the specific accounts. If the recipient e-mailed back, it would be re-directed.
- The paralegal would have no way of knowing the correspondence was taking place.
With these redirections in place, the fraudster sent revised instructions to Mr. Schokking on August 1, 2018. The e-mail requested Mr. Schokking deposit the money to a Credit Union account in Medicine Hat, Alberta. Mr. Schokking replied by e-mail asking for the physical address. The fraudster, still masquerading as the paralegal, provided the information. Ultimately, Mr. Schokking sent the money to the Medicine Hat account. The fraud was subsequently discovered but the money was never recovered.
The plaintiff brought a motion to enforce the settlement, arguing that the defendant had failed to comply with the settlement terms. The defendant took the position he had satisfied the terms of settlement.
After noting a lack of jurisprudence and the need for legislative intervention in this specific area, the deputy judge concluded that as a default rule, the subject of a fraud (Victim A) that results in another entity (Victim B) diverting funds properly meant for Victim A will not be liable for the loss unless:
- Victim A and B had a contract which authorized B to rely on e-mail instructions from A, and the contract shifts liability for a loss resulting from fraudulent payment instructions to A; or,
- There is evidence of willful misconduct or dishonesty by Victim A; or,
- There is negligence on the part of Victim A.
In the present case, the deputy judge found none of these exceptions applied. There was no contract between the two parties beyond the initial terms of settlement, and there was no evidence of misconduct, dishonesty, or negligence by the paralegal or her firm.
The deputy judge accordingly found that by sending the settlement funds to the Medicine Hat account as opposed to the trust account, the defendant failed to follow the terms of the settlement. The deputy judge ordered the Defendant to pay $7,000 in settlement of the claim.
The old adage of “an ounce of prevention is worth a pound of cure” still holds true in the world of e-mail fraud. Proactive risk management practices like employee training, responsive procedures and properly enforced office policies can be an inexpensive and effective way to manage the continued risk of business e-mail compromise and similar cyber breaches.
This case is a prime example of how it takes multiple errors from multiple parties to result in a loss. In an era where the human element continues to make up the bulk of cyber claims managerial controls and employee training are essential in addressing these risk exposures. In this specific case, there were two ways the likelihood and the severity of this breach could have been modified.
The first is the need for organizations to proactively train their employees on the ongoing risk of cyber breaches. The firm’s IT professional noted that the paralegal’s e-mail password was considered “strong” and therefore likely resistant to a brute force attack. This suggests that her credentials were obtained via a “phishing” scam. Frequent password changes and a scrutiny of e-mails with the hallmarks of a “phishing scam” could had avoided an e-mail compromise in the first place.
The second take-away is that in the age of convenient e-transfers, organizations must have policies and procedures in place to verify any changes in deposit instructions. This is especially true when those new instructions include a transfer to an extra-provincial account with no apparent connection to the parties. In the present case, had the defendant made a phone call after receiving the e-mail, they could have reduced the impact of the paralegal’s e-mail compromise and avoided having to pay out twice on a claim they thought settled.
See: St. Lawrence Testing & Inspection Co. Ltd. v Lanark Leeds Distribution Ltd., 2019 CanLII 69697 (ON SCSM)