How to protect your business from phishing and whaling scams

Do you know what e-mail phishing is? How about whaling? Or domain spoofing? Even if you can’t be precise, you probably have an inkling of what they are – catchy but rather confusing terms to describe types of online fraud.

At their heart, there is a deception: some trickery by a fraudster to obtain sensitive information such as supplier or banking details which are then used to transfer funds to the fraudster’s bank account. Before the victim knows it, the funds have been transferred away in a manner that makes them difficult or impossible to trace. The police are often powerless to help.

If a bank has made a transfer on the instructions of a fraudster rather than a genuine customer, the customer may be able to sue the bank for breach of mandate. But banks have now tightened up their payment protocols to makes this type of fraud much harder to carry out. In response, the fraudsters have devised scams to deceive the bank’s customers into instructing the transfers themselves.

Online frauds like phishing and whaling on the rise

As a firm, we are seeing increasing numbers of online frauds in which clients have either been victim or unwittingly played a part. Recently I was asked by a client to defend a substantial claim from a firm of debt collectors who were threatening to sue on behalf of their Chinese client for payment for three thousand sewing machines which purportedly had been supplied to our client in Uganda. The problem was: our client operates only in the oil and gas sectors; did not place any such order; does not operate in Uganda; and has no need for one sewing machine, let alone three thousand.

On investigation, it became apparent that a “domain spoof” had occurred. In other words, a fraudster had set up a website purporting to belong to our client which suggested our client was a UK distributor of consumer goods such as sewing machines. The website contained some errors that were obvious to those with English as their first language. But the errors would not have been so obvious to non-native speakers. The website also displayed factually correct information about our client taken from UK Companies House which gave the website an air of legitimacy – at least, at first glance.

How to minimise the risk of phishing and whaling attacks

Despite the high-profile campaigns designed to educate about online fraud, we nevertheless have seen a number of instances where even sophisticated business persons and corporate clients, wrongly believing that they are corresponding with financial advisors, pension providers or trusted suppliers, have been duped by phishing e-mails into parting with substantial funds. The way to minimise the risk is for companies to implement strict payment protocols and properly train and instruct their staff in their operation.

What if your employees fall victim to online fraud?

Let’s say you have put such protocols in place, and your employees have been trained in them. What if an employee has failed to exercise common sense or been careless – “negligent” - and inadvertently facilitates an online fraud like phishing or whaling? The employee is, of course, not a fraudster. He or she is arguably a victim too, in that they have been duped. Can you sue the employee to recover your loss? This was the interesting question before the court in the recent Scottish case of Peebles Media Group Ltd v Patricia Reilly (15 Nov 2019):

1. Peebles sued Mrs Reilly, their credit controller, for £107K being the loss it suffered as a result of an online “whaling” fraud (the “whale” “harpooned” here being the MD of Peebles).
2. At the time of the fraud, Peebles’ MD had gone to Tenerife on holiday. While on holiday, the unfortunate Mrs Reilly was duped into believing that she was in e-mail correspondence with the MD. In fact, the e-mails were coming from a fraudster who managed to persuade Mrs Reilly to make various payments totalling £193K to the bank accounts of purported suppliers of Peebles. Of course, the accounts under the control of the fraudster who promptly removed the funds with all but £85,000 proving untraceable. As the judge put it: “[Peebles] have suffered a major loss…[Reilly] has lost her employment. It is a tragic case.”
3. The e-mails are produced in full in the case report. They contain some errors and unusual features. For example, they were sent to Mrs Reilly at strange times outside office hours (around 5am); initially they requested payments in dollars, not pounds sterling, despite the purported payees being UK suppliers; there were spelling mistakes, including the name of one of the payees which Mrs Reilly actually queried by e-mail only to be corrected by the fraudster; the e-mails were signed off on behalf of the MD in a slightly unusual manner (‘Yvonne Bremner’, than the usual ‘Y’); Mrs Reilly did not actually have authority to process such payments (although unfortunately for Peebles, a colleague of Mrs Reilly did have authority and that colleague processed some of the payments and gave Mrs Reilly authority to process others herself); the standard fraud warnings (including those that caution the user to look out for spelling mistakes in e-mails) issued by Peebles’ bank immediately prior to processing the payments were overlooked by Mrs Reilly; and, on closer inspection, when Mrs Reilly sent replies to the fraudster, the fraudster’s actual e-mail address, which was materially different to the MD’s, was visible on screen (although Mrs Reilly did not notice it). In respect of one of the payments, Mrs Reilly had first to transfer money between Peebles’ accounts to allow her to make payment, something she clearly had no authority to do. In all, the evidence arguably painted a fairly damning picture of Mrs Reilly’s conduct.
4. That said, as the judge put it, “hindsight is a wonderful thing”. The judge noted that the e-mails had come in at a time when the MD had gone on holiday overseas (when communication by e-mail and at unusual times might be expected); at least in respect of incoming e-mails, the MD’s cloned e-mail address was accurately displayed on the screen. The e-mails looked legitimate. It also transpired that Mrs Reilly had gone to the trouble of leaving a voicemail with the MD asking the MD to call before the first payment was made. The MD failed to return the voicemail. When Reilly had then sought further assistance, a senior colleague with authority to make transfers had approved the payments. Furthermore, in respect of one of the payments, it would appear that Peebles’ bank manager had authorised the transfer notwithstanding he knew that Reilly lacked authority to make payments on behalf of Peebles (apparently the manager knew the MD was on holiday at the time).

In all the circumstances, the judge held that in respect of most of the transfers that Mrs Reilly’s conduct was not sufficiently careless or egregious to amount to a breach of a duty of care; and in respect of the payment that had been preceded by the unauthorised transfer of funds between Peebles’ accounts by Mrs Reilly, there was a breach of duty but she was not the cause of the loss and the loss was too remote in law as it was “exceptional and unnatural because of the fraud being perpetrated on her and [Peebles].” The claim failed.

So the answer is yes you can sue an employee because they owe you a duty to exercise reasonable skill and care in the performance of their duties, but in practice it is likely to be very difficult to persuade a court to order the employee to compensate - particularly where that an employee is a junior member of staff.

It is possible that the decision will be appealed, it could therefore be reversed and the appeal court may give definitive guidance. But the case is a useful reminder that the standard of care expected of a person in any given case will depend on their seniority, knowledge and experience. The judge appears to have placed great weight on the fact that Mrs Reilly was an inexperienced and junior employee who had been left “holding the fort for more experienced members of staff” which had “put her at a significant disadvantage”. The judge felt Mrs Reilly had been let down by more senior colleagues – first by the MD who had failed to return her call and by her more senior colleague who had consented to the payments being made – and in the circumstances it would be unjust for Mrs Reilly to carry the can for such a significant liability (which presumably could have grave personal consequences for Mrs Reilly).

Key steps to protect your business from phishing and whaling fraud

So be warned - don’t expect the courts to assist if an employee gets it wrong. The key takeaways from the case appear to be these:

• make sure your systems and protocols are very robust
• properly train and instruct your staff in them
• regularly refresh that training and instruction
• instigate and enforce a clear chain of command as regards authority to make payments.

As a firm, we have specialist teams who can make sure you are properly equipped to deal with the scenarios that may impact you and your business whether that be through dedicated training, one to one sessions, audits or reviews.

If you think your organisation would benefit from any of these, please contact me or Lynne Gray and we would be happy to help you put together and plan to keep the fraudsters at bay.