Business Email Compromise (BEC), also known as email account compromise (EAC), exploits our collective reliance on email to conduct business and personal affairs. While there are many variations on this cyberattack, the most difficult to detect are those where an attacker gains control over a supplier’s email address and uses it to request a seemingly legitimate business payment. The fraudster will request that a payment be sent electronically to a new account that they control. This is what makes the attack so effective: to the recipient, the compromised email is authentic, since it originates from a known authority figure at a supplier. Many employees will fail to realize that it is a cyberattack.

These attacks can be extremely costly to the target organization. An Austrian aeronautics company lost €42 million to a BEC attack. On a smaller scale, the Dublin Zoo lost €500,000 and Save The Children USA lost US$1 million to a similar attack.

Legal options if you have been the victim of a Cyberattack

If your organization is a victim of a cyberattack and transferred money to an illegitimate account, you may not realize it until a supplier asks for a payment that your organization believed it had already paid. The first step is to notify your financial institution as soon as possible to determine if there are any options to recall the funds. This is sometimes possible if the cyberattack is detected quickly. Unfortunately, the window for financial institutions to recall or reverse payments is small.

Who Bears the Loss?

There is a dearth of case law dealing with BEC cyberattacks in Canada. In a recent Quebec decision in Concessions Caravane 1986 Inc. v. Toronto Dominion Bank 2020 QCCS 3426 involving a phishing attack, the court decided that both parties should bear the loss in proportion to each party’s contribution to the loss. In St. Lawrence Testing and Inspection Co. v. Lanark Leeds Distribution Ltd. 2019 CanLII 69697, an Ontario Small Claims Court ruled in 2019 that it is the payor who bears the risk of loss (and must therefore pay twice) unless:

  1. the contract governs how payments are made and it shifts liability for a loss resulting from fraudulent payment instructions;
  2. there is evidence of wilful misconduct or dishonesty by the other victim; or
  3. there is negligence on the part of the other victim.

What to do to prevent a Cyberattack?

Cyberattacks require a robust defense. Clear procedures regarding payments are a must and the decision to transfer a large sum of money should not be left to a single person. In addition to standard spoofing and phishing awareness, users and decision makers should be trained to look out for:

  • High-level executives of your company asking for unusual information or requesting a payment through unusual channels
  • Suppliers requesting unusual information, or payment to new accounts, or through unusual channels
  • Requests to keep the email confidential, or to only communicate through email
  • Requests that carry a high or extreme level of urgency
  • Requests that ask to bypass normal procedures and channels

We provide advice to businesses that have been a victim of a cyberattack. We can also assist in reviewing your internal policies and procedures before a cyberattack occurs.

* With thanks to Teng Rong for his assistance in preparing this article.

Michael Nowina

Michael Nowina’s litigation practice focuses on a broad range of commercial disputes including advising on the recovery from fraudulent investment schemes, mortgage fraud and credit fraud. Michael’s fraud-related and investigations experience includes representing victims of a Canada-wide investment fraud and ultimately securing recovery of a majority of the proceeds from the fraud, advising numerous creditors in proceedings commenced to recover fraudulent conveyances and preferential payments in multi-jurisdictional litigation, and representing financial institutions in identity fraud cases and in proceedings to recover funds from fraudulent borrowers. Michael also frequently advises clients on insolvency matters involving fraud.

John Pirie

John Pirie leads Baker McKenzie’s Canadian litigation and government enforcement group and is a member of the North American group’s Steering Committee. A Chambers ranked trial lawyer, he handles complex business disputes, investigations and white-collar matters, particularly those with multi-jurisdictional aspects. John’s focus includes a significant fraud and financial recovery component, having pursued and defended a range of leading cases in the area. He has deep experience with emergency relief measures, including global asset freeze orders and remedies available in bankruptcy and receivership. John has acted for governments, banks, investors, multinational corporations, officers and directors, a stock exchange, a securities regulator, members of the judiciary and an array of professionals. Clients interviewed by Chambers Global say: “John Pirie has an excellent command of the law and clients’ needs and expectations” and “he is an experienced courtroom advocate who is particularly well regarded for his civil fraud expertise.”