Rapidly becoming one of the most common and difficult scams to detect, invoice fraud targets businesses and their customers alike. It is estimated that, in 2020, the total value of these scams was around £82 million*, with less than half that amount being recovered and reimbursed. Business owners are advised to take as many steps and precautions as possible to protect themselves by minimising the risk of fraud, as well as the risk of liability for negligence.
Commonly, invoice (or mandate) scams target payments between an organisation and a legitimate payee. Invoices or instructions for payment sent by email are intercepted by the scammer and then resent with different bank details, so that any payment of the invoice is sent straight to the scammer’s bank account.
If a customer makes the mistake of paying into the scammer’s pocket, the question then turns to who must take the loss – the customer who paid the funds or the business whose invoice has not been paid?
Unfortunately, both the individual and the business are victims of this fraud, and it is not clear where the fault lies. Case law on the matter offers limited guidance, but analogies can be drawn from it, nonetheless.
Earlier cases dealing with forged cheques between a customer and their bank can help to establish where liability lies when a creditor (business) gives written instructions to a debtor (customer) to make payment, and the written instructions are then altered by a scammer. It can be inferred that in these circumstances the creditor owes a duty to take reasonable care to make sure their communications are not intercepted so that the subsequent payment is not sent to the wrong account. All businesses are expected to take reasonable steps to prevent fraud and owe a duty of care to their customers.
A court case between a company, Sell Your Car With Us Ltd, and a customer whose car the company was selling provides some direct guidance on the matter. An invoice for payment from the company to the customer was diverted by a scammer and the company subsequently paid monies intended for the customer into the scammer’s account. The company tried to dispute that money was still owed to its customer and argued that it believed the customer would take reasonable care to secure his emails. ICC Judge Burton found Sell Your Car With Us to be responsible for sending the money to the unknown third party.
Interestingly, Sell Your Car With Us was alert to the risk, even including in its terms and conditions procedural requirements for a customer wishing to change their email or bank details. Unfortunately, the company failed to be vigilant to changes in the email address and did not follow its own fraud procedures. Making sure procedures are in place and, crucially, followed, will substantially reduce a business’s liability.
However, an appeal case between road contractors J Brazil and solar energy company Belectric muddies the water on liability. Belectric paid monies due to J Brazil to the wrong account after J Brazil’s email was hacked by a scammer. It was considered here that the hacker was not the claimant’s agent and that both parties were the innocent victims of the scam. Regardless of this decision, the customer was still liable to pay the contractor.
Ultimately, the exact extent of the liability a business might incur for the actions of a customer who has been unwittingly scammed is unclear. There is no default position, with each matter depending on its individual factors and circumstances.
Protection from scammers
Businesses must take steps to avoid falling victim to invoice fraud, and to minimise the risk of liability for negligence if a scammer succeeds, and a payment is made to an incorrect account.
If you are confident that your technology offers you the right level of protection from scammers, putting payment policies in place and implementing them effectively is the next safety barrier to erect. Cooperation between suppliers and customers reduces the risk of invoice fraud, and this should be reflected in your policy documents. A business’s standard terms and conditions should deal with the allocation of the risk of loss incurred through invoice fraud.
Businesses should also ensure that they have suitable policies and procedures for their staff, including a disciplinary policy, a code of conduct and an anti-fraud policy. All policies should be reviewed annually to enable your business to stay current in this ever-changing environment.
Training also plays a key role. Providing staff with regular training to help them identify fake invoices and respond to such scams in line with the business’s policies and procedures is the most effective way to stop the criminals succeeding. If all staff who deal with invoices are properly trained, then avoiding invoice fraud will become second nature. Businesses should therefore consider carrying out random mock scam tests, similar to phish testing. Staff who fail to spot the mock scam invoice should be required to attend further training to reduce the risk of them falling victim to this in a real situation.
Businesses and their staff are encouraged to double check bank account details, email addresses, phone numbers, and even the logo on any invoices received for subtle differences. Even the slightest doubt should be clarified by checking the details by telephone. This means calling a previous number or contact who you have an established relationship with or independently searching for the company’s contact details and using that information to make the call – do not use any of the details on the (possibly fake) invoice or email you have received.
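The check described above can also be automated ahead of the phone call. The following is an added illustration, not part of the original article: the record fields, finding codes and sample supplier are all constructed, and the 0.8 similarity threshold is an assumption.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class PayeeRecord:
    """Details captured when the payee was onboarded (constructed fields)."""
    name: str
    email_domain: str
    sort_code: str
    account_number: str
    callback_phone: str  # number already on file, never taken from the invoice

def _digits(value: str) -> str:
    # "12-34-56" and "123456" are the same sort code
    return "".join(ch for ch in value if ch.isdigit())

def check_invoice(record, sender_email, sort_code, account_number):
    """Return finding codes for an incoming invoice; an empty list means no mismatch."""
    findings = []
    domain = sender_email.rsplit("@", 1)[-1].strip().lower()
    known = record.email_domain.lower()
    if domain != known:
        # Near-identical domains (one swapped character) are the subtle case
        similar = SequenceMatcher(None, domain, known).ratio() >= 0.8
        findings.append("LOOKALIKE_DOMAIN" if similar else "UNKNOWN_DOMAIN")
    on_file = (_digits(record.sort_code), _digits(record.account_number))
    if (_digits(sort_code), _digits(account_number)) != on_file:
        findings.append("BANK_DETAILS_CHANGED")
    return findings

def decide(record, findings):
    """Pay only on a clean match; otherwise hold and call the number on file."""
    if not findings:
        return "PAY"
    return (f"HOLD ({', '.join(findings)}): "
            f"call {record.callback_phone} from the record on file")

# Constructed sample data
SUPPLIER = PayeeRecord("Example Supplier Ltd", "example-supplier.co.uk",
                       "12-34-56", "12345678", "01632 960000")

if __name__ == "__main__":
    spoofed = check_invoice(SUPPLIER, "accounts@examp1e-supplier.co.uk",
                            "65-43-21", "87654321")
    print(decide(SUPPLIER, spoofed))
```

A clean result only means the invoice matches the record on file; any finding routes the payment to the call-back step using the stored number.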
Businesses should also make their customers aware of the potential risks when settling invoices. A business cannot guarantee the security of its customer’s emails, but it can reduce its risk of liability by educating its customers on how to protect themselves from invoice fraud.
If, despite diligently checking payment requests and communications details, invoice fraud does occur, then contact the bank that has received the money to try to get it frozen as soon as possible. If you are not able to freeze the monies, civil action is the next advisable step for the party who mistakenly made the payment.
An urgent freezing injunction to secure the money and a disclosure order to identify the scammer are also an option in suitable cases with sufficiently large sums. This gives both parties the best chance of recovering the monies mistakenly paid out. The police should also be contacted, and all parties are advised to consider whether they have insurance to cover the situation.
The business should also undertake internal investigations to discover where and how the breach occurred. Staff are required to use reasonable care and skill in carrying out their role. If, following an investigation, it is found that a member of staff is repeatedly falling victim to invoice fraud (despite having received regular training to be able to spot such scams and appropriate procedures being in place), or is knowingly paying false invoices, disciplinary action may be reasonable and justified depending on the circumstances. In addition, the business should then identify any changes which could be made to the company’s policies and practices to reduce the likelihood of this happening again.
Preparation and response are key to preventing invoice fraud being successful. Taking positive steps as set out above will reduce the risk of your business being a victim of invoice fraud.
Sell Your Car With Us Ltd v Sareen  BCC 1211
J Brazil Road Contractors v Belectric Solar Ltd 2018 WL 01993147
Article by: Clare Mackay, Senior Associate, and Molly Hart, Para Legal in SA Law’s Commercial Litigation and Dispute Resolution team.