In the recent case of Sell Your Car With Us Limited v Sareen EWHC 232 (Ch) the Insolvency Court was asked to determine whether the ultimate victim of an email hacking fraud, Mr Sareen, was liable in contract and/or tort to Sell Your Car With Us Ltd (the “Company”) for causing the fraud by failing to take reasonable care over the security of his emails and/or to keep reasonable control over his email security.
This was quite a remarkable position for the Company to adopt given the evidence. Mr Sareen had contracted with the Company to sell his Maserati Levante and, in return for a small fee, the Company was bound under its terms to pay him the purchase price. A buyer was found and the Company was due to pay the sum of £51,800 to Mr Sareen, but the money never arrived in his bank account. It subsequently transpired that a third party had intercepted the email exchanges between them. The third party, impersonating Mr Sareen over email and telephone, induced the Company to wrongly divert £30,000 to a different bank account under the control of the fraudster. The Company refused to pay up and Mr Sareen served a statutory demand. The Company applied for an injunction to restrain the presentation of a winding up petition.
An application to restrain a winding up petition will succeed if the petition constitutes an abuse of process. A petition founded on a debt disputed on “genuine and substantial grounds” would be an abuse. The Company argued that there was a genuine and substantial dispute between the parties as to who was responsible for the fraud. Although there was no assertion that Mr Sareen was in any way involved in the fraud himself, the Company argued that it had a genuine counterclaim against Mr Sareen equal to the debt on the basis that:
- There was an implied term in the contract that Mr Sareen would take reasonable care over the security of his email communication, which he had failed to do. As Mr Sareen accessed his Gmail account through his mobile phone, it was inherently more likely that his account had been hacked rather than the Company’s corporate server. This was quite a remarkable position to take, as there was evidence adduced that the Company had been hacked twice in the week prior to this fraud. Conversely, there was no evidence against Mr Sareen.
- There was an implied representation by Mr Sareen that he had reasonable control over the security of his emails. If he did not, this amounted to a negligent misrepresentation. As above, the fact that he accessed his emails on his phone and travelled internationally regularly made it inherently more likely that his security had been compromised, not the Company’s.
The court rejected both arguments notwithstanding that the legal threshold to establish a genuine and substantial claim is very low.
- There was no basis to imply a term. It is well established law that a court should only imply a term if it is necessary to make the contract work, i.e. the term is so obvious that it goes without saying, or it is necessary to give the contract business efficacy. Although there was no express term dealing with security requirements, the contract could work without implying any such term.
- The mere agreement by Mr Sareen to accept communications by email did not imply any representation about the security of his email account or the control he exercised over it. It represented no more than that he was contactable at that address. Even if supplying his email address did amount to a representation, there was no evidence that the Company had relied upon any such representation or that any alleged representation was false at the time it was given.
- The Company alone was responsible for paying the monies to the wrong account. Mr Sareen was owed an undisputed debt and had every right to petition for the Company’s winding up.
The result in favour of the consumer, Mr Sareen, is perhaps unsurprising given that there was no evidence before the court that he had done anything wrong, whereas the Company, although equally a victim, had arguably missed several “red flags” and could be said to be the more responsible of the two. Perhaps the Company’s submissions would have found more favour if the defendant had been a non-consumer business or a professional services firm. One can envisage a court more readily implying duties on sophisticated corporate entities with the resources to invest in IT security than on individual consumers.
Otherwise, this case highlights the common “red flags” that can be missed in these types of frauds that companies and employees should be alert to:
- Change of email address – The email address held on file by the Company for Mr Sareen differed from the email address containing the fraudulent instructions, albeit the difference was very subtle. In this case the legitimate suffix was email@example.com and the fake account was firstname.lastname@example.org. This is a common theme in Authorised Push Payment email frauds and can be easily missed. If the Company’s employees had been trained to be extra vigilant to these practices and had noticed the change of email address, and/or if the Company had specialist software installed that flagged impersonation attempts automatically, the fraudulent emails may never have been responded to and the fraud avoided.
- Change of bank details – The bank details provided to the Company changed on two different occasions from the details on the Company’s systems. These new bank details were all sent from the fraudulent email account. Not only did the account number and sort code differ, but on one occasion the new details provided included an IBAN (International Bank Account Number) and BIC (Business Identifier Code), commonly used for international payments, whereas the details originally provided were for a UK bank account. The other attempt to change the bank details was to an entirely different UK bank. On both occasions the name of the account holder provided bore no resemblance to Mr Sareen’s name – for the international account the name “T soyanov” was provided and “Mr O’byrne” for the other UK account. The Company did appear to pick up on these clear discrepancies and the heightened risk, but its own security procedures still appear to have failed. Rather than calling Mr Sareen directly on the contact number recorded on its system to confirm the change of details and waiting for confirmation from its bank that the test £1 transfer had been returned, it appears to have relied on a call from the fraudster (posing as Mr Sareen) confirming the same to authorise the eventual payment. If this fraud had been carried out after 31 March 2020, when the new Confirmation of Payee checks come into force, it is questionable whether the Company’s bank would have helped prevent the fraud. That said, the Company had already spotted the discrepancy itself and still proceeded to pay, so the added confirmation by its bank that the payee details did not match may still not have helped.
- Change of grammar/structure of emails – Spoofed accounts can often contain poor English, poor grammar and misspellings. The formatting can also change, e.g. large spaces in between lines or errant paragraphs which did not appear previously; subject headings may also change, with prefixes changing from “RE” to “Fwd”; or email signatures can be changed. Whilst there was nothing unusual in the use of English, the spelling or the grammar of the fraudulent emails here, many of the fraudulent emails did bear the prefix “fwd” whereas the genuine emails were usually “re”, i.e. direct replies. The fake and genuine emails also had different email signatures and the fake emails had some errant spacing. Whilst not determinative of fraud on their own, taken together with the other red flags above, if these had been spotted they should arguably have raised enough suspicion for the Company’s employees to question whether the instructions they were receiving were legitimate.
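As an added illustration, not taken from the judgment or from the original post, the following Python sketch turns the three red flags above into checks an accounts team could run over an inbound payment instruction before acting on it. The on-file record, the sample messages and the IBAN/BIC values are all constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed record of what the company holds on file for the seller (example data, not from the judgment).
ON_FILE = {"email": "seller@example.com", "name": "A Seller", "sort_code": "12-34-56",
           "account_number": "12345678", "signature": "Kind regards, A Seller"}

@dataclass
class Instruction:
    """An inbound email asking the company to make or redirect a payment."""
    sender: str
    subject: str
    body: str
    payee_name: str
    sort_code: str = ""
    account_number: str = ""
    iban: str = ""
    bic: str = ""

def red_flags(on_file, msg):
    """Return the red flags an instruction raises against the record on file; an empty list means none."""
    flags = []
    if msg.sender.lower() != on_file["email"].lower():           # subtle user/domain change
        flags.append("sender address differs from address on file")
    if re.match(r"\s*fwd?:", msg.subject, re.I):                 # genuine replies were 'Re:'
        flags.append("subject is a forward, not a direct reply")
    if on_file["signature"] not in msg.body:
        flags.append("email signature differs from previous correspondence")
    if re.search(r"\n[ \t]*\n[ \t]*\n", msg.body):               # errant blank lines
        flags.append("unusual blank spacing in body")
    if msg.iban or msg.bic:                                       # UK seller, international details
        flags.append("IBAN/BIC supplied although the account on file is a UK account")
    if (msg.sort_code or msg.account_number) and \
            (msg.sort_code, msg.account_number) != (on_file["sort_code"], on_file["account_number"]):
        flags.append("UK bank details differ from those on file")
    if msg.payee_name.split()[-1].lower() != on_file["name"].split()[-1].lower():
        flags.append("payee name does not match the seller's name")
    return flags

# Constructed sample messages: a genuine reply and an impersonation attempt.
GENUINE = Instruction("seller@example.com", "Re: Maserati sale", "Hi,\nAccount on file is fine.\nKind regards, A Seller",
                      "A Seller", "12-34-56", "12345678")
FAKE = Instruction("seller@example.org", "Fwd: Maserati sale", "Hi,\n\n\n\nPlease pay to my new account.\nThanks",
                   "T Example", iban="GB00PLACEHOLDER0000000", bic="EXAMGB2L")

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, red_flags(ON_FILE, msg) or "no flags raised")
```

Any non-empty result should route the instruction to a call-back on the number already on file, as the post describes, rather than to whoever is on the other end of the email.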
For further information, please contact Daniel Staunton or a member of our Dispute Resolution team.
For further related blogs, click here to read Mary Young’s blog on the implementation by several UK banks from 31 March 2020 of Confirmation of Payee (COP) checks and the impact this might have on preventing these types of fraud, or click here to read Fiona Simpson’s and Rebecca Ryan’s blog on the mechanisms companies can put in place to prevent and detect similar frauds in the first place.