Cyber invoice fraud: IT vendor liability

In today's digital age, it is almost unimaginable that an agreement is established only with pen and paper. Companies usually correspond digitally about the formation of the agreement, its execution and, ultimately, invoicing. As the business world grows with digitalization, so, unfortunately, do criminals. More and more often, business owners are confronted with invoice fraud carried out through an IT hack.

#cybersecurity

Date: January 02, 2024

Modified January 10, 2024

Written by: Daniek Regterschot

Reading time: +/- 4 minutes

How does cyber invoice fraud work?

A criminal hacks the system of, say, a supplier, intercepts an invoice and changes the account number. The customer then unsuspectingly pays the fraudulent invoice and the supplier is left unpaid.

But in this situation, who is the aggrieved party? Is the buyer bound to pay the supplier one more time? Or is the hack at the supplier's own risk? And what about the liability of the IT supplier in such an issue? This article answers these questions. In addition, a number of practical tips are provided regarding invoice fraud due to an IT hack.

Who is the aggrieved person?

We previously wrote a blog about who is liable in the case of invoice fraud. Briefly, this boils down to the following. By law, payment to a third party does not discharge the debtor. If you pay the wrong person, you are in principle obliged to pay again. Only in special circumstances can this be different: the creditor must then have been so careless that the incorrect payment cannot be attributed to the debtor.

Special circumstances in cyber invoice fraud

A number of these special circumstances have now emerged in case law regarding cyber invoice fraud. For example, what matters is whether the invoice sent was from the correct email address or whether the fraudulent emails had the same attachments and subject line as the previously sent correct emails.

In addition, in certain circumstances the wrong payment cannot be imputed to the debtor if the parties are doing business for the first time and the debtor therefore had nothing to compare the invoice against (ECLI:NL:PHR:2020:1128). Finally, an important role is played by the question within whose sphere of influence the fraud could have occurred.

IT vendor liability

Should investigations reveal that the hack was caused by a leak in your company's security, it is worth investigating whether you can hold your IT supplier liable for this. Whether you can do so depends on the agreements with this supplier. For example, what matters is whether the IT supplier is responsible for keeping security up to date and whether the supplier should have warned you of an unauthorized login attempt.

It is also possible that the IT supplier only provided a system to you, where you yourself were responsible for ensuring adequate security and monitoring it. What the obligations of your IT supplier are is defined in the agreement entered into and any applicable general terms and conditions.

In addition to the obligations of the IT supplier, the contract and general terms and conditions are also important with respect to the assessment of liability. In fact, liability is often limited. For example, the IT supplier may only be liable for direct damages, liability may be limited to a maximum amount, or the IT supplier's liability may be excluded altogether.

3 practical tips

  1. Of course, prevention is always better than cure. When your creditor's bank account number changes (unexpectedly), ask for confirmation of the bank account number by phone. If you ask for the confirmation by e-mail, there is a good chance that the hacker is reading along and the confirmation is fraudulent as well.
  2. If you do encounter cyber invoice fraud, always have an IT investigation conducted by an independent party. Such an investigation will reveal what caused the fraud and allow the leak to be plugged as soon as possible.
  3. Make clear agreements with the IT vendor. Is the supplier responsible for security? Then make sure this is clearly included in the agreement. Also check whether the (possible) limitation of liability is acceptable for your company. If such a security obligation is not included in the agreement, take your own security measures so that your company is adequately protected against a hack.
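The first tip, and the case-law factors mentioned earlier (was the invoice sent from the correct e-mail address, does the account number match what is on file), can be turned into a simple payment-release check. The following is an added illustration, not code from the article or from any law firm or product: it assumes a hypothetical vendor registry holding each supplier's account number and invoicing domain, compares an incoming invoice against it, and holds payment until a change has been confirmed by phone to a number that was already on file. The vendor names, domains and account numbers are constructed sample values.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Dict, List, Optional


@dataclass
class VendorRecord:
    """What the accounts-payable team has on file for a supplier (hypothetical registry)."""
    name: str
    iban: str            # account number confirmed out of band when the vendor was onboarded
    sender_domain: str   # domain the vendor normally invoices from


@dataclass
class Invoice:
    """The fields of an incoming invoice e-mail that matter for this check."""
    vendor_name: str
    from_header: str
    reply_to: Optional[str]
    iban: str
    phone_verified: bool = False  # set only after a call to a number already on file, never one from the new invoice


def normalise_iban(iban: str) -> str:
    """Remove spacing differences so 'NL91 ABNA ...' and 'NL91ABNA...' compare equal."""
    return iban.replace(" ", "").upper()


def domain_of(address: str) -> str:
    """Extract the domain from a display-name style header such as 'Name <user@host>'."""
    _, email = parseaddr(address)
    return email.rpartition("@")[2].lower()


def lookalike(candidate: str, expected: str, threshold: float = 0.8) -> bool:
    """True when the domain differs but is visually close to the expected one (e.g. one swapped letter)."""
    if candidate == expected:
        return False
    return SequenceMatcher(None, candidate, expected).ratio() >= threshold


def assess_invoice(inv: Invoice, registry: Dict[str, VendorRecord]) -> List[str]:
    """Return the reasons, if any, why this invoice should not be paid automatically."""
    findings: List[str] = []
    vendor = registry.get(inv.vendor_name)
    if vendor is None:
        findings.append("unknown vendor: no account details on file to compare against")
        return findings

    if normalise_iban(inv.iban) != normalise_iban(vendor.iban):
        findings.append("bank account differs from the account on file")

    sender = domain_of(inv.from_header)
    if sender != vendor.sender_domain:
        if lookalike(sender, vendor.sender_domain):
            findings.append(f"sender domain {sender} is a lookalike of {vendor.sender_domain}")
        else:
            findings.append(f"sender domain {sender} is not the vendor's usual domain")

    # A reply-to pointing elsewhere is a classic sign that replies (including an e-mailed
    # 'confirmation') would go to the fraudster rather than the supplier.
    if inv.reply_to and domain_of(inv.reply_to) != sender:
        findings.append("reply-to domain differs from sender domain")
    return findings


def payment_decision(inv: Invoice, registry: Dict[str, VendorRecord]) -> str:
    """PAY when nothing is off; otherwise HOLD until the change was confirmed by phone."""
    findings = assess_invoice(inv, registry)
    if not findings:
        return "PAY"
    if inv.phone_verified:
        return "PAY (verified out of band)"
    return "HOLD"


# Constructed sample data: one supplier on file, one genuine invoice, one fraudulent one.
REGISTRY = {
    "Acme Supplies": VendorRecord("Acme Supplies", "NL91 ABNA 0417 1643 00", "acme-supplies.example"),
}
LEGIT = Invoice("Acme Supplies", "Acme Supplies <billing@acme-supplies.example>", None, "NL91ABNA0417164300")
FRAUD = Invoice("Acme Supplies", "Acme Supplies <billing@acme-suppIies.example>", None, "DE89 3704 0044 0532 0130 00")


if __name__ == "__main__":
    for label, inv in (("legit", LEGIT), ("fraud", FRAUD)):
        print(label, payment_decision(inv, REGISTRY), assess_invoice(inv, REGISTRY))
```

The check deliberately never treats an e-mailed confirmation as verification: the `phone_verified` flag is the only thing that releases a held payment, which mirrors the advice to confirm a changed account number by phone. The lookalike test is a crude similarity ratio; a real deployment would also compare against the domain history of earlier invoices from the same supplier.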

Read more practical tips on preventing invoice fraud, or on what to do after fraud has occurred, in this article.


Stay Focused

Cyber invoice fraud is very unpleasant for all parties involved. Would you like advice on your legal position in case of cyber invoice fraud? Or do you have questions about your IT supplier's liability? Then contact one of our attorneys specialized in cybersecurity. They will be happy to help you!
