Litigation & Dispute Resolution 15 December 2023

Spoofing and business compromise scams – what to do in a cyber-attack?

A part of modern life is developing a plan to protect ourselves and our businesses from the risk of a cyber-attack. It is important to have plans and policies in place so you know how you will react and respond if you, or the person you are buying goods or services from or selling them to, fall victim to a cyber-attack. Contacting a lawyer should be at the top of your checklist, as should gathering the records you might need to resolve such situations.

Our recent experience

Coulter Legal has had recent, direct experience in advising and acting for a manufacturing business (the Business) whose transaction with a customer was disrupted by a cyber-attack.

The Business had provided an invoice, by email, to the customer for the provision of goods. Through no fault of the Business or the customer, the email was intercepted by a third party outside of the Business's systems and spoofed by an attacker. The attacker altered the bank account details on the invoice attached to the email, inserting their own. The customer then paid the invoice in reliance on the altered details, without first calling the Business to confirm them. The result was that the customer made a payment they believed was going to the Business for the goods, when in fact the Business never received it.

The above circumstances were challenging for both the Business and the customer. As the customer had not made payment for the goods, the Business was not able to deliver them until the matter was resolved. Unfortunately, the dispute over the ‘missing payment’ ultimately had to be resolved by the Court.

Our client had an IT manager with a range of qualifications and industry experience. That put the Business in a strong position to be able to preserve and present relevant evidence to demonstrate to the Court that the invoice had left the Business before being attacked. The relevant records, reports and extracts that were gathered and presented included:

1. Email logs;
2. Firewall logs;
3. Exchange logs;
4. Backups of servers; and
5. Details of the current security and prevention programs in place.

Being able to put these records to the Court and provide a witness with relevant qualifications and industry experience who had both collected the data and could explain the policies and procedures that stood behind them put the Business in a strong position to explain to the Court what they understood had happened.

There is a surprising lack of case law about these twenty-first-century disruptions. The Queensland case of Factory Direct Fencing Pty Ltd and Kong AH International Company Limited [2013] QDC 239 (Factory Direct) provides some insight into the issue of email spoofing and invoice tampering.

Our client’s position was similar to that in Factory Direct: in both disputes the Court found that the customer had not properly discharged their payment obligations, and further payments had to be made to secure delivery and release of the goods.

In Factory Direct, the Buyer and Seller had a history of corresponding with one another by email for the purchase and sale of fencing products. In that case, an attacker intercepted and impersonated the email addresses of both the Buyer and the Seller through a series of spoofed (false) emails using deceptively similar email addresses. The Buyer was tricked into paying invoice amounts to the attacker’s bank account, instead of the Seller’s account. The Seller’s invoice remained unpaid for the goods and so they refused to deliver them. This was the same position that our client found itself in.

The Buyer in Factory Direct argued that they had paid for the goods, as the Seller had provided the account details for payment by the spoofed email. The Buyer further argued that the Seller owed a duty of care to ensure that its customers did not receive spoofed emails.

As in our dispute, in Factory Direct the Court accepted that email address headers can be forged, agreed that the Seller did not direct the Buyer to pay into the attacker’s account, and found that payments by the Buyer to the attacker’s account did not constitute payment to the Seller.

Ultimately in Factory Direct, and in our case, the Court held that the payment obligation to the Seller by the Buyer was not discharged. In Factory Direct the Court found in favour of the Seller, concluding that the Buyer had not taken reasonable steps that it could have taken to protect itself, including contacting the Seller to verify the payment details.

Fortunately for our client, the Court considered and relied on technical witness evidence and historical data from the Business which demonstrated that the cyber-attack occurred on the customer’s end and not that of the Business.

How can Coulter Legal assist?

Our Litigation and Dispute Resolution Team at Coulter Legal is well equipped to advise on the best course of action if you or your business is disrupted by a cyber-attack. We are also able to provide recommendations, including what evidence and documentation to obtain.

If you or one of your customers is subject to an attack, you may need to gather relevant evidence to prove that the communication did not come from your trusted sources.

Records and evidence of practices and procedures are important and useful in legal proceedings. The exact type of data, reports and expert opinions gathered at the time of the cyber incident can be highly significant if legal proceedings are commenced.

Notification requirements

If your business has suffered a cyber-attack, there are also important determinations to be made as to whether there are obligations to notify affected individuals, or regulators, that the attack has occurred. Such obligations depend on the type of attack and its outcome (for example, a breach of data, financial damage or a breach of privacy).

There is also the option to report a cybercrime, incident or vulnerability to the Australian Cyber Security Centre (ACSC).

Please contact our friendly team today on 03 5273 5273 to discuss your circumstances and how we may be able to assist you.

Josine Wynberg, Principal Lawyer, Head of Litigation & Dispute Resolution
Charlotte Wyles, Senior Associate, Litigation & Dispute Resolution