Cyber fraud and the hacking of email accounts is an increasingly common occurrence nowadays. The shipping and international trade industries, where large sums of money are regularly remitted, has become an increasingly attractive target for cyber fraudsters. The question that arises where there is cyber fraud and monies are intercepted while in transit between payor and payee is between the two innocent victims, who should bear the loss? The recent English High Court decision of K v A  EWHC 1118 (Comm) (“K v A”) provides an insight into how these cases may be determined by the Courts.
Facts of the case
K v A arose out of a contract of sale of sunflower meal where K was the buyer and A was the seller. The transaction was made through a broker, Vicorus SA. Most of the communications between K and A were though Vicorus in its capacity as broker.
The contract incorporated the terms of GAFTA Form 119 and the relevant provisions in the contract and in GAFTA are as follows;
“100% Net cash within 2 banking days to Sellers’ bank upon presentation of scan/fax copies of the following original documents to [Buyers].
Commercial Invoice …”
Clause 18 of GAFTA Form 119 provides as follows;
All notices required to be served on the parties pursuant to this contract shall be communicated rapidly in legible form…..A notice to the Brokers or Agent shall be deemed a notice under this contract.”
After the cargo was loaded, A sent an email with the attached invoice to Vicorus. The invoice indicated A’s bank account details with Citibank NA, New York. Vicorus’ email account showed that it forwarded the email to K. However, K’s email records showed that it did not receive that email from Vicorus. Instead, K received another email which appeared to come from Vicorus attaching A’s invoice but with a different account number and directing payment to Citibank NA’s London branch instead (referred to below as the “Fraudulent Account”).
After the first email was sent, A sent another email to Vicorus with a revised invoice to correct the invoice date. As with the first email, Vicorus forwarded it to K. However, K received an email which appears to be from Vicorus but the attachment was an invoice with the revised date but still directing payment to the Fraudulent Account.
As the revised invoice did not reflect K’s correct name, K emailed A to ask that it be revised again, but this time to reflect K’s name correctly.
On the following day, A sent a third email, now addressed to both Vicorus and K with a further revised invoice to correct the name of K reflected on the invoice. However, the email that was received by K had an invoice which reflected K’s name correctly but the payment detail still reflected that of the Fraudulent Account.
Eventually K made payment to the Fraudulent Account.
What is amazing about this case is that there were 3 emails sent and each time the invoices attached to the emails were somehow intercepted by the fraudsters and replaced with a forged invoice containing the bank details of the Fraudulent Account.
Fortunately for the parties in this case, the bulk of the funds were recovered leaving a shortfall of US$161,646.93. A claimed against K for the shortfall and the dispute was referred to arbitration based on the prevailing GAFTA rules.
The GAFTA First Tier Tribunal decided in favour of K on the basis that the loss should be borne by the party whose email account was hacked. The matter went on appeal to the GAFTA Board of Appeal who reversed the decision of the First Tier Tribunal. K then filed an application for leave to appeal to the English High Court.
The Board made an express finding that although it was likely that an email account was hacked, there was insufficient evidence as to when, or how, or which email account was hacked. As such, the Board declined to make any finding as to who was at fault. It proceeded to determine the allocation of liability based on risk.
Firstly, it found that the invoices sent by A to Vicorus contained the correct bank details. By virtue of clause 18 of GAFTA 119, any notices sent to the brokers constituted good notice under the contract.
The Board went on to find that under the contract, it was K who bore the risk of receiving the incorrect bank details. The basis for that finding was because K’s obligation under the contract was to transfer the price into the account nominated by A, and since K failed to do so, K was in breach of contract.
The Board went on to find that even though K had paid 100% of the purchase price, that was insufficient. K’s obligation was to ensure that 100% of the purchase price was received into A’s nominated bank account.
In the application to the English High Court for leave to appeal, the Court noted that the payment obligation under the contract was to pay in “net cash”. The Court recognized that in the background of modern banking practice, payment in cash would include the usual methods of transferring funds, and that payment in cash is effected when the payee has the unconditional and unfettered right to the immediate use of the funds.
The Court also held that payment to the payee’s bank is not equivalent to payment to the payee. It has to be payment into the payee’s bank account with the bank in order for it to be regarded as good payment. Presumably this was to deal with the argument that the funds were paid to Citibank NA, which was A’s bank even though it was not paid into A’s nominated account.
The Court dismissed K’s application for leave to appeal.
For cases where emails are hacked and funds diverted to fraudulent accounts, the payor and payee are normally described as innocent parties to the fraud. However, it is not always so clear whether either or both parties may be guilty of any fault, and the word “fault” is used here in a very loose sense.
For example, if ABC has installed anti-hacking software, firewalls and adopted all recommended cyber security measure, but XYZ does not even have any anti-virus software installed, and if XYZ’s email server was hacked, would XYZ be as innocent a victim as ABC in such a situation?
If XYZ is the paying party, should XYZ have called ABC over the phone to try to verify the bank details before it remits the funds? What then would be the extent of due diligence required of XYZ?
What if the broker was the one who failed to install the necessary cyber security software and it was the broker’s email server that was hacked. If the broker was the agent of XYZ, should XYZ be held responsible for the fault of its agent?
In the case of K v. A, unfortunately there was insufficient evidence adduced to determine whose fault led to the hacking of the emails which allowed the fraudsters to replace the correct invoices with the forged ones.
But for the fact that there was insufficient evidence to ascertain whose fault resulted in the remittance to the Fraudulent Account, this case would otherwise have presented a good opportunity for the Court to consider whether the fault of one party would have affected the outcome of the case.
What this case does show, is that the starting point for the analysis of who ought to bear the loss in such a situation, is to ascertain the allocation of risk as set out in the contract. Hopefully there may be a suitable case in future where the Court is able to address the issue of whether the fault of one party is able to displace the contractual allocation of risk, and if so, what is the degree of fault required before the Court will displace the contractual allocation of risk.
Please do not hesitate to contact us if you have any queries in relation to the above.
Disclaimer : This article is for general information only and not intended to constitute legal advice. We shall not be liable for any errors or omissions, nor shall we be liable for reliance on the contents of this article.