Passing the buck: who is responsible for a fraudulently-diverted payment?Date: 15/07/2020 Type: Articles Topic: FIRE | Civil Fraud | International | Author: Matthew McGhee - Twenty Essex
A form of fraud which FIRE practitioners are often asked to advise on starts with a contract, where one party is required to pay the other. For example, the paying party might be a buyer under a sale contract. The dispute arises where a fraudster has induced the buyer to pay the fraudster instead of the seller.
Various options are available to the parties in this instance. Sometimes commercial parties have insurance coverage. Alternatively, they may decide to take legal action – either against the fraudster directly (e.g. CMOC v Persons Unknown  Lloyd’s Rep FC 62 and AA v Persons Unknown  3 WLR 35) or against third parties who are alleged to be legally responsible for the loss (a commonly-targeted class is the banks which handled the fraudulently-misdirected payment, though such claims have their own set of challenges).
However, in the first instance, there is normally a disagreement between the buyer and seller as to which of them is at fault and (they argue) must therefore bear the loss. Does the buyer have to pay the price twice, or does the seller have to forgo payment from the buyer for the goods? This apparently simple question bears different answers in different circumstances. This note highlights some of the main considerations that bear on this question.
What is the contractual obligation? Generally, the buyer must grant the seller “unconditional and unfettered right to the immediate use of the funds”: K v A  EWHC 1118 (Comm). However, the specific terms of the contract warrant careful consideration. The obligation may, for example, only be to pay as instructed by the seller’s servant. The buyer should consider whether, as a matter of construction, they have performed their obligation.
Who is the fraudster? They may be the seller’s employee, in which case they are likely acting outside of their actual authority but may still be within their apparent authority. The buyer can discharge their debt by paying the seller’s apparent agent (Barrett v Deere (1828) 173 ER 1131), unless the buyer is on notice that the employee may be acting outside the scope of their agency (Midland Bank v Reckitt  AC 1). The buyer may need to exercise reasonable care before they can rely on apparent authority: East Asia v PT Satria  UKPC 30.
How does the fraudster contact the buyer? They may use an email address which is confusingly similar to the seller’s to send payment instructions. Frequently, the address uses replacement letters or numbers (e.g. @se11er.com vs @seller.com), but the use of punycode is also encountered (e.g. @xn--seler-85a.com is generally rendered @selĺer.com). The confusingly similar email address is identifiable by the buyer alone; this attack by a fraudster takes place without any fault or involvement of the seller. The buyer in this case has simply paid the wrong account and likely remains liable to the seller.
Alternatively, the fraudster may have compromised the seller’s email server and used a genuine email address. In this case, the question is whether the fraudster (not the email address, which is not a legal person) has the seller’s apparent authority. The difficulty is in identifying the seller’s representation that the person (i.e. fraudster) with access to the email address had the seller’s authority. Apparent authority was dismissed in J Brazil Road Contractors v Belectric Solar (22 January 2018, unreported), where a party’s email address had been compromised. However, it may be arguable (by analogy with Barrett) that apparent authority can be conferred relying on the seller’s control over its email domain.
What if the fraudster tricks an agent, who passes on the false instructions? If the agent is the seller’s agent, the buyer probably discharges their debt. Even if the agent is not authorised to change payment instructions, they may be authorised to communicate that the seller had changed the payment instructions: First Energy v Hungarian International Bank  2 Lloyd’s Rep 194. If the agent was the buyer’s agent, the situation is the same as if the buyer was contacted directly. Likewise, if the agent was a ‘pure intermediary’ with no agency function then the message is treated as being passed directly to the buyer: The Mercedes Envoy  2 Lloyd’s Rep 559. In the unusual case of a jointly-authorised agent, it is likely that the agent is acting in his capacity as the buyer’s agent at all material times (for complex reasons discussed in (2017) 3 LMCLQ 435).
Does it matter if one party was hacked? The buyer and seller will often claim that the other was responsible for the fraud (e.g. due to poor cyber-security). However, this may be difficult to prove and, in any event, is of limited legal relevance. Various arguments have been raised before, such as:-
- It was an implied term of the contract that the party at fault would take reasonable care to maintain cyber-security. This argument is specific to every contract, but failed in Sell Your Car With Us Ltd v Sareen  EWHC 2332 (Ch) and Rijksmuseum Twenthe v Simon C Dickinson Ltd (unreported, 30 January 2020). Even if the term can be implied (or is, unusually, express), there will be difficulties in proving breach and causation.
- The party at fault impliedly represented that its emails were secure, with this either establishing apparent agency or (on being false) giving rise to a claim for misrepresentation or tortious liability. For this argument to succeed, a clear representation is required – and found wanting in Sell Your Car With Us Ltd v Sareen  EWHC 2332 (Ch).
- On discovering a previous fraudulent email and not notifying the buyer, the seller impliedly represented that the historic fraudulent email was genuine. For this argument to succeed, the buyer must demonstrate the requisite knowledge on the seller’s part, which was absent in Rijksmuseum Twenthe v Simon C Dickinson Ltd (unreported, 30 January 2020).
- The party at fault assumed a tortious duty of care to the counterparty to protect them from this form of fraud. For the argument to succeed, the buyer must demonstrate a voluntary assumption of duty by the seller, which was found wanting in Rijksmuseum Twenthe v Simon C Dickinson Ltd (unreported, 30 January 2020).