Spoofed email account costs a firm £30k in  – The Maserati Fraud – this is why encryption is important

The £30k “Maserati Fraud” highlights the common “red flags” employees should be alert to, these red flags include:

1. Change of grammar/structure of emails –
2. Change of bank details –
3. Change of email address –

These are “red flags” are discussed later in this article.  And while not determinative of fraud on their own, taken together with the other red flags above, if they were spotted it should arguably have raised enough suspicion for the Company’s employees to question if the instructions they were receiving were legitimate.

Introduction

1. In the recent case of Sell Your Car With Us Limited v Sareen [2019] EWHC 232 (Ch) the Insolvency Court were asked to determine whether
   1. the ultimate victim of an email hacking fraud, Mr Sareen, was liable in contract and/or tort to Sell Your Car With US Ltd (the “Company”) for causing the fraud by failing to take reasonable care over the security of his emails and/or take reasonable control over his email security.
2. This was quite a remarkable position for the Company to adopt given the evidence.

Key facts

3. Mr Sareen had contracted with the Company to sell his Maserati Levante, and in return for a small fee, the Company was bound under its terms to pay him the purchase price.
4. A buyer was found, and the Company was due to pay the sum of £51,800 to Mr Sareen, but the money never arrived in his bank account.
5. It subsequently transpired that a third party had intercepted the email exchanges between them.
6. The third-party, impersonating Mr Sareen over email and telephone, induced the Company to wrongly divert £30,000 to a different bank account under the control of the fraudster.
7. The Company refused to pay up, and Mr Sareen served a statutory demand.
8. The Company issued an injunction to restrain the presentation of a winding-up petition.

The submissions

1. An application to restrain a winding-up petition will succeed if the petition constitutes an abuse of process. A petition founded on a disputed debt on “genuine and substantial grounds” would be an abuse.
2. The Company argued that there was a genuine and substantial dispute between the parties as to who was responsible for the fraud.
3. Although there was no assertion that Mr Sareen was in any way involved in the fraud himself, the Company argued that they had a genuine counterclaim against Mr Sareen equal to the debt on the basis that:
   1. There was an implied term in the contract that Mr Sareen would take reasonable care over the security of his email communication which he had failed to do.
      1. As Mr Sareen accessed his Gmail account through his mobile phone, it was inherently more likely that his account had been hacked rather than the Company’s corporate server.
      2. This was quite a remarkable position to take as there was evidence adduced that the Company had been hacked twice in the week prior to this fraud. Conversely, there was no evidence against Mr Sareen.
   2. There was an implied representation by Mr Sareen that he had reasonable control over the security of his emails.
      1. If he did not this amounted to negligent misrepresentation.
      2. As above, the fact he accessed his emails on his phone and travelled internationally regularly made it inherently more likely his security had been compromised not the Company.

The finding

1. The court rejected both arguments notwithstanding that the legal threshold to establish a genuine and substantial claim is very low.
   1. There was no basis to imply a term.
      1. It was well-established law that a court should only imply a term if it was necessary to make the contract work i.e.
         1. the term was so obvious it went without saying it should be implied or it was necessary to give the contract business efficacy.
      2. Although there was no express term dealing with security requirements, the contract could work without implying any such term.
   2. The mere agreement by Mr Sareen to accept communications by email did not imply any representation about the security of his email account or control he exercised. It represented no more than he was contactable at that address.
      1. Even if supplying his email address did amount to a representation, there was no evidence the Company had relied upon any such representation or that any alleged representation was false at the time it was given.
   3. The Company alone was solely responsible for paying the monies to the wrong account. Mr Sareen was owed an undisputed debt and had every right to petition for the Company’s winding up.

Comment

1. The result in favour of the consumer, Mr Sareen, is perhaps unsurprising given there was no evidence before the court he had done anything wrong whereas the Company, although equally a victim, had arguably missed several “red flags” and could be said to be the more responsible of the two.
2. Perhaps the Company’s submissions may have found more favour if the defendant was a non-consumer business or a professional services firm. One can envisage a court might readily imply duties on more sophisticated corporate entities with the resources to invest in IT security than on individual consumers.
3. Otherwise, this case highlights the common “red flags” that can be missed in these types of frauds that companies and employees should be alert to:
   1. Change of grammar/structure of emails –
   2. Change of bank details –
   3. Change of email address –

These are discussed as follows

1. Change of email address –
   1. The email address held on file by the Company for Mr Sareen differed to the email address containing the fraudulent instructions, albeit the difference was very subtle.
   2. In this case, the legitimate suffix was 1@gmail.com, and the fake account was 01@gmail.com.
   3. This is a common theme in Authorised Push Payment email frauds and can be easily missed.
   4. If the Company’s employees had been trained to be extra vigilant to these practises and noticed the change of email address and/or if the Company had specialist software installed that flagged impersonation attempts automatically the fraudulent emails may never have been responded to and the fraud avoided.
2. Change of bank details –
   1. The bank details provided to the Company changed on two different occasions from the details on the Company’s systems.
   2. These new bank details were all sent from the fraudulent email account. Not only did the account number and sort code differ but on one occasion the new details provided included an IBAN (International Bank Account Number) and BIC (Business Identifier Code) commonly used for international payments. In contrast, the details originally provided were for a UK bank account.
   3. The other attempt to change the bank details was to an entirely different UK bank. On both occasions the name of the account holder provided bore no resemblance to Mr Sareen’s name – for the international account the name “T soyanov” was provided and “Mr O’byrne” for the other UK account.
   4. The Company did appear to pick up on these evident discrepancies and the heightened risk, but its own security procedures still appear to have failed.
   5. Rather than only calling Mr Sareen directly on the contact number recorded on their system to confirm the change of details and waiting for confirmation from their bank that the test £1 transfer had been returned, they appear to have relied on a call from the fraudster (posing as Mr Sareen) confirming the same to authorise the eventual payment.
   6. If this fraud had been carried out-post 31 March 2020 when the new Confirmation of Payee checks come into force it is questionable if the Company’s bank may have helped prevent the fraud. That said, the Company had already spotted the discrepancy themselves and still proceeded to pay so the added confirmation by their bank that the payee details did not match may still not have helped.
3. Change of grammar/structure of emails –
   1. Spoofed accounts can often contain poor English, poor grammar and misspellings.
   2. The formatting can also change, e.g. large spaces in between lines or errant paragraphs which did not appear previously, subject headings may also change with prefixes changing from “RE” to “Fwd” or email signatures can be changed.
   3. Whilst there was nothing unusual in the use of English, the spelling or grammar of the fraudulent emails here, many of the fraudulent emails did bear the prefix “fwd”.” In contrast, the genuine emails were usually “re,” i.e. direct replies.
   4. The fake and genuine emails also had different email signatures, and the fake emails had some errant spacing.

Spoofed accounts –

• Whilst not determinative of fraud on their own, taken together with the other red flags above, if these had been spotted it should arguably have raised enough suspicion for the Company’s employees to question if the instructions they were receiving were legitimate.

Sourced - https://www.kingsleynapley.co.uk/insights/blogs/dispute-resolution-law-blog/the-maserati-fraud