Hacking and invoice fraud: the importance of robust internal (payment) policies!
Imagine the situation where a company purchases goods or services from a supplier, with the obligation to pay the invoice within 60 days on the bank account of the supplier. Before the maturity date of the invoice, the company receives an email that appears to come from the supplier, with the instruction to pay on a different (foreign) bank account.
After payment by the company on the ‘updated’ bank account, it becomes clear that the supplier was the victim of a hacking and that the email with the new bank account details was fraudulent.
Now the supplier – still not paid – claims (a second) payment from the company. The company, on the other hand, states that it has been misled by the email with the new payment instructions from the supplier and refuses to pay. Who is now entitled to what?
Consequences of payment to an unauthorized company
In accordance with Belgian law, payment is valid to the creditor (i.e. the supplier) or its authorized representative. When payment is done to an unauthorized party, it will only be valid when the creditor ratifies the payment or receives the payment (in)directly (art. 1239 Old Belgian Civil Code / 5.198 New Belgian Civil Code). As a consequence, the risk of invoice fraud is principally on the receiver of the invoice (i.e. the company) who paid to an unauthorized party, even when the receiver is acting on what it believes to be a legitimate source, (i.e. a(n) (hacked) email from the supplier).
This is what the Enterprise Court of Brussels decided in its decision of 27 October 2021. The court found that the company – who did apparently question the ‘updated’ bank account details internally prior to payment – still executed the payment and only started a formal inquiry on the accuracy of the altered payment details afterwards. Based thereon, the court decided that the company could not have relied on the fraudulent email and remains liable for the (second) payment to the supplier, increased with the accumulated interests and liquidated damages.
That this is not a standalone case appears from the similar conclusion that was reached by the Court of Appeal of Antwerp in its decision of 5 September 2019. Even when the updated payment details were sent via the usual email address of the seller and in a very similar style (look and feel of the message), the company should have been more prudent, especially since the updated bank account details mentioned a foreign bank account. Here again, the court decided that the company should not have relied on an email from a legitimate source with updated bank account details.
Immediate action upon discovery of invoice fraud
What to do if your company falls victim to invoice fraud following the hacking of the email of the supplier?
The first thing to do is to notify your bank in order to try to block the payment if it has not yet been executed or enable your bank to notify the receiving (foreign) bank to block the fraudulent bank account. However, success is not guaranteed because of time constraints, because not all (foreign) banks are forthcoming in blocking bank accounts and because criminals are often using so-called mule bank accounts, which are emptied as soon as payment is received.
Secondly – and if this has not yet become apparent upon the discovery of the fraud – you should inform the supplier that his email account has been hacked and that fraudulent payment instructions are being issued.
Thirdly, you could consider filing a criminal complaint with the competent authorities against the hacker. However, a consequence of a criminal complaint could be that the civil proceedings to recover payments are delayed until the criminal proceedings are finished, which can prolong the recovery proceedings with several years. Success is far from guaranteed as the hacker might not be identified properly, or is located in a shady country, or has organized its insolvency, all resulting in a costly enforcement procedure with likely no result.
Structural action to avoid fraud: the importance of robust internal policies
The foregoing clearly demonstrates that curative actions are far from ideal. Far better would be to design bespoke and robust internal policies to anticipate and avoid invoice fraud, such as:
- A cybersecurity policy: rules on timely updates of the systems, passwords, the appointment of a cybersecurity officer, back-up frequency;
- Payment validation policy: the choice for double verification and/or a payment validation grid;
- A contract policy: contractually ensuring that your partner is aware of and follows validation policies;
By implementing the aforementioned policies, you are forced to consider the efficiency of internal processes and can minimize the risk of falling victim to (invoice) fraud. Better safe than sorry.
Please do not hesitate to contact EY Law if you would have any questions regarding invoice fraud or if you would need guidance in drafting or updating bespoke internal policies to protect your company.