Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
If your organisation is subjected to a Business Email Compromise (BEC) attack, coming to terms with the theft may be just the beginning of your woes.
In cases where you’ve been the victim of a BEC attack because someone within your own organisation, such as the CEO or CFO, was impersonated, you could find yourself facing a lawsuit from an aggrieved third party.
In circumstances where you’re short of funds as a result of a BEC attack, and you’re unable to meet your financial obligations, those to whom you owe money may have recourse to file a lawsuit against you for negligence.
Delayed payments on your part may cause others significant harm. They may leave those parties unable to meet their own financial obligations to suppliers, creditors, staff or others. Consequently, they may seek compensation for disrupted business operations and other losses which could take years to recoup.
Showing that your organisation has taken adequate steps to mitigate the risks of a BEC attack will be key to demonstrating that you have not been negligent.
Whilst lawsuits stemming from BEC attacks are not yet commonplace in Australia, that may soon begin to change. In other jurisdictions such lawsuits are occurring with increasing frequency. In the United States, negligence is included in approximately 95% of data breach class actions.
In 2016, an investment fund, Tillage Commodities Fund, sued technology company SS&C Technology. SS&C had been contracted by Tillage to execute wire transfers related to the fund’s operations, including investor redemptions and bill payments.
In the lawsuit, Tillage claimed SS&C had processed payments to fraudsters totalling $6 million following receipt of a series of six scam emails purporting to be redemption requests on behalf of Tillage investors. As a result of the theft, Tillage claimed it faced massive losses, forcing it to temporarily take its operations offline.
Importantly, Tillage claimed that SS&C staff had been negligent in failing to verify that the redemption requests were authentic and that the bank accounts they sent the funds to actually belonged to Tillage investors.
Negligence lawsuits stemming from cyber incidents face a number of significant hurdles in Australia, where the courts have traditionally been reluctant to award compensation in such claims, particularly if the act occurred unintentionally.
In general, for Australian courts to award damages due to negligence, the plaintiff would need to prove harm as a consequence of the other party’s actions. They would need to demonstrate that the defendant’s breach of duty caused the harm and that there were no other intervening events. In short, it must be clear that the plaintiff would not have suffered any harm ‘but for’ the actions of the defendant.
Despite the hurdles that negligence lawsuits face in Australia, a court may determine that your organisation has been in breach of its duty to take adequate measures to mitigate the risks of BEC attacks.
To reduce the likelihood that a court will find your organisation negligent, you need to be able to demonstrate that you have taken reasonable steps to avoid a BEC attack.
Some of the measures you should be taking to limit your exposure to lawsuits include:
Finally, a platform like eftsure can help you limit the risks of BEC attacks by cross-referencing the payments you make with a database of verified bank account details. Our fully integrated platform will clearly highlight to you any suspect payments, allowing your accounting team to undertake further checks before clicking “send.”
If you implement the suite of measures outlined above, any negligence lawsuits in the event of a BEC attack are highly unlikely to succeed.
Contact eftsure today for a demonstration of the ways our platform can help your organisation stay secure.
NOTE: None of the information contained in this content constitutes legal advice. It is for general informational purposes only.