Following a ruling by the Disputes Tribunal, a landscaper, VH Ltd, has been left $13,801.15 out of pocket after falling victim to a business email compromise scam.
During September and October 2023, VH Ltd carried out landscaping work on KI’s property. On 4 October, VH Ltd sent KI an invoice for $13,801.15 for the final payment for the work, with a due date of 11 October 2023.
KI requested a more detailed invoice, which was sent via email. At 2.29pm, one minute after receiving the amended invoice, KI was sent another email from the same email address that VH Ltd used. This email claimed to be from OL, the owner of VH Ltd, but was actually from a hacker.
It said the company had to change bank accounts due to a hacker and provided KI with a new invoice that included a different bank account number. The Disputes Tribunal referee, J. Northwood, heard that upon receiving the email from the hacker, KI replied to OL “did the latest invoice have the updated account?” to which the reply was “yes”.
“There is no dispute at this point that when KI replied to the 2.29pm email that it was OL that replied to him and not the hacker, as she [also] asked about a meeting with KI’s wife,” said Northwood. “KI points out that OL did not ask what he meant about the ‘updated account’. Furthermore, the hackers’ email was attached to the email chain between KI and OL.”
Hacker received payment
Following this exchange, KI paid the $13,801.15 to the bank account on the amended invoice, which was not VH Ltd’s bank account. Both parties contacted the police and their banks but the money has not been recovered.
“VH Ltd is claiming the cost of the invoice, as she needs to get paid for work she had done,” said Northwood. “OL says that it is for KI to have confirmed that the new bank account changes were real by ringing her or contacting her on social media. KI is refusing to pay the invoice again and says VH Ltd should have sufficient security in place to protect themselves and their customers.”
It was not in dispute that VH Ltd was hacked. Business owner OL reported the hacking to police and said that two clients (KI and one other) had been targeted by hackers in a similar way.
“The email address used was the correct email address for VH Ltd and the hacker was able to intercept it on at least two occasions,” wrote Northwood. “There were no obvious flaws or clues that the email and invoice might not be valid. In fact, KI pointed out that the word ‘mulch’ had been wrongly spelt in both the real and hacked invoice.”
Cybersecurity responsibilities
Northwood found that, as VH Ltd’s cybersecurity is “entirely in their hands” and not controlled by the customer, the company should bear the risk in this situation and that KI is not liable for the sum paid to the hacker.
Northwood also found that businesses are better placed than consumers to insure against and protect themselves from business email compromise (BEC) fraud, and concluded that KI is not liable to pay VH Ltd $13,801.15.
“This is a very bad experience for both parties to have been subjected to and I suspect there have been many lessons learned,” said Northwood. “I am genuinely sorry but after analysing the documentation, both written and oral, I must dismiss VH Ltd’s claim for the reasons set out above.”
Cover available to landscapers
To protect against incidents like this, Ben Rickard, director of Builtin Insurance Brokers, said cyber insurance can help manage the risk and facilitate recovery of losses.
“Our approach is always to ensure the customer has managed the risk first, undertaking as many mitigation measures as they can. When a client has cyber insurance, there are two main benefits.
“Firstly, they have access to 24/7 support from the insurer’s cyber incident response team, which will support the customer through the early, traumatic stages of the process, facilitate a smooth recovery and then get you back to business.
“Secondly, depending on the type of cover the customer has selected, they will be compensated for losses suffered. It should be noted that different types of attacks and losses are not always covered by the different types of policies available, and for comprehensive cover for attacks and losses, the customer may need to add policy extensions such as for socially engineered theft or cyber theft.”
A legal perspective
The case highlights how important it is for landscapers to protect themselves from cybercrime. Law firm Sprintlaw has prepared a guidance document called What Is Business Email Compromise? The following is an excerpt from it.
How to avoid BEC
In order to avoid BEC, there are various measures you should consider implementing:
Have a strong cyber security system in place and get it regularly updated by an IT professional.
Train all your employees on being vigilant and aware – have a system in place for any communication in the workplace.
Stay aware of the latest updates regarding BEC, so you know what to look out for.
Have tailored business email accounts as opposed to web-based accounts.
Make use of scam-detecting software.
Limit exposure in certain areas, i.e. public wifi.
It may be worth investing in the help of a professional to secure your systems.
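The list above stays at the level of general advice. The control that would have caught the fraud described in the case (an email from the genuine address, one minute after a real invoice, announcing new bank details and quoting a different account number) is a payee-change check on incoming invoices. The following is an added example, not code from the page, Sprintlaw or VH Ltd. It assumes New Zealand-style bank-branch-account-suffix numbers, uses a constructed vendor address, constructed account numbers and constructed message bodies, and embodies one rule: bank details enter the ledger only through an out-of-band confirmation (a phone call to a known number), never from the contents of an email.

```python
"""Payee-change detection for incoming supplier invoices.

Added example, not code from the page, Sprintlaw or VH Ltd. Bank details are
only recorded via confirm_account() after an out-of-band check, never from the
contents of an email, because a compromised mailbox sends from the genuine
address, exactly as in the case above.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: invoices quote NZ account numbers as bank-branch-account-suffix digits.
ACCOUNT_RE = re.compile(r"\b\d{2}-\d{4}-\d{7}-\d{2,3}\b")

# Wording a payee-change fraud typically uses (constructed list; extend per environment).
CHANGE_PHRASES = (
    "change bank account",
    "changed bank account",
    "new bank account",
    "updated account",
    "new account number",
)


@dataclass
class Invoice:
    sender: str           # From address; identical to the real vendor's in a mailbox takeover
    received_at: datetime
    body: str


@dataclass
class VendorLedger:
    """Accounts confirmed out of band, keyed by vendor address."""
    confirmed: dict = field(default_factory=dict)
    last_seen: dict = field(default_factory=dict)

    def confirm_account(self, sender: str, account: str) -> None:
        """The only way an account enters the ledger: call after a phone check."""
        self.confirmed[sender] = account


def extract_accounts(text: str) -> list:
    """All distinct account numbers quoted in the text, sorted."""
    return sorted(set(ACCOUNT_RE.findall(text)))


def assess_invoice(ledger: VendorLedger, invoice: Invoice,
                   reissue_window: timedelta = timedelta(minutes=30)) -> list:
    """Return the reasons this invoice must be held for out-of-band verification.

    An empty list means the quoted account matches the confirmed one and neither
    the wording nor the timing suggests a payee change.
    """
    reasons = []
    accounts = extract_accounts(invoice.body)
    confirmed = ledger.confirmed.get(invoice.sender)
    body = invoice.body.lower()

    if confirmed is None:
        reasons.append("no confirmed account on file for this vendor")
    elif any(account != confirmed for account in accounts):
        reasons.append(f"account differs from confirmed {confirmed}: {accounts}")

    if any(phrase in body for phrase in CHANGE_PHRASES):
        reasons.append("message announces a change of bank details")

    previous = ledger.last_seen.get(invoice.sender)
    if previous is not None and invoice.received_at - previous <= reissue_window:
        minutes = int((invoice.received_at - previous).total_seconds() // 60)
        reasons.append(f"re-issued {minutes} min after the previous invoice")

    ledger.last_seen[invoice.sender] = invoice.received_at
    return reasons


def demo() -> tuple:
    """Replay the pattern from the case with constructed messages and numbers."""
    vendor = "accounts@landscaper.example"                 # constructed address
    ledger = VendorLedger()
    ledger.confirm_account(vendor, "01-0001-0123456-00")   # confirmed by phone at quote time

    genuine = Invoice(vendor, datetime(2023, 10, 4, 14, 28),
                      "Amended final invoice attached. Please pay to 01-0001-0123456-00.")
    fraudulent = Invoice(vendor, datetime(2023, 10, 4, 14, 29),
                         "We had to change bank accounts due to a hacker. "
                         "Please use the new invoice; account 02-0002-0654321-00.")
    return assess_invoice(ledger, genuine), assess_invoice(ledger, fraudulent)


if __name__ == "__main__":
    ok, held = demo()
    print("genuine:", ok or "pay")    # [] -> pay
    print("fraudulent:", held)        # three independent reasons to hold
```

The ledger deliberately has no code path that learns an account number from an invoice: `confirm_account` is the only writer, so a compromised mailbox cannot update it. Running `demo()` clears the genuine invoice and holds the fraudulent one for three independent reasons (account mismatch, change wording, re-issue one minute after the previous invoice); any one of them should be enough to trigger a phone call before payment.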
Who is liable in a business email compromise?
Currently, there is no legislation or case law that can distinctly state which party is liable when it comes to BEC. Therefore, there is no uniform answer to this.
Sometimes it can be the responsibility of the client to double-check where a particular email is coming from, and sometimes the fault of the business for allowing its systems to be penetrated.
Liability is likely to be assessed on a case-by-case basis, depending on whose duty of care is in question.
As a business, however, it is your responsibility to ensure you have taken all reasonable measures possible to secure your systems.
Ultimately, if something does go wrong, then your liability could be influenced based on the preventative measures you have taken.
Who is liable for hacked emails in New Zealand?
Determining liability for hacked emails in New Zealand is complex and there are no clear legal rulings on the issue.
Liability depends on whether the email was hacked or spoofed. Hacking involves a cybercriminal breaching an organisation’s internal systems and exploiting that access. In contrast, spoofing is when a fraudster disguises their email as one from a trusted source to mislead the recipient.
While businesses are typically not responsible if a customer falls victim to spoofing, they must still take reasonable security measures to prevent unauthorised access. Failing to secure systems could result in liability if a breach is traced back to inadequate precautions.
If you need help sorting out the legal side of things as a sole trader or tradie, Sprintlaw is always ready to help you out. We offer a whole range of services to help you start and grow your business. You can contact our team at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.