Employees’ Contractual Duties of Care in the Face of Whaling Attacks: Lessons from the Peebles Media case

March 29, 2020

Introduction

Peebles Media Group Ltd v Patricia Reilly1 is the first reported case from a court in the UK (the Court of Session in Scotland)2 concerning the scope of an employee’s contractual duties of care in relation to ‘phishing’ emails.3

In 2015 the Pursuer was targeted by a ‘whaling’ attack, a form of phishing attack directed at senior personnel within an organisation.4 While the Pursuer’s Managing Director was on holiday, the defender received several emails purporting to come from the Managing Director. The emails instructed the defender to make payments to various accounts. The defender arranged for payments totalling £193,250 to be transferred to the accounts. The bank was able to recover around £85,000 but the rest was not recovered from the fraudster. 

In this article I will look at the increasingly sophisticated nature of phishing attacks, explore the nature of the attack in Peebles Media Group Ltd, review the Pursuer’s arguments and the Court’s decision in relation to the defender’s duty of care, and explore what organisations might do to protect themselves from similar attacks.

The increasingly sophisticated nature of phishing attacks 

Phishing attacks have become increasingly sophisticated.5 In the past phishing emails may have emanated from a person who made no secret of being a stranger to the victim. Fraudulent emails were often poorly written, using stilted language and containing spelling and other errors. Now fraudsters frequently present themselves as a person or entity known to the victim – impersonating their bank, telecommunications provider, software provider or senior personnel within the target organisation. The language used is more sophisticated; the recipient is often addressed by name; the fraudster may have collected information about the organisation to make the fraudulent communications seem genuine; email addresses may be ‘spoofed’ or cloned. These scams are harder to detect.  

Whaling attacks are a form of phishing attack in which the fraudster impersonates senior personnel within an organisation.6 Described as an ‘emerging threat’ by the FBI in 2015,7 such attacks are now common.8 The perpetrators of these attacks may go to some lengths to try to ensure the success of the attack. They may take steps to discover the email addresses of key personnel and monitor social media or outgoing email correspondence to find out when key personnel are on holiday.9 

The nature of the phishing attack in Peebles Media Group Ltd 

In Peebles Media Group Ltd the fraudster sent a series of emails from a cloned email – an email address which, on the face of it, replicated the genuine email address used by the Pursuer’s Managing Director.10 This was a classic whaling attack. The emails were sent while the Managing Director was on holiday. 

The fraudulent emails were sent to the defender, the Pursuer’s credit controller. The emails sought payment of sums into three different accounts. Ordinarily the defender would have had no role in making payments to external accounts, and no authority to make such payments. 

The first series of emails to the defender was received when the Managing Director was on holiday. The defender’s line manager was in the office but about to go on holiday. Faced with emails which, on the face of it, were sent by the Managing Director, the defender communicated the requests for payment to her line manager who made the payment, without, it seems, having had sight of the emails. 

The fraudster made two further requests for payment over the next two working days. By this time the defender’s line manager was on holiday. The defender accessed the Pursuer’s online banking facility and made both payments using her line manager’s online banking user name, password and token.11 The Court was satisfied on the evidence that the defender’s line manager co-operated by providing the token and its PIN and was aware that the defender was using her (the line manager’s) security details. 

Was the defender in breach of her contractual duties of care?

Employees have an implied contractual obligation to take reasonable care in the performance of their employment duties.12 While it is rare for employers to seek damages from employees for losses caused by breach of the contractual duty of reasonable care, such claims are competent.13   

In support of its argument that the defender was in breach of her contractual duties of reasonable care, the Pursuer maintained that the defender should have realised that the emails were the work of a fraudster. One of the emails requested payment in dollars. The defender queried the amount and the fraudster explained that the use of the dollar sign was a ‘typo’. The fraudster signed the emails using the Managing Director’s full name when she habitually signed emails using only her forename. The timestamps on the emails received from the fraudster were out of step with UK time. However, the Court noted that electronic devices ‘may have date stamps that vary from local time for a variety of reasons.’14 The Court considered that none of these aspects established that the defender was in breach of her duties of care.

When the defender accessed the Pursuer’s online banking facility to make the last two payments she was presented with a fraud warning which, according to Lord Summers, ‘could have been written for this transaction’.15 The full text of the warning is not set out in the judgment, but the judgment records that it specifically referred to the use of fraudulent emails purporting to emanate from senior members of a business, such as directors, and noted that such emails appear to come from genuine email addresses.16

The advice accompanying the warning read:

Take additional steps to verify payments when dealing with email based instructions (particularly where the beneficiary is not one that you have paid before). Be aware of any changes to the style/grammar when receiving new payment instructions (often these instructions will have poor English). If you believe you are a victim or target contact your Account Manager as soon as possible and report this to Action Fraud.17

The defender ‘clicked through’ the warning. The Court accepted the defender’s evidence that her line manager had likewise ‘clicked through’ the warning in relation to the first payment. Acknowledging the force of an argument that both the defender and the line manager were in breach of their duties of care by ignoring the warning, the Court nevertheless held that since the defender ‘was entitled to take her lead to some extent from her superior’ she was not, in this respect, in breach of her duties of care.18 The Court considered, moreover, that, in the circumstances, even if the defender had read the warning, it would have made no difference to the outcome. 

The Court considered the implications of a conversation between the defender and the Pursuer’s banking relationship manager about the second of the two payment transactions. Having experienced some difficulty in processing the transaction, the defender had called the relationship manager to ask for assistance. On the evidence, the Court considered that while the relationship manager had told the defender she was not authorised to make the payment, he did not in terms direct her not to do so.19 The Court noted that the defender was acting under the misapprehension that she had instructions to make payment from her boss, the Managing Director, and that the defender’s line manager had permitted the defender to use her security credentials. In these circumstances the Court declined to find that the defender was in breach of her duties of care in proceeding to make this payment.

The Court did find the defender in breach of her duties of care in transferring monies from one account to another to ensure that sufficient funds were available to make the final payment. The defender had made the transfer without having received any instruction to do so: neither the Managing Director nor the fraudster had made any request to that effect. However, citing Hadley v Baxendale,20 the Court considered that the loss that ensued was not a natural consequence of that breach: the loss was too remote.21

A review of the Court’s findings on breach of the contractual duties of care

Clearly this is a case which turns on its facts. However, one can draw some general conclusions from the judgment. 

The mere presence of typographical errors, differences in style of writing or email signature may not be sufficient to put the recipient of an email on notice that the email is not genuine and found an action based on breach of contract. All depends on the nature and extent of the discrepancies. This is a sensible approach. The National Cyber Security Centre’s guidance on phishing attacks notes that ‘Spotting phishing emails is hard … Even experts from the NCSC struggle …’.22

An employee who ignores a fraud warning that appears as a message in the employer’s online banking system may be in breach of their contractual duties of reasonable care.23 However, whether that is so may depend on whether senior personnel within the organisation who have access to the banking facility pay heed to such warnings. 

The Court held that the defender did not have direct instructions from the bank not to make a payment. However, the judgment suggests that an employee who flouts a direct instruction from the employer’s bank not to make a payment believing that she is acting on instructions from her boss, will not necessarily be in breach of her contractual duties of care.24 The duties of the bank were not in issue in this case but the Court hints that the issue of such instructions might have consequences for a bank. Lord Summers states that if the defender had ignored such a direction he ‘would have expected Mr MacKay [the Pursuer’s relationship manager at the bank] to take a more robust view when the next payment was flagged by the fraud area.’25

Lack of authorisation to make payments on behalf of an organisation is relevant to an employee’s contractual duties of care. Of course, the defender did not have actual authorisation from the Pursuer to make these payments but she supposed that she had. She believed that she was corresponding with the Managing Director: the Court found that the various errors in the emails were not such as to put her on notice of the fraud. The Court also accepted that the defender’s line manager permitted her to use the line manager’s security credentials for the online banking system. The judgment indicates that in these circumstances, lack of actual authorisation does not of itself establish a breach of the employee’s contractual duties of care. To hold otherwise would expose employees to liability for any successful whaling attack.  

How can an organisation protect itself against attacks of this kind?

Organisations can take some basic steps to try to protect themselves against phishing attacks of this kind. 

Know your business.

In its guidance for small businesses, the NCSC advises businesses to ‘Think about how you operate’.26 In particular, it urges businesses to make sure staff ‘understand normal ways of working … so that they’re better equipped to spot requests that are out of the ordinary.’27

In Peebles Media Group Ltd one of the reasons why the fraudster was able to succeed was that things were not entirely ‘normal’ for the business in the period when the fraud was carried out.28 Key personnel involved in managing the company’s finances were absent from the office for all or part of that period. The defender’s line manager had been unwell. It is important to establish what ‘normal’ should look like in such circumstances and to treat requests for payment from key personnel who are absent on holiday with heightened suspicion.

Be careful when disclosing information about the business or key personnel. 

The NCSC advises that businesses should consider the content of information disclosed on the company website or on social media, whether it is necessary to disclose that information, and in particular whether the information would be useful to attackers.29 Managing Directors and other senior personnel should be careful about disclosing information about when they are on holiday or absent from the office.

Train employees to identify phishing emails. 

Employees should be trained to spot ‘warning signs’ that emails are fraudulent. Poor spelling, punctuation and grammar might indicate that an email is fraudulent, though, of course, these characteristics of writing are not confined to fraudsters! 

In Peebles Media Group Ltd the fraudster’s emails addressed the defender by name. However, many phishing emails will contain a generic greeting such as ‘Dear customer’ or ‘Dear colleague’. The absence of a specific greeting may be an indicator of fraud. 

The NCSC guidance specifically warns that employees should be trained to look out for emails that appear to come from a high-ranking person within your organisation, requesting a payment is made to a particular bank account.30

Training of this kind might have alerted the defender and her line manager to the possibility of fraud.31 However, employers should not expect employees to spot every phishing attack: training alone will not offer adequate protection.32  

Consider certification under schemes such as the UK’s Cyber Essentials Scheme.

The Cyber Essentials scheme is intended to help businesses protect themselves in relation to threats to cybersecurity, including threats from phishing attacks. Under the scheme businesses can obtain certification where they meet certain security standards.33

Create a culture in which employees feel able to seek help in dealing with suspicious requests and to report successful attacks.

Use email filtering services to filter or block phishing email.

Control access to online banking facilities.

In Peebles Media Group Ltd it appears that although in ordinary circumstances the defender had no authority to make payments on behalf of the company she had access to her line manager’s online banking user name, password, token and PIN. The line manager gave evidence that ‘everyone in the department knew where her online banking details were stored’. Banking details should be stored securely and access to the online banking facility limited to those authorised to use the facility. Consideration should be given to use of dual authorisation.34 

Put protocols in place about verification of payment instructions received by email.35  
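The access-control, dual-authorisation and email-verification safeguards described above can be expressed as a payment-release check. The following is an added illustration, not code from the judgment, the Pursuer or any bank; the `PaymentRequest` and `Policy` structures, the staff names and the addresses are constructed for the example. A payment is held (not merely warned about, since a warning can be ‘clicked through’) until every reason to hold it has been cleared.

```python
# Payment-release control modelled on the safeguards this article recommends:
# out-of-band verification of email-based instructions, heightened suspicion of
# requests "from" absent senior staff, scrutiny of new beneficiaries, and dual
# authorisation. Added illustration; data structures and names are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PaymentRequest:
    requested_by: str            # person the email claims to come from
    from_address: str            # address shown in the From: header
    reply_to: str                # address a reply would go to (cf. footnote 10)
    beneficiary: str             # beneficiary account identifier
    amount: float
    currency: str
    received_by_email: bool
    verified_out_of_band: bool   # confirmed by phone or in person, not by reply
    approvers: set[str] = field(default_factory=set)


@dataclass
class Policy:
    staff_addresses: dict[str, str]   # name -> genuine email address on file
    absent_staff: set[str]            # on holiday or otherwise out of the office
    known_beneficiaries: set[str]     # accounts the business has paid before
    authorised_approvers: set[str]    # people permitted to release payments
    home_currency: str = "GBP"
    dual_auth_threshold: float = 0.0  # amount above which two approvers are needed


def assess_payment(req: PaymentRequest, policy: Policy) -> tuple[bool, list[str]]:
    """Return (release_allowed, reasons_to_hold).

    An empty reasons list means every check passed. Any reason holds the
    payment; there is no 'click through'.
    """
    reasons: list[str] = []

    genuine = policy.staff_addresses.get(req.requested_by)
    if genuine is None or genuine.lower() != req.from_address.lower():
        reasons.append("From: address does not match the genuine address on file")
    # A cloned address can look identical in From:, so also compare Reply-To.
    # This is only an indicator: in the case itself the point was not proved.
    if req.reply_to.lower() != req.from_address.lower():
        reasons.append("Reply-To differs from From: (possible cloned address)")

    if req.requested_by in policy.absent_staff:
        reasons.append("instruction purports to come from someone who is absent")

    if req.beneficiary not in policy.known_beneficiaries:
        reasons.append("new beneficiary: confirm account details by another channel")

    if req.currency != policy.home_currency:
        reasons.append(f"unexpected currency {req.currency}; query before paying")

    if req.received_by_email and not req.verified_out_of_band:
        reasons.append("email-based instruction not yet verified out of band")

    # Dual authorisation: two distinct authorised people, neither of whom is the
    # requester, must approve. A shared login, token and PIN cannot satisfy this.
    valid = {a for a in req.approvers
             if a in policy.authorised_approvers and a != req.requested_by}
    if req.amount > policy.dual_auth_threshold and len(valid) < 2:
        reasons.append(f"dual authorisation not met ({len(valid)} valid approver(s))")

    return (not reasons, reasons)
```

A request shaped like the one in the case (absent director, new beneficiary, foreign currency, email-only instruction, a single unauthorised approver) is held for five separate reasons, whereas the same amount to a known supplier, confirmed by phone and approved by two authorised people, is released.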

Consider taking out cyber insurance. 

Some insurance policies may provide cover for losses suffered by a business when it falls victim to a whaling attack.36 However, care should be taken to check the policy wording.  

Have a Response Plan in place. 

An organisation that falls victim to a phishing attack may have a short window of opportunity to freeze payments made to a fraudster. The organisation’s bank and insurers should be notified as soon as the fraud is discovered. 

Conclusion

Although this is a case which very much turns on its facts Peebles Media Group Ltd is helpful in considering the scope and limits of an employee’s contractual duties of care in relation to phishing attacks. The case offers a useful case study for those concerned to understand and mitigate against the factors that may contribute to a successful phishing attack. While there is no magic bullet that will allow organisations to detect every phishing email, simple steps may be taken to limit the risk of a successful attack. 

Footnotes

1 [2019] CSOH 89.

2 The Court of Session is Scotland’s highest Court. This was a decision of the Outer House of the Court of Session. Appeals may be made to the Inner House. 

3 World Proteins KFT v Persons Unknown [2019] EWHC 1146 (QB), 2019 WL 01458908, an application for continuation of a freezing injunction, relates to a phishing fraud but is not concerned with the contractual duties of care of employees. In World Proteins KFT the applicant company paid a total of €2 million to a fraudster who impersonated one of the applicant’s longstanding suppliers. €1.5 million was subsequently recovered.

4 Such attacks are also known as CEO or Business Email Compromise frauds. See Europol, ‘Take Control of Your Digital Life. Don’t be a Victim of Cyber Scams!’ <https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/take-control-of-your-digital-life-don%E2%80%99t-be-victim-of-cyber-scams> (accessed 6 January 2020).  

5 This is reflected in the responses to the Cyber Security Breaches Survey 2019. Department for Digital, Media, Culture and Sport, ‘Cyber Security Breaches Survey 2019’ <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/813599/Cyber_Security_Breaches_Survey_2019_-_Main_Report.pdf> (accessed 3 January 2020).

6 NCSC, ‘Whaling: how it works, and what your organisation can do about it’ <https://www.ncsc.gov.uk/guidance/whaling-how-it-works-and-what-your-organisation-can-do-about-it> (accessed 7 January 2020).

7 FBI, ‘Business E-Mail Compromise An Emerging Global Threat’ (28 August 2015) <https://www.fbi.gov/news/stories/business-e-mail-compromise/business-e-mail-compromise> (accessed 6 January 2020). See also BBC, ‘Whale’ finance fraud hits businesses’ <https://www.bbc.co.uk/news/technology-34570713> (accessed 6 January 2020). 

8 According to the FBI, 78,617 such attacks were recorded worldwide in the period between October 2013 and May 2018, accounting for losses totalling more than $12 billion. FBI, ‘Public Service Announcement: Business E-Mail Compromise the 12 Billion Dollar Scam’ (12 July 2018) <https://www.ic3.gov/media/2018/180712.aspx> (accessed 3 January 2020).

9 Conor Pope, ‘Watch your bank account: Scammers up their game’ (4 June 2018) The Irish Times <https://www.irishtimes.com/news/consumer/watch-your-bank-account-scammers-up-their-game-1.3512750> (accessed 2 January 2020).

10 The Pursuer suggested that when the defender replied to the fraudulent emails, a different address appeared in the recipient field but failed to establish this point in evidence.

11 A token is a physical device used to gain access to online banking facilities. In Peebles Media Group Ltd, the banking token was aptly described by the defender as ‘a wee calculator thing’. Some tokens can only be operated by means of biometric input such as fingerprints or retinal scans and so cannot be used by anyone other than the person to whom the token was issued.

12 Lister v Romford Ice and Cold Storage Co Ltd [1957] AC 555; Janata Bank v Ahmed [1981] ICR 791.

13 ibid.

14 Peebles Media Group Ltd (n 1) [26].

15 Peebles Media Group Ltd (n 1) [33].

16 ibid.

17 ibid.

18 Peebles Media Group Ltd (n 1) [40].

19 Peebles Media Group Ltd (n 1) [35]. 

20 (1854) 9 Ex 341.

21 Brodie maintains that in Peebles Media Group Ltd the Court’s ‘reasoning on the remoteness point was scant to say the least.’ Douglas Brodie, ‘Employees’ Liability’ (2019) Reparation Bulletin 151, 1-2. The writer is not convinced that further reasoning was needed in this case. It is surely not reasonably foreseeable that, in the absence of knowledge of the fraud, an unauthorised transfer of funds from one account to another would result in payment of those funds to a fraudster and so a total loss of those funds. Put differently, it was not the transfer that gave rise to difficulty but rather payment of funds to a fraudster. 

22 NCSC, ‘Phishing attacks: defending your organisation’ <https://www.ncsc.gov.uk/guidance/phishing> (accessed 2 January 2020).

23 Peebles Media Group Ltd (n 1) [40].

24 Peebles Media Group Ltd (n 1) [42].

25 Peebles Media Group Ltd (n 1) [43].

26 NCSC, ‘Small Business Guide: Cyber Security’ <https://www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks> (accessed 2 January 2020).

27 ibid.

28 Fraudsters take advantage of exceptional circumstances. Mattel, the makers of Barbie, suffered a whaling attack weeks after a new chief executive took up position at the company. A finance executive paid $3 million in response to an email which, on the face of it, was issued by the chief executive. Conor Pope, ‘Watch your bank account: Scammers up their game’ (4 June 2018) The Irish Times <https://www.irishtimes.com/news/consumer/watch-your-bank-account-scammers-up-their-game-1.3512750> (accessed 2 January 2020).

29 NCSC, ‘Phishing attacks: defending your organisation’ <https://www.ncsc.gov.uk/guidance/phishing> (accessed 2 January 2020).

30 NCSC, ‘Small Business Guide: Cyber Security’ <https://www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks> (accessed 2 January 2020).

31 In Peebles Media Group Ltd Lord Summers suggests that the defender was ‘not the person who was suitable for … [elementary training in fraud awareness]’ on the basis that she was not expected to make online payments. It is suggested that, on the contrary, some form of elementary training in fraud awareness may usefully be provided to all staff, though additional training should be tailored for different roles. For further reading on how to deliver suitable training for staff see Gavin Watson, ‘Staff Awareness and Training Programs’ in Gavin Watson, Andrew Mason, Richard Ackroyd, Social Engineering Penetration Testing (Elsevier 2014) 339-359; Tracey Caldwell, ‘Making security awareness training work’ (2016) 6 Computer Fraud & Security 8-14. 

32 The NCSC notes that some phishing emails are ‘impossible to tell apart from genuine emails’. NCSC, ‘I’m gonna stop you, little phishie …’ <https://www.ncsc.gov.uk/blog-post/im-gonna-stop-you-little-phishie> (accessed 2 January 2020).

33 NCSC, ‘Protect Your Organisation Against Cyber Attacks’ <https://www.cyberessentials.ncsc.gov.uk/> (accessed 3 January 2020). Phippen and Furnell provide a critique of the scheme in A.D. Phippen, S.M. Furnell, ‘Cyber essentials: essential enough to be statutory?’ CTLR 2019, 25(1), 21-28.

34 Dual authorisation is an added security measure where two different people must authenticate a payment. 

35 Sim discusses the verification practices that might be adopted by Scottish law firms in relation to conveyancing transactions in Alistair Sim, ‘Payment fraud: the fight goes on’ (20 June 2016) <https://www.lawscot.org.uk/members/journal/issues/vol-61-issue-06/payment-frauds-the-fight-goes-on/> (accessed 7 January 2020). See also Nada Jardaneh, ‘Fraud: a battle of wits’ (15 February 2016) <https://www.lawscot.org.uk/members/journal/issues/vol-61-issue-02/fraud-a-battle-of-wits/> (accessed 7 January 2020).

36 Aon, ‘Cyber insurance and phishing – what it covers and what it might not’ (2 November 2018) <https://insurance.aon.co.uk/resource-center/business-insurance/Cyber-insurance-and-phishing-what-it-covers-and-what-it-might-not> (accessed 3 January 2020).

References 

Aon, ‘Cyber insurance and phishing – what it covers and what it might not’ (2 November 2018) <https://insurance.aon.co.uk/resource-center/business-insurance/Cyber-insurance-and-phishing-what-it-covers-and-what-it-might-not> (accessed 3 January 2020)

BBC, ‘Whale’ finance fraud hits businesses’ <https://www.bbc.co.uk/news/technology-34570713> (accessed 6 January 2020)

Brodie, D., ‘Employees’ Liability’ (2019) Reparation Bulletin 151, 1-2

Caldwell, T., ‘Making security awareness training work’ (2016) 6 Computer Fraud & Security 8-14

Department for Digital, Media, Culture and Sport, ‘Cyber Security Breaches Survey 2019’ <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/813599/Cyber_Security_Breaches_Survey_2019_-_Main_Report.pdf> (accessed 3 January 2020)

Europol, ‘Take Control of Your Digital Life. Don’t be a Victim of Cyber Scams!’ <https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/take-control-of-your-digital-life-don%E2%80%99t-be-victim-of-cyber-scams> (accessed 6 January 2020)

FBI, ‘Business E-Mail Compromise An Emerging Global Threat’ (28 August 2015) <https://www.fbi.gov/news/stories/business-e-mail-compromise/business-e-mail-compromise> (accessed 6 January 2020)

FBI, ‘Public Service Announcement: Business E-Mail Compromise the 12 Billion Dollar Scam’ (12 July 2018) <https://www.ic3.gov/media/2018/180712.aspx> (accessed 3 January 2020)

Janata Bank v Ahmed [1981] ICR 791

Jardaneh, N., ‘Fraud: a battle of wits’ (15 February 2016) <https://www.lawscot.org.uk/members/journal/issues/vol-61-issue-02/fraud-a-battle-of-wits/> (accessed 7 January 2020)

Lister v Romford Ice and Cold Storage Co Ltd [1957] AC 555 

NCSC, ‘I’m gonna stop you, little phishie …’ <https://www.ncsc.gov.uk/blog-post/im-gonna-stop-you-little-phishie> (accessed 2 January 2020)

NCSC, ‘Phishing attacks: defending your organisation’ <https://www.ncsc.gov.uk/guidance/phishing> (accessed 2 January 2020)

NCSC, ‘Small Business Guide: Cyber Security’ <https://www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks> (accessed 2 January 2020)

NCSC, ‘Whaling: how it works, and what your organisation can do about it’ <https://www.ncsc.gov.uk/guidance/whaling-how-it-works-and-what-your-organisation-can-do-about-it> (accessed 7 January 2020)

Peebles Media Group Ltd v Patricia Reilly [2019] CSOH 89

Phippen, A.D., Furnell, S.M., ‘Cyber essentials: essential enough to be statutory?’ CTLR 2019, 25(1), 21-28

Pope, C., ‘Watch your bank account: Scammers up their game’ (4 June 2018) The Irish Times <https://www.irishtimes.com/news/consumer/watch-your-bank-account-scammers-up-their-game-1.3512750> (accessed 2 January 2020)

Sim, A., ‘Payment fraud: the fight goes on’ (20 June 2016) <https://www.lawscot.org.uk/members/journal/issues/vol-61-issue-06/payment-frauds-the-fight-goes-on/> (accessed 7 January 2020)

Watson, G., ‘Staff Awareness and Training Programs’ in Watson, G., Mason, A., Ackroyd, R., Social Engineering Penetration Testing (Elsevier 2014) 339-359

World Proteins KFT v Persons Unknown [2019] EWHC 1146 (QB), 2019 WL 01458908

Dr. Pauline McBride, Lecturer (Law and Technology), Queen’s University, Belfast.