We have recently received a number of enquiries where an operator has paid a supplier’s invoice using new bank account details that appeared to come from the supplier’s email address but were in fact sent by a fraudster, and the fraud has only come to light when the supplier has chased payment. The question that has arisen is whether the supplier must accept that the money can no longer be recovered, as the operator made a payment in good faith, or whether the customer is obliged to make payment again.
The general legal position is that if a business pays into the account of a fraudster in the mistaken belief that it is an account of the supplier, the business’s contractual liability to make payment to the supplier is not discharged and the monies are due and owing. It is imperative that businesses are aware of the very real possibility of an email account being hacked in these circumstances and conduct further due diligence before making payment to a bank account where details have been provided by email.
There are some conflicting County Court decisions which suggest that payment may be discharged if the supplier has previously confirmed emails are secure or continued to correspond from the same email address after the fraud; however, they are fact specific and are not binding decisions. The overarching position is that emails are not secure, and the onus is on businesses to ensure that the accuracy of any payment details is checked, and double checked!
It is vital that when paying invoices, operators carry out due diligence before making payment to a bank account where details have been provided by email, particularly where the bank account has not been used before. This may include a quick call to the supplier to check the payment details in advance of processing the invoice. Once payment has been made, it is good practice to inform the supplier of the details of the payment made, including the name of the bank and the account number.
Operators should make their customers aware that their bank account details will never change and that any email purporting to do so is likely to be a fraud. Operators could also protect themselves by sending bank details on company letterhead in a PDF format – particularly where the details are to be exchanged by email. If an operator becomes aware that its email account may have been hacked, it should immediately notify its customers that may have already made payment and those that are due to make payment. The sooner that payments to an incorrect account can be identified, the greater the prospects of being able to recover the money through the bank.
For further information on any of the aspects raised in this article, please speak with a member of our Dispute Resolution Team on 01254 828 300.