If your email is hacked, who pays the bill?

With email fraud on the rise, Michael Gerard of Michael Gerard Solicitors explains the issues around legal liability and email fraud.

It’s fair to say that construction companies have not been at the forefront of the conversion to paperless processes. However, as a sector that often has a long supply chain and makes frequent use of sub-contractors, the financial and administrative transactions around a building project can be numerous and complex. This is one of the reasons why construction companies can sometimes be targeted by online scammers. Unfortunately, when phishing schemes and email hacking are successful, not only can it be disastrous for the defrauded businesses, it can also be difficult to determine liability. 

Paper protection

In times gone by, when invoices were issued by post and payment was made by cheque, companies were afforded some protection by the cheque rule, which allowed a payee to bring an action against the payer if a cheque had been stopped. Issuing a cheque created a binding contract between the parties, separate from the contract for the supply of goods and/or services, and there was no legal defence for stopping a cheque unless it had been stolen or fraud was involved. Essentially, once the cheque was signed and sent, the payer was obliged to settle the bill.

However, with electronic funds transfers (EFTs) now the most common form of payment, cyber security is a question that every company involved in the building trade needs to address. Most of us have seen examples of how online systems can be breached. So, if an email system is hacked and fraudulent transactions result, who is legally liable? The answer might surprise you.

The real-life results of email hacking

Essentially, to avoid a claim where funds are diverted or not received due to email fraud, the payer would need to establish either a breach of contract or negligence. This is best illustrated by a real-life case.

The main contractor on a building project lasting several months had engaged a specialist contractor who was involved most of the way through. It was agreed in the contract that they would receive regular payments throughout the project’s duration.

As is now standard practice, all document exchanges and financial transactions were carried out electronically, so when the specialist contractor's email account was hacked the whole payment process was exposed. The hackers installed software capable of reading all incoming and outgoing emails and flagging up key commercial words.

The specialist contractor was unaware that their email system had been compromised, and matters were made worse when, part way through the contract, they informed the main contractor of an intention to change bank accounts. At this point the hackers sprang into action. Having intercepted an application for payment, they advised the main contractor's accounts department that a new bank account had been set up and requested that all future payments be made into it. The accounts department duly complied, paying a five-figure sum into the hackers' account.

The email hack was only discovered when the specialist contractor started to chase payment. By this time, it was too late as the fraudster’s account had been cleared of almost all of the money.

In terms of liability, the main contractor had complied with what appeared to be a legitimate request for payment into what they believed to be the supplier's bank account. However, despite the fact that it was the specialist contractor's email account that had been hacked, the payer was still liable. This is because the specialist contractor had a strict contractual claim for the monies owed and, to avoid that claim, the main contractor needed to establish either (a) a breach of contract or (b) negligence to set off against it.

Furthermore, there was no evidence that the specialist contractor was aware of the fraud, which could have shifted liability. Similarly, had the fraud been carried out by an employee of the payee, the payee would have been vicariously liable, but this was not the case. Finally, neither the contract nor the common law imposed a duty of care on the specialist contractor to maintain a cyber-security system capable of preventing such a payment fraud. As a result, the main contractor was legally obliged to pay the amount originally owed, for the second time.

4 steps to guard against the impact of email hacking

Such cases underline the importance of companies putting measures in place to protect themselves against email fraud and security breaches. Here are four simple steps that companies can take:

  • As phishing emails are the most likely route for malware and stolen passwords to enter an IT system, businesses need a robust software security set-up: a firewall to monitor network traffic and connection attempts in and out of the network, spam and phishing filtering on incoming mail and, since the case above turned on a stolen mailbox login, multi-factor authentication on email accounts.
  • When setting up payment on an EFT, test the details sent by a supplier by transferring a small and unusual amount into the account, then ask the supplier to confirm receipt by telephone, using a number already held on file rather than one given in the email. Follow the same procedure whenever an existing supplier changes their bank details.
  • If someone in your organisation can read message headers, they can compare the originating IP address and sending domain of a payment-related email with those of a previous, verified message from the same supplier. Bear in mind that an email sent from a genuinely hijacked account, as in the case above, travels through the supplier's usual mail provider and can look entirely normal, so this check supplements the telephone call rather than replacing it.
  • Include contract clauses setting minimum security standards for a supplier's systems, including protection against malware and viruses, a firewall, regularly updated software, and a stipulation that changes to company bank account details be confirmed in writing by post or hand delivered and signed.
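A concrete version of the header cross-check in the third step, tied to the call-back rule in the second. This is an added example and not part of the article: it assumes the receiving mail server stamps standard Received: headers, and the two messages, hostnames and IP addresses below (RFC 5737 documentation ranges and reserved .example names) are constructed for illustration. The baseline IP and domain are taken from an earlier message whose bank details were confirmed by telephone.

```python
"""Cross-check a supplier email's originating IP and sender domain against a
baseline taken from an earlier, telephone-verified message.

Added illustration, not code from the article. Assumes the receiving mail
server adds standard Received: headers. All sample messages, hosts and
addresses are constructed (RFC 5737 ranges, reserved .example names).
"""
import email
import ipaddress
import re
from email.utils import parseaddr
from typing import List, Optional

# Bracketed IPv4 literals as written in Received: headers, e.g. "[203.0.113.25]"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hops inside our own network, skipped when looking for the first external host.
# (ipaddress's is_global would also exclude the documentation ranges used below.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_ips(raw: str) -> List[str]:
    """IPs from Received: headers in transit order (earliest hop first)."""
    msg = email.message_from_string(raw)
    hops = msg.get_all("Received") or []
    # Headers are prepended by each relay, so the bottom one is the first hop.
    return [ip for hop in reversed(hops) for ip in IP_RE.findall(hop)]


def originating_ip(raw: str) -> Optional[str]:
    """First IP in the chain that is not one of our internal hops."""
    for ip in received_ips(raw):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL_NETS):
            return ip
    return None


def from_domain(raw: str) -> str:
    """Domain part of the From: address, lower-cased."""
    msg = email.message_from_string(raw)
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def check_message(raw: str, known_ip: str, known_domain: str) -> dict:
    """Compare a message with the verified baseline. Any finding means the
    payment details must be confirmed by telephone before they are used."""
    origin = originating_ip(raw)
    domain = from_domain(raw)
    findings = []
    if domain != known_domain.lower():
        findings.append(f"From domain {domain!r} differs from verified {known_domain!r}")
    if origin is None:
        findings.append("no external originating IP found in Received headers")
    elif origin != known_ip:
        same_net = ipaddress.ip_address(origin) in ipaddress.ip_network(
            f"{known_ip}/24", strict=False)
        findings.append(f"originating IP {origin} differs from verified {known_ip}"
                        + (" (same /24, possibly a provider pool)" if same_net else ""))
    return {"origin_ip": origin, "from_domain": domain, "findings": findings,
            "verdict": "consistent with baseline" if not findings else "verify by telephone"}


# Constructed sample: the earlier application for payment, verified by phone.
KNOWN_GOOD = """Received: from mx.maincontractor.example ([192.168.10.5])
    by mailbox01.maincontractor.example; Mon, 1 Jul 2024 09:00:02 +0000
Received: from smtp.specialist.example ([203.0.113.25])
    by mx.maincontractor.example with ESMTPS; Mon, 1 Jul 2024 09:00:00 +0000
From: Accounts <accounts@specialist.example>
Subject: Application for payment no. 4

Please find attached our application for payment.
"""

# Constructed sample: a bank-change request from a look-alike domain via a third-party relay.
SUSPECT = """Received: from mx.maincontractor.example ([192.168.10.5])
    by mailbox01.maincontractor.example; Wed, 3 Jul 2024 14:12:09 +0000
Received: from relay7.bulkmail.invalid ([198.51.100.77])
    by mx.maincontractor.example with ESMTPS; Wed, 3 Jul 2024 14:12:07 +0000
From: Accounts <accounts@speciallst.example>
Subject: RE: Application for payment no. 4 - NEW BANK DETAILS

Please note we have changed bank account; the new details are attached.
"""

if __name__ == "__main__":
    for label, raw in (("verified baseline", KNOWN_GOOD), ("bank-change request", SUSPECT)):
        result = check_message(raw, "203.0.113.25", "specialist.example")
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as-is, the verified message comes back consistent, while the bank-change request is flagged on two counts: a look-alike sender domain and an unfamiliar originating host. Treat any finding as a reason to pick up the phone; an empty findings list is not proof of authenticity, because a message sent from the supplier's own compromised mailbox would carry the supplier's genuine domain and usual mail relay.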

Breaches in cyber security are rising as hackers constantly find ways round security measures, so a company that isn't adequately protected could find itself the next target. Having cyber liability insurance is a good move but won't protect an organisation from all types of losses, so prevention really is the best option, and some of that prevention means doing things the old-fashioned way, like using the telephone and the post!

Author background

Michael Gerard is a solicitor, practising adjudicator and accredited expert in quantum and planning. He is a Fellow of the Chartered Institute of Building and a Member of the Chartered Institute of Arbitrators and is also a registered adjudicator on the panels of the Royal Institute of British Architects, the Chartered Institute of Arbitrators and Hunt ADR. He is the founding partner of Michael Gerard Solicitors, a Midlands-based firm of lawyers who practise in the area of construction law.

Latest Issue

BDC 318 : Jul 2024