A credit controller who mistakenly transferred £200,000 of company money to an email fraudster does not have to repay her former employer, a judge has ruled.
Patricia Reilly (pictured), who worked for Glasgow publisher Peebles Media Group, was fired from her position after she fell victim to an email scam, which convinced her to make online payments amounting to £200,000.
While banks refunded £85,000 of the stolen money, the business sued Reilly in a civil action for the remaining £107,984. But the Scotland Court of Session this week ruled against Peebles Media, in what the judge referred to as “a tragic case”.
- Cybersecurity is too important to be left to the IT department
- How to deal with repeat cyber security offenders
- Morrisons data leak case ‘makes employers more liable for staff behaviour’
Reilly was not found to be in breach of obligation and the loss suffered by Peebles Media was “exceptional and unnatural” because Reilly was ignorant of the fraud being perpetrated on her and the company.
The court heard that on 9 October 2015, Reilly received an email purporting to come from managing director Yvonne Bremner requesting £24,800 be transferred to another company. The email had in fact been sent by scammers.
At the time, both Bremner and Reilly’s line manager, referred to as CC in the court documents, were on annual leave, leaving Reilly “holding the fort”. Reilly managed to contact CC – who, unlike Reilly, was authorised and trained to make such payments – and CC processed the payment online through the business’s bank.
Get more HR and employment law news like this delivered straight to your inbox every day – sign up to People Management’s PM Daily newsletter
The scammer then emailed Reilly several times for larger amounts of £75,200, £56,750 and £36,500. The court heard Reilly processed these later payments, contacting CC once to confirm a PIN needed to access the online banking system. She paid a total of £193,250 via online transfers – including the initial payment processed by CC.
The court heard this was a type of fraud known as ‘whaling’, which typically targets junior members of staff. The fraudster first ascertains that the senior manager is out of the office, clones the manager’s email address and sends out bogus payment instructions to junior staff. The judge noted that at the time of the fraud, these types of scams were “fairly new”.
Reilly was fired from her job on 11 November 2015 for gross misconduct. She appealed against her dismissal but lost. Reilly began tribunal proceedings, but discontinued them before they went to a hearing.
Reilly told The Sunday Post that she did not pursue the case because of the deteriorating health of her late partner, who died of motor neurone disease in July that year. Her line manager, CC, was demoted.
Peebles Media brought its own action against Reilly, arguing she should repay the money not recovered from the bank as she acted in breach of her contractual obligation to exercise reasonable skill and care. It claimed the emails were “obviously fraudulent”.
But the judge, Lord Summers, said he was unable to see how Reilly could have been said to have breached her obligation when her manager was responsible for clearing the initial payment and had allowed Reilly to use her security details.
“She [Reilly] was in the office on her own at this stage. What additional steps should she have taken?... The fact she was holding the fort for more experienced members of staff put her at a significant disadvantage. I do not consider that the defender was in breach of her implied obligation of reasonable skill and care in failing to read the fraud warning, nor do I consider that it would have made any difference had she read it,” he said.
On the point of whether Reilly – who argued contributory negligence on the part of her employer – should have received more training, Summers ruled there was no evidence training was available at the time to address this type of fraud, but added: “The persons who were expected to process online payments were Yvonne Bremner and CC. They were the persons who should have been trained, if that was necessary.”
Paul Holcroft, associate director at Croner, said that in cases such as these, the judge had the final decision on who was responsible for financial loss suffered by a company, and advised employers to investigate ways to protect themselves against “clever new ways” that business security may be compromised.
“Training all relevant staff on the identification of IT security threats and how to deal with them is pivotal to this. A procedure should also be put in place to report any suspected threats received,” said Holcroft.
David Lorimer, director and employment lawyer at Fieldfisher, said the case highlighted the risks of pursuing employees in this way, even if there had been “serious missteps”.
He said businesses could be open to criticism for failing to ensure staff were appropriately trained on the risks and tactics used by fraudsters, as well as negative publicity around the fact that account login details and PINs for company accounts were routinely and widely shared.
However, Lorimer said the case was not a blanket confirmation that an employee would not be liable for a mistake resulting in an unauthorised payment. “For instance, if the successful whaling attack was carried out against a more senior employee and more recently (because such attacks are now part of everyday knowledge and understanding) the outcome could have been very different,” he said.
Employers have been encouraged to consider these types of threats following the High Court ruling against Morrisons, in which the retailer was found vicariously liable for the actions of a worker who exposed 100,000 colleagues’ personal information to the public. An appeal has recently been heard by the Supreme Court; however, the outcome has not yet been announced.
“The stark reality is that employers are susceptible to threats from various sources, whether that be external or internal, as seen in the ongoing Morrisons data breach case in which an employee intentionally misused data. Employers are likely to have to factor in substantial spend on cybersecurity in the future,” said Holcroft.
Lorimer added that the Morrisons case “broadly reflects the ‘policy’ position here that if anyone is to bear the brunt of liability it should be the insured employer, rather than the employee who is less likely to have the means to meet any liability”.