The recently released decision stated that the woman then received another email from the carpet company's genuine address, carrying its usual email signature, advising that it had updated its payment details and that the 50 per cent deposit should now be paid into an alternative account.
She paid the $5,007.83 deposit accordingly, but five days later was informed by a bank fraud team that the company's email account had been compromised.
The bank explained that her emails to the company had been intercepted by the hacker and that her payment could not be recovered.
After she verified the account number by phone and made a second payment to the company, of $5,007.84, her carpet was installed.
The carpet business took the position that the woman’s second payment was her deposit, while she believed it completed the full amount owed.
The company then began sending the woman demand letters for the deposit portion of the costs, which she had paid but which the hacker had diverted.
So she turned to the Disputes Tribunal, seeking a declaration that she was not liable for the initial sum.
In the tribunal's decision, referee Elizabeth Paton-Simpson said any business was in a much better position to insure against Business Email Compromise (BEC) fraud than consumers were.
However, the law on who should bear the loss in fraud cases like this one was not clear and was still developing, she said.
“The context is also evolving, as BEC fraud is becoming a more widely known business risk and the techniques used by cybercriminals are becoming more sophisticated,” Paton-Simpson said.
“So far as I have been able to find, there is no New Zealand case law on the issue, and the overseas cases differ factually from the current situation.”
In finding in the woman’s favour, Paton-Simpson said the company had a duty to be aware of BEC fraud, to take precautions against it and to warn its customers.
“The extent of a business’s cybersecurity is entirely within the control and knowledge of that business and its chosen IT consultants, not its customers,” she said in the decision.
“If a customer is shown to have been negligent, the responsibility may be shared or the business may even be exonerated from responsibility but otherwise the business that was hacked should generally bear the loss.”
While the company argued the email to the woman should have "rung alarm bells" and that she should have rung them to confirm the new payment details, Paton-Simpson found that placed too high an expectation on a consumer to understand business matters.
“If the email had borne more resemblance to the usual spam emails consumers receive, such as being full of spelling mistakes and grammatical errors but devoid of personal detail, or asking the consumer to click on a link that goes to an unrelated site, the outcome might have been different,” she said.
“The fraud involved email hacking rather than ‘spoofing’ an email address, so was more difficult for the customer to detect. The email address used was the true email address, not just something similar, and the hacker was able to use personal details to make its emails convincing.”
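The distinction the referee draws here, between a lookalike address and the genuine mailbox, is the reason sender-address checks alone cannot protect a customer. The Python below is an added illustration, not part of the decision or of this article: it flags lookalike senders using homoglyph folding and edit distance, and shows that the scenario in this case (the supplier's real address, a changed bank account) passes that check unremarked, leaving the change of payment details itself as the only signal to act on. The addresses, messages and fold table are constructed for the example.

```python
"""Compare a payment-instruction email with an earlier trusted one from the same supplier.

Added example: all addresses, messages and the homoglyph table are constructed.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Homoglyph substitutions commonly seen in lookalike domains; illustrative, not exhaustive.
# Applied to both addresses, so a legitimate 'rn' in a real name does not skew the comparison.
_FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# 'updated/new/changed/alternative' within three words of 'bank/account/payment'.
_PAYMENT_CHANGE = re.compile(
    r"\b(updated|new|changed|alternative)\b\W+(?:\w+\W+){0,3}?\b(bank|account|payment)\b", re.I)


def normalize_address(addr: str) -> str:
    """Lowercase, Unicode-fold (NFKC) and collapse common homoglyphs in an email address."""
    addr = unicodedata.normalize("NFKC", addr).lower().strip()
    for src, dst in _FOLDS:
        addr = addr.replace(src, dst)
    return addr


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(known: str, observed: str) -> str:
    """'identical' for the same mailbox (the hacked-account case), 'lookalike' when the
    address differs only by homoglyphs or up to two edits (the spoofing case), else 'different'."""
    k, o = parseaddr(known)[1], parseaddr(observed)[1]
    if k.lower() == o.lower():
        return "identical"
    nk, no = normalize_address(k), normalize_address(o)
    if nk == no or edit_distance(nk, no) <= 2:
        return "lookalike"
    return "different"


def mentions_payment_change(body: str) -> bool:
    """Heuristic for 'we have updated our bank details' style wording."""
    return bool(_PAYMENT_CHANGE.search(body))


def verdict(sender: str, payment_change: bool) -> str:
    if sender == "lookalike":
        return "reject: sender address imitates the known supplier"
    if payment_change:
        # The genuine address passes every sender check, so the account change itself
        # is the trigger: confirm on a number from the earlier quote, never from this email.
        return "hold payment: confirm the new account by phone on a previously known number"
    return "no change in payment instructions"


def assess(known_email: str, new_email: str) -> dict:
    """Parse two raw RFC 822 messages and compare sender and payment wording."""
    known = message_from_string(known_email)
    new = message_from_string(new_email)
    sender = classify_sender(known["From"], new["From"])
    change = mentions_payment_change(new.get_payload())
    return {"sender": sender, "payment_change": change, "verdict": verdict(sender, change)}


# Constructed sample messages (the supplier domain is fictitious).
KNOWN_EMAIL = """\
From: Quotes <quotes@example-carpets.co.nz>
To: customer@example.org
Subject: Quote 1041 - lounge carpet

Thanks for choosing us. Your quote is attached; a 50 per cent deposit
secures the installation date. Regards, Sam
"""

COMPROMISED_EMAIL = """\
From: Quotes <quotes@example-carpets.co.nz>
To: customer@example.org
Subject: Re: Quote 1041 - lounge carpet

Hi, we have updated our payment details. Please pay the deposit into
the alternative account below. Regards, Sam
"""

LOOKALIKE_EMAIL = COMPROMISED_EMAIL.replace("example-carpets", "examp1e-carpets")

if __name__ == "__main__":
    for label, msg in (("compromised mailbox", COMPROMISED_EMAIL), ("lookalike domain", LOOKALIKE_EMAIL)):
        print(label, assess(KNOWN_EMAIL, msg))
```

Run stand-alone, the lookalike message is rejected on its address alone, while the message from the compromised genuine mailbox is classified "identical" and is caught only because its wording announces a change of account. That is the gap the referee describes: the customer's only defence in the second case is an out-of-band check against contact details obtained before the suspicious email arrived.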
A spokesperson for CERT NZ, which provides online security information on behalf of the Ministry of Business, Innovation and Employment, did not respond directly to questions about the lack of case law for similar fraud in New Zealand.
They instead provided general advice on how to avoid being hacked, such as using two-factor authentication and strong, unique passwords.
The spokesperson said payments should be preceded by a phone call to the person or business who sent you the invoice, where possible.