Company fails in claim to recover payment from ex-employee who fell for £200,000 ‘whaling fraud’
A publishing company which sued a former employee for more than £100,000 after she fell victim to a “whaling fraud” has failed in a legal action to recover the funds.
Peebles Media Group raised an action against its former credit controller Patricia Reilly, claiming she was in “breach of her contractual obligation to exercise reasonable skill and care” after she was duped by an online scam in 2015.
But a judge in the Court of Session ruled that while the defender was in breach of contract in relation to some of the payments, the loss suffered by the pursuers was “exceptional and unnatural” because she was “ignorant” of the fraud being perpetrated on her.
‘Whaling fraud’
Lord Summers heard that a fraudster had impersonated the company’ managing director Yvonne Bremner, who was on holiday in Tenerife at the time.
In a series of emails bearing to come from Ms Bremner the fraudster instructed the defender to make various payments, and the defender believing she was in communication with Ms Bremner acted on those instructions.
The court was told that after the first exchange of emails the defender did try to call Ms Bremner and had left a voicemail message about making a payment, but Ms Bremner was not concerned by the message and deleted the voicemail.
A payment of £24,800 was ultimately processed on a Friday afternoon using the company’s online banking system by the defender’s line manager “CC”.
The defender, having watched her line manager process the first payment, was thereafter able to access the online banking system herself.
No doubt buoyed by his or her initial success the fraudster contacted the defender again the following Monday and after a further exchange of emails a payment of £75,200 was made.
The defender had ignored a fraud warning which appeared on the company’s online banking system but she had spoken to the company’s bank manager Alasdair MacKay before processing the payment.
The fraudster continued with his criminal activity the next day, and after another exchange of emails the defender made two further payments of £56,750 and £36,500.
The bank’s fraud prevention system considered that the payment was “suspicious”, but having spoken with the defender Mr MacKay permitted the money to be released.
‘Reasonable skill and care’
The pursuers argued that the emails were “obviously fraudulent” and that in acting on these instructions the defender was in breach of her contractual obligation to exercise reasonable skill and care.
The pursuers alleged that the defender should either have worked out that the emails were false or checked with Ms Bremner to make sure that they were genuine.
The pursuers also argued that the defender’s job was to chase sums due to the pursuers, not to make payment of sums due by the pursuers, and that in making payment the defender “strayed beyond the duties she was authorised to perform” and breached her implied obligation of reasonable skill and care.
The pursuers further offered to prove that in a telephone call with the company’s bank manager the defender was told that she was not authorised to make payments by online banking, and that in ignoring this warning and the warnings that appeared on the online banking system she further breached her implied obligation.
Had she exercised “reasonable skill and care” she would have “heeded the warnings” and discontinued her attempts to make payment, it was submitted.
The defender, who paid out nearly £200,000 in total as a result of the fraud, was later dismissed by the pursuers.
The fraud came to light when Rosemary Morris, the company’s party-time accountant and finance director, visited the premises two days after the final payments were made.
The bank refunded £85,000 of the £193,250 paid out, but the company still suffered a substantial loss and it sued for the unrecovered balance.
‘Unnatural loss’
The issues for the court were whether on the facts proved, the law permitted the pursuers to recover their loss, but the judge ruled in favour of the defender.
In a written opinion, Lord Summers said: “Since the pursuers allege breach of obligation in connection with each payment, I turn now to examine the first payment. In my judgement CC was responsible for this payment. She was the defender’s line manager and was authorised to make online payments. I am unable to see how the defender can be said to have breached her obligation when she submitted the relevant details to her superior.
“The only possible way in which the defender may have breached her obligation of reasonable care and skill is at an earlier stage. It is possible to argue that she should have appreciated that the emails were the work of a fraudster. If she had realised this, the emails would never have been passed to CC.
“I am not satisfied on the evidence adduced that I can draw this inference. The defender stated she had not noticed that there were two email addresses. Given her ignorance of any other features of the transaction that suggested that a fraud was being practised on her and the apparently innocuous nature of the spurious email address, I am not convinced that this evidence demonstrates a breach of her implied obligation.”
In relation to the second payment, the judge stated: “I do not consider that the defender was in breach of her implied obligation of reasonable skill and care in failing to read the fraud warning nor do I consider that it would have made any difference had she read it. I do not consider that the defender was in breach of her implied obligation of reasonable care and skill in continuing to progress the payment after speaking to Mr MacKay.
“Although Mr MacKay had told her she was not authorised to make payments, her boss Yvonne Bremner communicated with her in terms which indicated that the defender should continue to try to make payment. While we know that the email emanated from the fraudster, this was not how it appeared to the defender. Looking at matters from the defender’s point of view, she was entitled to conclude that Yvonne Bremner wished her to make the payment.”
The judge found that the defender was in breach of her obligation in processing the third set of payments, but held that the loss incurred was not a “natural consequence” of the breach.
Lord Summers said: “I do not consider that the language of the final set of emails contains any more clues as to their origin than those that had gone before. In light of the conclusions expressed above I do not consider them to be indicative of breach of contract.
“I am persuaded however that the defender acted in breach of her obligation of reasonable skill and care in transferring funds from the invoice financing account to the current account. I consider she did this on her own initiative.
“Unlike the other transactions this transfer was done on her own initiative. The fraudster did not prompt her to take this step. I am satisfied that switching money in this way was a significant step and that she had no express or implied authority to do so.
“Although I consider her unilateral decision to transfer company funds without any authority was in breach of contract I do not consider that the loss that ensued was the natural consequence of the breach. The loss was exceptional and unnatural because she was ignorant of the fraud being perpetrated on her and on the pursuers.”
The judge concluded: “I can only record my regret that whoever was behind the fraud has not been caught. The fraudster is the real culprit whoever he or she (or possibly they) may be. The pursuers have suffered a major loss. The defender has lost her employment. CC has on top of her health problems suffered a demotion. It is a tragic case.”