The importance of up-to-date training around email scams has been highlighted in a case at Scotland’s Court of Session where a woman who fell for a £193,000 email scam was judged not to be liable for her employer’s loss.
Patricia Reilly was sacked from her role as credit controller at Peebles Media Group after falling victim to a “whaling” scam. The fraudster, who is still at large, posed as the firm’s managing director Yvonne Bremner by email in 2015 and asked Reilly to make payments to an unknown company. The Glasgow-based company alleged that Reilly ignored bank warnings about making such payments.
The bank refunded £85,000 of the stolen money but Peebles attempted to claim the remaining £108,000 from Reilly.
In his judgment at Scotland’s highest court, Lord Summers described the case as “tragic” and said the fraudster is the “real culprit”.
In her defence, Reilly claimed that her employer was partly to blame because it had not provided training on identifying fraud, and that she had made the “relevant checks” to make sure she was following procedures correctly.
Unlike phishing scams, whaling – or “CEO fraud” – is highly targeted and involves a criminal masquerading as a senior executive. Because fraudsters do not require extensive technical knowledge, the National Cyber Security Centre has described whaling as one of the “biggest risks facing businesses”.
Whaling emails usually contain personalised information about the targeted organisation, tend to convey a sense of urgency, and are often crafted with authentic business language and tone.
Lord Summers ruled he was unable to say whether Reilly was in breach over the bank warnings but that it would not have “altered the outcome”.
He said: “I am persuaded however that the defender acted in breach of her obligation of reasonable skill and care in transferring funds from the invoice financing account to the current account. I consider she did this on her own initiative.
“Although I consider her unilateral decision to transfer company funds without any authority was in breach of contract I do not consider that the loss that ensued was the natural consequence of the breach.”
The judge said he was not satisfied with evidence suggesting that the fraudster’s email address was visible, nor that the language in the email should have raised suspicion. He also noted animosity between the two women.
Lord Summers added that in 2015 “whaling” scams were a “relatively new phenomenon”.