Online fraud was a commonly reported news item last year, and we anticipate that this problem will continue to gain traction in 2020. We look back at a case from the Outer House of the Court of Session from late 2019, which illustrates the risks to employers and employees alike.
Peebles Media Group Ltd against Patricia Reilly ( CSOH 89).
What’s it about?
The pursuer, a Glasgow-based media group, raised a claim for damages against the defender, a former employee, for causing the company to lose £107,984.02 to a whaling fraud.
“Whaling” is a relatively new type of fraud. Many of us have heard the term “phishing”, which describes a fraudster sending messages out to a large group of people chosen at random, in an attempt to dupe as many as possible. Whaling is somewhat more sophisticated, with the fraudster targeting specific companies and personnel.
The defender was a credit controller at the pursuer company, who received emails appearing to be from her boss’ email address. The messages asked her to make substantial payments to a number of companies. Nothing about the emails aroused the defender’s suspicions, and she duly executed the payments. It was not part of her job to make payments, but both her boss and the employee who usually dealt with outgoing payments were on holiday. The fraudster, emboldened by the success of their first attempt, made further payment requests over a number of days. These requests were also complied with by the defender; whom, noticing that the company current account had insufficient funds, took it upon herself to transfer money from the invoicing account. The defender paid out a total of £193,000, of which the pursuer’s bank was able to recover approximately £85,000.
What were the legal arguments?
The pursuer felt that the emails were obviously fraudulent: the language, tone and errors in the messages should have raised the defender’s suspicions that the messages were not really from her boss. The pursuer argued that the defender had breached her contractual obligation to exercise reasonable care and skill, in making the payments without verifying that the requests were genuine. The defender strayed well beyond the limits of her authority by transferring funds from another company account without any instructions to do so.
The defender argued that no remedy was available to an employer for losses caused by an employee. Lord Summers considered the cases of Lister and Janata Bank;  noting that it is indeed rare that an employer recovers damages from an employee. However, he found that that pursuer was entitled to damages if they could establish breach of contract.
Lord Summers was not convinced by the defender’s plea of contributory negligence, which was argued on the basis that she had not been trained to identify fraud.
What was the outcome?
Lord Summers sympathised with all of the involved parties; the business having lost a substantial amount of money and the defender having lost her job.
He did not agree with the pursuer that the emails were obviously fraudulent, and was not convinced that the defender had breached her contractual obligations in making the first set of payments to the fraudster. However, he did find that in transferring money from the company invoice account, she was in breach of her obligation of reasonable care and skill. The pursuer’s arguments ultimately fell down at the hurdles of causation and remoteness of loss. The defender had attempted to phone her boss after receiving the first of the emails, but was unable to get through because her boss was on holiday. Her boss being unreachable by phone, the only way for the defender to seek authority for the transfer of funds was via email. Had she asked for authority to transfer the funds from the person she believed was her boss, the fraudster would simply have encouraged the defender to go ahead, and the payments would still have been made. The pursuer had not established that if the defender had performed her duties correctly, the money would not have been lost.
What’s the impact?
Lord Summers’ judgement provides useful insight for employment law and professional negligence practitioners on the availability of damages for employers for loss caused by employees. The case also cautions us always to treat emails asking for money with suspicion, even when we believe they are from a sender we trust.
 Lister v Romford Ice and Cold Storage Co Ltd  2 W.L.R. 158
 Janata Bank v Ahmed  7 WLUK 83