The Employee and the Whale

Lord Summers’ recent judgment in the case of Peebles Media Group Ltd v Patricia Kelly has no happy ending, describing as it does a situation that is increasingly common in the UK – ‘whaling fraud’. Unlike ‘phishing’, where fraudulent emails are sent to a large number of potential victims in the hope that one takes the bait, whaling is a more targeted form of cybercrime. Emails purporting to be from someone in senior management are sent to a junior member of staff, asking them to make a payment to a fictitious supplier.

In this particular case, the fraud was perpetrated on three occasions over a week when both the Managing Director and the manager in charge of making payments were on holiday. As a result, the company lost over £100,000, the junior employee (Ms. Kelly) was sacked, and her line manager was demoted. 

In an attempt to recoup its loss, Peebles Media Group Ltd sued Patricia, who it alleged was in breach of an implied term of her employment contract. That breach, it was claimed, led to the loss, which should be repaid.

Implied and express contract terms

The case against Ms. Kelly was that she had breached an implied term of her contract to act with reasonable skill and care. All contracts have express terms that are agreed between parties before the contract is signed. However, implied terms are common in all types of contracts, particularly in contracts of employment. They are designed to ensure that the employment relationship works and often focus on issues that may seem obvious but are not always addressed in the contract itself. Implied terms will be read into a contract as if they were expressly included from day one. 

Breach of contractual duty and negligence

The implied term relied on here was the employee's duty to act with reasonable skill and care. This is a performance obligation and is seen as analogous to the standard of care in negligence claims. It is not, however, the same, and it is important to be aware of the differences. In contractual claims, the relationship is clear and defined by the contract, as is the obligation. In delict, the concept of relationship can be far wider and is established by looking at whether there is a duty of care, whether harm was foreseeable and whether it is fair, just and reasonable to impose a duty in the circumstances. The obligation is also imposed by law and not agreed between parties. Whether you sue in contract or delict also has an impact on whether the loss is something that can be compensated.

Breach of obligation

In this case, it was claimed that Ms. Kelly had breached her contractual obligation by:

  1. Failing to realise the emails were fraudulent or failing to check that they were genuine by phoning her boss.
  2. Making the payments, as she was operating outwith her remit.
  3. Proceeding with a transaction after being told by the Bank that she had no authority to do so.

Result

The Court approached the case by looking at the three emails separately. In all three cases, Peebles Media Group pointed to discrepancies in the language and style of the emails, compared to the usual communications from the Managing Director. They also pointed to changes in the email address. Of more significance was the fact that by using the online banking system, Ms. Kelly would have been presented with a fraud warning. This specifically deals with common traits in ‘whaling’ scams and should have alerted her to the fact that these emails were suspicious.

Dealing with the first email, the Court found that Ms. Kelly’s Manager, who had not yet departed on holiday and with whom Ms. Kelly had consulted, was responsible for the payment. Her manager did the online banking transaction, skipping through the fraud warning as she did so. For the second email, Ms. Kelly did the online banking, also skipping over the fraud warning. However, as she was following the example set by her superior, she had not breached her duty.

In relation to the third email, there was no real additional indication of fraud to put Ms. Kelly on alert. However, on this occasion, she transferred money from another account to facilitate payment. This she did on her own initiative. This was a breach of her obligation of reasonable skill and care. If she had acted with reasonable skill and care, she would have spoken with the Managing Director or her Manager before doing so. However, the Managing Director had not responded to her call earlier in the holiday. She could have emailed, but the email would have been received by the fraudster, and the loss would still have occurred. Besides, the Court did not consider that the loss was a natural consequence of the breach so she could not be held responsible for the damage caused.

Ms. Kelly was not found to be liable for any of the loss sustained through the fraud.

Comment

It is the fraudster that is the real culprit here. All the other parties have suffered a loss. Although not relevant to its decision making, the Court also considered the issue of contributory negligence. Ms. Kelly claimed that Peebles Media Group had contributed to the loss by failing to train her to identify fraud. At the time that this fraud was committed, ‘whaling’ was a relatively new concept, and it was not clear whether there would have been training available. However, if it had been and Ms. Kelly had been trained, it may have made a difference to the outcome.

The real moral of this tale, therefore, is that prevention is better than cure, and cybercrime training should be essential for all individuals in your business who deal with payments or might have to deal with payments in the absence of others.
