The Employee and the Whale

Lord Summers’ recent judgement in the case of Peebles Media Group Ltd v Patricia Kelly has no happy ending, describing as it does a situation that is increasingly common in the UK – ‘whaling fraud’. Unlike ‘phishing’, where fraudulent emails are sent to a large number of potential victims in the hope that one takes the bait, whaling is a more targeted form of cybercrime. Emails purporting to be from someone in senior management are sent to a junior member of staff, asking them to make a payment to a fictitious supplier.

In this particular case, the fraud was perpetrated on three occasions over a week when both the Managing Director and the manager in charge of making payments were on holiday. As a result, the company lost over £100,000, the junior employee (Ms. Kelly) was sacked, and her line manager was demoted. 

In an attempt to recoup its loss, Peebles Media Group Ltd sued Patricia, who it alleged was in breach of an implied term of her employment contract. That breach, it was claimed, led to the loss, which should be repaid.

Implied and express contract terms

The case against Ms. Kelly was that she had breached an implied term of her contract to act with reasonable skill and care. All contracts have express terms that are agreed between parties before the contract is signed. However, implied terms are common in all types of contracts, particularly in contracts of employment. They are designed to ensure that the employment relationship works and often focus on issues that may seem obvious but are not always addressed in the contract itself. Implied terms will be read into a contract as if they were expressly included from day one. 

Breach of contractual duty and negligence

The implied term relied on here was the employee's duty to act with reasonable skill and care. This is a performance obligation and is seen as analogous to the standard of care in negligence claims. It is not, however, the same, and it is important to be aware of the differences. In contractual claims, the relationship is clear and defined by the contract, as is the obligation. In delict, the concept of relationship can be far wider and is established by looking at whether there is a duty of care, whether harm was foreseeable and whether it is fair, just and reasonable to impose a duty in the circumstances. The obligation is also imposed by law and not agreed between parties. Whether you sue in contract or delict also has an impact on whether the loss is something that can be compensated.

Breach of obligation

In this case, it was claimed that Ms. Kelly had breached her contractual obligation by:

  1. Failing to realise the emails were fraudulent or failing to check that they were genuine by phoning her boss.
  2. Making the payments as she was operating outwith her remit.
  3. Proceeding with a transaction after being told by the Bank that she had no authority to do so.

Result

The Court approached the case by looking at the three emails separately. In all three cases, Peebles Media Group pointed to discrepancies in the language and style of the emails, compared to the usual communications from the Managing Director. They also pointed to changes in the email address. Of more significance was the fact that by using the online banking system, Ms. Kelly would have been presented with a fraud warning. This specifically deals with common traits in ‘whaling’ scams and should have alerted her to the fact that these emails were suspicious.

Dealing with the first email, the Court found that Ms. Kelly’s Manager, who had not yet departed on holiday and with whom Ms. Kelly had consulted, was responsible for the payment. Her manager did the online banking transaction, skipping through the fraud warning as she did so. In the second email, Ms. Kelly did the online banking, also skipping over the fraud warning. However, as she was following the example set by her superior, she had not breached her duty.

In relation to the third email, there was no real additional indication of fraud to put Ms. Kelly on alert. However, on this occasion, she transferred money from another account to facilitate payment. This she did on her own initiative. This was a breach of her obligation of reasonable skill and care. If she had acted with reasonable skill and care, she would have spoken with the Managing Director or her Manager before doing so. However, the Managing Director had not responded to her call earlier in the holiday. She could have emailed, but the email would have been received by the fraudster, and the loss would still have occurred. Besides, the Court did not consider that the loss was a natural consequence of the breach so she could not be held responsible for the damage caused.

Ms. Kelly was not found to be liable for any of the loss sustained through the fraud.

Comment

It is the fraudster that is the real culprit here. All the other parties have suffered a loss. Although not relevant to its decision making, the Court also considered the issue of contributory negligence. Ms. Kelly claimed that Peebles Media Group had contributed to the loss by failing to train her to identify fraud. At the time that this fraud was committed, ‘whaling’ was a relatively new concept, and it was not clear whether there would have been training available. However, if it had been and Ms. Kelly had been trained, it may have made a difference to the outcome.

The real moral of this tale, therefore, is that prevention is better than cure, and cybercrime training should be essential for all individuals in your business who deal with payments or might have to deal with payments in the absence of others.
