Payment into a hacker’s bank account: at the risk of the hacked creditor or the paying debtor?
In a recent ruling, the Supreme Court of the Netherlands gave its opinion on the question as to who will have to bear the risk of a payment made into an incorrect bank account, when a fraudster (often a hacker) poses as the creditor and the debtor, based on statements from this fraudster, makes a payment into an incorrect bank account. This ruling is of major importance for (international) business practices in an increasingly digital world. Lawyer Sjoerd Yntema, who specialises in the law of obligations, discusses this ruling.
Hascor placed an order with Yildirim, which in its turn designated its subsidiary company Devante as the selling party. For the payment of the order, Hascor received an email from an email address ending on “yildirimgroup.com” with an invoice attached to this email. However, this email did not originate from Yildirim or Devante, but from a fraudster who had hacked the systems of the Yildirim group. The invoice that had been attached to the email did not contain the payment details of Yildirim or Devante, but of the fraudster. Hascor then transferred the purchase amount of $ 363,394.00 to the bank account of the fraudster.
Devante et al. claim payment of the invoice from Hascor, who takes the position that it has been discharged from its obligations by this payment, as it had reasons to assume, based on the email and the invoice, that the payment details were correct. In the first instance, the claim brought by Devante et al. was allowed, but on appeal, the court of appeal rejected the claim and ruled that there were circumstances justifying that Hascor has considered – and could reasonably have considered – the forged invoice to be correct can be attributed to Devante.
Supreme Court of the Netherlands
In its ruling, the Supreme Court of the Netherlands links up with the earlier conclusion of Procurator General Assink and holds that if someone, by fraudulently posing as someone else (the creditor), states something for that creditor – in this case, designates a bank account for payment – the starting point is that the creditor may in respect of the person to whom the statement is addressed (in this case, the debtor) rely on the fact that the statement was not made by him, even if the debtor has assumed and could reasonably have assumed that the statement had indeed been made by the creditor.
However, this may be different in some circumstances. These circumstances have to be of such nature that as a result, the fact that the debtor has assumed and reasonably could have assumed that the fraudster’s statement was genuine may wholly or partly be attributed to the creditor (as the Supreme Court also held in a previous ruling). The circumstances may therefore also be of such nature that the debtor’s legitimate reliance on that statement can only be partly attributed to the creditor, and that this remains at the risk and expense of the debtor in all other respects.
According to the Supreme Court of the Netherlands, one of the factors playing a role in the assessment could be the question to what extent the parties have taken adequate precautions to prevent a third party from being able to pose as one of them. In this context, the parties may be expected, if the occasion arises, to explain which efforts they have made to find out in what manner the third party has managed to fraudulently pose as one of them and what the results of these efforts were.
In this particular case, the Supreme Court of the Netherlands found that the Court of Appeal had not ruled incorrectly by dismissing Devante’s claim.
Consequences for daily practice
This ruling is of major importance for international business practices: on the one hand, the parties have to check every payment carefully, as payments made to a fraudster are in principle at their own risk and expense. On the other hand, is it also essential to ensure adequate protection of the systems, as a payment made to a hacker may in some circumstances (including a badly implemented cyber security) qualify as a discharge from the debtor’s obligations, leaving the creditor empty-handed.
The assessment of the facts in such a dispute will vary for each case. AMS Advocaten has extensive experience of such (international) disputes and provides assistance to both creditors and debtors, in and out of court.