Regional court ruling: Who is liable for phishing with manipulated emails?

The Regional Court of Rostock has clarified who bears the risk when an invoice payment is transferred to the wrong account because of "misinformation" from a phishing attack.

A recent ruling by the Regional Court of Rostock has clarified an important question that is coming up more and more frequently in civil law: Who is liable if someone transfers money to a false account due to a manipulated email in a phishing attack? The court has clarified that in such cases, the biller still has a claim against the injured party. This applies at least if the signs of a forgery are recognizable. The risk then lies with the remitter.

Specifically, according to the recently published judgment of November 20, 2024 (Ref.: 2 O 450/24), the case concerns the following: The plaintiff, a construction company, had concluded a contract with the defendant, another company, for painting and drywall construction work. When the construction company sent a first partial invoice by email, the defendant received an almost identical email shortly afterwards. The catch: In this second email, the bank details were falsified and there were also small errors in the HTML formatting. The victimized company nevertheless transferred around 37,730 euros to the account specified in the forged email.

As the construction company did not receive the money, it demanded payment again. The defendant refused and argued that it had itself become a victim because the construction company's email system was allegedly not secured well enough. It believed that it had already settled its debt by transferring the money.

The Rostock judges did not accept this: If money is transferred to the wrong recipient, the invoice is not paid, they stated. According to them, the construction company had neither specified nor authorized the incorrect account details itself. There was also no indication that the construction company had tacitly agreed to the money being transferred to a different account.

The court also rejected the defendant's attempt to accuse the plaintiff of breaching its duty of care. According to the court, it is common practice to use emails in business transactions. However, it is also known that this medium can be susceptible to attacks. An actual "hacking" of the construction company could not be proven. Even in such a case, the main fault would lie with the defendant.

The judges also criticized the transferring company for overlooking obvious indications of manipulation. These included incorrectly displayed umlauts, strange HTML characters in the text and, above all, the conspicuous change of the known account details to a Dutch bank. Such things should have made the defendant suspicious and prompted it to make inquiries with the construction company.

According to lawyer Jens Fener, the ruling strengthens legal certainty in electronic business transactions. Anyone making payments must check any deviations from known bank details: "Control takes precedence over trust." However, it always depends on the individual case. Such scams do not only affect companies: Saxony's Ministry of Health paid a fraudulent invoice in 2023 and transferred 225,000 euros to criminals. The police warned of the scam back in 2016.

(vbr)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.