How Canada’s legal grey zone enables online fraud

Two simple forms of online attack continue to be the most common affecting Canadian businesses

By Neal Jardine, BOXX Insurance | September 12, 2025 | Last updated on September 12, 2025

Photo by iStock/Supatman

Social engineering and fund transfer fraud continue to be the most common and costly forms of cybercrime affecting Canadian businesses. These attacks are alarmingly simple: a fraudster sends an email posing as a supplier, requests a change in payment details and waits for funds to land in their account. No technical breach required.

Financial consequences from these attacks are severe — often six or seven figures — and recovery is rare. But the bigger question facing courts, insurers and businesses is: who’s legally responsible when fraudulent invoices are paid? Is a hacked third party liable for allowing a breach to occur? Does a duped company, the one depositing the money into a fraudulent account, bear any responsibility for the loss?

This remains unresolved in Canada. No case law in this country directly addresses liability in situations where a third party intercepts or manipulates payment instructions via email. But international precedents, particularly in Australia and the U.K., offer insights suggesting how Canadian courts may eventually respond.

Australian precedent

In a recent Australian court decision, Harbour Trust, a property management company, was defrauded after paying an invoice to a fraudster who’d compromised the email account of one of its suppliers, South Townsville Plumbing. Posing as the supplier, the fraudster sent revised banking instructions via email, and Harbour Trust paid the invoice — only to discover later the funds had been misdirected to a fraudulent account. The court found Harbour Trust, the payer, was responsible for the loss.
The rationale was that email is an insecure communication channel, and so the payer had a duty to verify any changes to payment instructions. The judge emphasized Harbour Trust had failed to perform a simple verification step — such as calling the supplier to confirm the new banking details.

This case sets a clear expectation: even if fraud originates from a compromised third-party system, the payer still bears the burden of verification. In the digital age, this marks a significant shift from earlier thinking. Traditionally, courts had viewed the compromised party as being primarily liable.

British precedents

In the U.K., the 1918 case London Joint Stock Bank v. Macmillan remains a cornerstone decision. It says a bank customer has a duty to take ‘reasonable care’ in issuing cheques to avoid forgery or misdirection. If a customer’s negligence facilitates fraud, they may be held liable for resulting losses.

In a 2023 blog post, global law firm Norton Rose Fulbright reviewed a series of U.K. court cases dealing with supplier invoice fraud. Their conclusion: courts have consistently leaned toward assigning responsibility to the payer if they don’t follow verification procedures or ignore red flags.

Today, funds aren’t stolen after they’re sent — they’re diverted before being correctly issued, often due to the manipulation of electronic instructions. This places the onus squarely on the payer to ensure instructions are authentic.

Canada’s legal system has deep roots in U.K. common law and similar reasoning could one day shape a court decision here.

Canada’s legal void

So far, Canadian courts haven’t issued a definitive ruling on who’s liable in cases of social engineering and supplier invoice fraud.
This uncertainty creates challenges for insurers and brokers trying to assess or defend claims. In practice, when a Canadian company pays a fraudulent invoice, the paying party often points out the supplier’s system was compromised. And the supplier may counter that email is inherently insecure. Most cases settle privately, but as the volume of incidents grows, a high-profile legal test case here seems inevitable.

Implications

Legal uncertainty increases the importance of risk transfer strategy. Cyber insurance policies generally cover social engineering or fund transfer fraud. But the policies often come with an agreement at issuance that basic financial crime and fraud controls will be in place, such as:

- Phishing and social engineering training so accountants know what to look for
- Two parties must sign off on large payments
- Email filtering to make sure phishing emails and fraudulent emails are flagged
- Verifications such as a phone call to a known number when a change is made to a normal process

Before 2023, cyber insurance policies commonly included call-back provisions intended to safeguard against social engineering fraud. However, brokers have increasingly advised clients to avoid ‘condition(s) precedent’ language in policies that requires strict verification protocols, as it’s been used to limit coverage at the time of a claim. In practice, these provisions have proven too rigid, leading to confusion and denied claims when insureds fail to precisely follow their internal payment verification procedures. Cyber insurers have since removed call-back provisions, shifting to more practical and client-friendly solutions to cope with social engineering frauds.

For brokers, this is a critical advisory moment. Clients need to understand the risk applies to businesses of all sizes, not just large enterprises. Brokers must help clients understand both the coverages and the reasons why insurers ask if controls are implemented.
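The controls listed above (dual sign-off and a call-back to a number already on file) are what separated a recoverable near-miss from the loss in the Harbour Trust case. The following is an added example, not code from the article or from BOXX Insurance, modelling how an accounts-payable system can enforce both controls before a supplier's bank details change. A request that arrives by email is parked as pending; it can only be confirmed by a call to the phone number captured at onboarding (never a number printed in the email itself), and it needs two distinct approvers before the vendor record is updated. The class and field names, the vendor, account numbers and phone numbers are all constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class VendorRecord:
    """Supplier master data. contact_phone is the number captured at
    onboarding and is the only number a call-back may be made to."""
    name: str
    bank_account: str
    contact_phone: str


@dataclass
class ChangeRequest:
    """A request to change a supplier's bank details, as received."""
    vendor: str
    new_bank_account: str
    channel: str                     # how it arrived, e.g. "email"
    phone_in_request: str = ""       # any number the message itself offers
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)


class VendorMaster:
    """Holds vendor records and enforces the change-control workflow."""

    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.pending = {}
        self.audit = []

    def submit_change(self, req):
        """Park the request; nothing in the vendor record changes yet."""
        if req.vendor not in self.vendors:
            raise KeyError(f"unknown vendor {req.vendor!r}")
        self.pending[req.vendor] = req
        self.audit.append(f"PENDING {req.vendor}: new account requested via {req.channel}")
        return "pending"

    def record_callback(self, vendor, number_dialled, supplier_confirmed):
        """Record an out-of-band check. Only a call to the number already on file
        counts: a number taken from the request is controlled by whoever controls
        the mailbox, so dialling it verifies nothing."""
        req = self.pending[vendor]
        on_file = self.vendors[vendor].contact_phone
        if number_dialled != on_file:
            self.audit.append(f"REJECTED {vendor}: {number_dialled} is not the number on file")
            return False
        req.callback_confirmed = supplier_confirmed
        self.audit.append(f"CALLBACK {vendor}: supplier confirmed={supplier_confirmed}")
        return supplier_confirmed

    def approve(self, vendor, approver):
        """Dual control: count distinct approvers, not approvals."""
        req = self.pending[vendor]
        req.approvers.add(approver)
        return len(req.approvers)

    def apply_change(self, vendor):
        """Apply only when both controls are satisfied; otherwise report what is missing."""
        req = self.pending[vendor]
        missing = []
        if not req.callback_confirmed:
            missing.append("callback")
        if len(req.approvers) < 2:
            missing.append("second approver")
        if missing:
            self.audit.append(f"BLOCKED {vendor}: missing {missing}")
            return "blocked", missing
        self.vendors[vendor].bank_account = req.new_bank_account
        del self.pending[vendor]
        self.audit.append(f"APPLIED {vendor}: account now {req.new_bank_account}")
        return "applied", []


def demo():
    """Walk the article's scenario: an emailed change from a compromised supplier
    mailbox. Vendor, account and phone values are constructed for the example."""
    vm = VendorMaster([VendorRecord("Example Plumbing Ltd", "ACCT-OLD-0001", "+1-555-0100")])
    req = ChangeRequest(vendor="Example Plumbing Ltd", new_bank_account="ACCT-NEW-9999",
                        channel="email", phone_in_request="+1-555-0199")
    results = {}
    results["submitted"] = vm.submit_change(req)
    # Accounts payable calls the number helpfully printed in the email: rejected.
    results["callback_to_email_number"] = vm.record_callback(req.vendor, req.phone_in_request, True)
    # One approver signs off; the change is still blocked on both counts.
    vm.approve(req.vendor, "ap.clerk")
    results["after_one_approval"] = vm.apply_change(req.vendor)
    # Call to the number on file: the real supplier says they never asked.
    results["callback_to_number_on_file"] = vm.record_callback(req.vendor, "+1-555-0100", False)
    results["final"] = vm.apply_change(req.vendor)
    results["account_on_file"] = vm.vendors[req.vendor].bank_account
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is the piece an insurer or investigator would ask for after an incident: it records the rejected call to the emailed number and the supplier's denial, which is the evidence that the verification step the Australian court looked for was actually performed.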
Early notification is among the most effective tools to respond to cyber fraud. When clients act quickly, insurers can better work with banks, payment processors and law enforcement to intercept and recover stolen funds. Clawback efforts are resulting in millions of dollars being recovered. Speed matters.

Businesses should be advised to treat any changes to payment instructions as high-risk events. Implement dual verification processes. Use encrypted communication platforms. Train staff to recognize red flags. And never rely on email alone.

Neal Jardine is chief cyber intelligence and claims officer at BOXX Insurance.

This article is excerpted from one that appeared in the August-September print edition of Canadian Underwriter.