By Matthew Friedlander, Chris Recker and Sam Laycock
Cyber fraud is a real and present danger across almost all industry sectors, and the construction sector is not immune as our recent article demonstrated. According to the FCA there has been a jump of 52% in incident reports and recent global conflict may possibly increase this threat.
One of the primary types of fraud affecting the construction industry is the prevalence of payment diversion fraud. It is estimated that contractors pay out around £100m per year in fake invoices. In some cases, a single instance of payment diversion fraud can amount to millions of pounds. In such cases it is easy to see how the fraud would place intolerable pressure on the cash flow of a business and in extreme instances even lead to insolvency. In an industry already under pressure through factors such as super-inflation and rising energy costs, fraud is yet another unwelcome factor which can be detrimental to cash flow on a project.
The problems do not end with cash flow issues.
Payments made due to a fraud are not always covered by insurance and, therefore, a business may find itself having to incur legal costs to address the issue. For example, a contractor may be forced to defend its position (having made a payment to a fraudster) or alternatively may have to advance a claim to recover a payment that it was owed but which was made to a fraudster by a third party.
In addition, the types of fraud are becoming more complex – and can often lead to other risks for an organisation such as ransomware or even more problematic, the unlawful processing of personal data. Inadvertently finding yourself on the wrong side of the regulator due to a data breach is not something to be trifled with.
Payment diversion fraud (or mandate fraud) generally happens in one of two ways and sometimes can be a combination of the two:
- The fraudster, often through hacking or social engineering, gains access to a victim’s email account. This allows the fraudster to monitor emails, set rules and potentially move laterally within the network. The fraudster can then exploit financial controls within the organisation and send emails from a genuine account with a view to diverting a payment away or accessing data or confidential information.
- The fraudster sends a purportedly genuine email from a spoofed email address to a victim (pretending to be a legitimate party). That email might include a ‘revised’ invoice, or include a link that they hope the victim will click on, which may infect an email account or network with malware. The fraudster, in this scenario, is focussed on tricking a third party, and the emails can be difficult to spot even for the most astute. See, for example, the difference between a legitimate ‘email@example.com’ address and the fraudulent ‘secureítsystems@info.com’. It is often the case that the invoices or documents themselves appear entirely legitimate, with one exception: the bank details are changed to the account operated by the fraudster.
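The look-alike address above is hard for a person to spot, but it is easy for a mail filter to flag. The following is an added example, not code from the original article or from any product it mentions; it assumes a constructed allow-list of verified vendor domains (`TRUSTED_DOMAINS`) and a small, constructed table of commonly confused characters. It reports non-ASCII characters by name, recognises accented or digit-for-letter look-alikes of a trusted domain, and flags domains that are not on the list at all.

```python
import unicodedata

# Constructed allow-list of vendor domains the organisation has verified (assumption).
TRUSTED_DOMAINS = {"example.com"}

# Constructed, deliberately small table of characters that are easily mistaken for
# ASCII letters: a few Cyrillic letters plus the digit-for-letter substitutions.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "1": "l", "0": "o",
})


def fold(text):
    """Strip accents (so 'í' becomes 'i') and map confusable characters to ASCII."""
    decomposed = unicodedata.normalize("NFKD", text)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return without_marks.translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss domains such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(address, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return ["malformed address"]
    domain = domain.lower()

    # 1. Any non-ASCII character in either part is worth a second look; name it for the reviewer.
    for part, chars in (("local part", local), ("domain", domain)):
        odd = [c for c in chars if ord(c) > 127]
        if odd:
            names = ", ".join(f"{c!r} ({unicodedata.name(c, 'UNKNOWN')})" for c in odd)
            findings.append(f"non-ASCII characters in {part}: {names}")

    # 2. Compare the folded domain against the folded allow-list.
    trusted_folded = {fold(t): t for t in trusted_domains}
    folded = fold(domain)
    if folded in trusted_folded:
        if domain != trusted_folded[folded]:
            findings.append(
                f"domain '{domain}' is a look-alike of trusted '{trusted_folded[folded]}'")
    else:
        findings.append(f"domain '{domain}' is not a verified vendor domain")
        for t in trusted_folded:
            if edit_distance(folded, t) <= 2:
                findings.append(f"domain '{domain}' is within 2 edits of trusted '{t}'")
    return findings


if __name__ == "__main__":
    for addr in ("email@example.com", "secureítsystems@info.com",
                 "invoices@examp1e.com", "billing@exámple.com"):
        print(addr, "->", assess_sender(addr) or ["no findings"])
```

A filter like this belongs in front of the accounts-payable mailbox, not as the only control: the first scenario in the list above (a genuine account that has been taken over) produces a perfectly clean sender address, which is why the telephone confirmation described later in the article is still needed.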
As to how the Courts approach payment diversion fraud, the case law in this area is developing. However, the Court has grappled with this concept specifically in the construction sector (see J Brazil Road Contractors v Belectric Solar Ltd 1 WLUK 294).
The case revolved around the hacking of the Claimant’s BT email account, which resulted in the proceeds of a fake invoice totalling over £20,000 being diverted away from the Claimant. This invoice was relied upon by the Defendant when making the payment. The Defendant was unaware that the bank details belonged to a fraudster. The Claimant then brought proceedings for the full invoice value, which it had not received. It was held that, although both parties were innocent in the fraud, the Defendant was still required to pay the invoice value to the Claimant (meaning that it had to pay twice). The judgment indicates that it is unlikely that a hacked or tampered email will release a party from its payment obligations, and the fraud can therefore add an extra layer of financial turmoil for those affected.
What practical steps can organisations in the construction sector take to protect themselves? Ultimately, prevention is better than cure.
The better prepared an organisation is, the better it is able to respond and take steps to recover from an incident. This includes training staff, and having robust policies and procedures to ensure that changes in financial details for vendors (for example) are confirmed by telephone, and by a different person within the organisation from the one who received the request. It is also possible to purchase specific software, or engage cyber security experts, who can provide monitoring and threat hunting services, including those focussed around artificial intelligence.
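The vendor-detail control described above can be enforced in the payment run itself rather than left to memory. The following is an added example, not code from the original article or from any accounts-payable product; the record types, the "telephone" channel value and the sample data are all constructed for illustration. An invoice is paid only if its bank details match the vendor master, or if a change record exists that was confirmed by telephone by a colleague other than the person who received the change request.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    """Bank details held in the vendor master file (constructed type)."""
    vendor_id: str
    sort_code: str
    account: str


@dataclass(frozen=True)
class VerifiedChange:
    """A recorded bank-detail change and how it was confirmed (constructed type)."""
    vendor_id: str
    new_sort_code: str
    new_account: str
    requested_by: str   # staff member who received the change request (e.g. by email)
    confirmed_by: str   # staff member who rang the vendor on the number already on file
    channel: str        # policy requires "telephone"


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    amount: float
    sort_code: str
    account: str


def check_payment(invoice, master, changes):
    """Return (approved, reason). `master` maps vendor_id -> VendorRecord;
    `changes` is the list of VerifiedChange records on file."""
    record = master.get(invoice.vendor_id)
    if record is None:
        return False, "unknown vendor"

    # Fast path: details match the vendor master exactly.
    if (invoice.sort_code, invoice.account) == (record.sort_code, record.account):
        return True, "bank details match vendor master"

    # Details differ: only an independently confirmed change may let the payment through.
    for change in changes:
        if change.vendor_id != invoice.vendor_id:
            continue
        if (change.new_sort_code, change.new_account) != (invoice.sort_code, invoice.account):
            continue
        if change.channel != "telephone":
            return False, f"change confirmed via '{change.channel}', policy requires telephone"
        if change.confirmed_by == change.requested_by:
            return False, "change confirmed by the same person who received the request"
        return True, f"change confirmed by telephone by {change.confirmed_by}"

    return False, "bank details differ from vendor master and no verified change is on file"


# Constructed sample data (assumption, not real vendors or account numbers).
MASTER = {"V100": VendorRecord("V100", "00-00-00", "00000001")}
CHANGES = [
    VerifiedChange("V100", "11-11-11", "00000002", requested_by="alice",
                   confirmed_by="bob", channel="telephone"),
    VerifiedChange("V100", "22-22-22", "00000003", requested_by="alice",
                   confirmed_by="alice", channel="email"),
]


def run_samples():
    """Exercise the four cases the policy distinguishes; returns the decisions."""
    invoices = [
        Invoice("V100", 5000.0, "00-00-00", "00000001"),  # unchanged details
        Invoice("V100", 5000.0, "11-11-11", "00000002"),  # properly verified change
        Invoice("V100", 5000.0, "22-22-22", "00000003"),  # change "confirmed" by email
        Invoice("V100", 5000.0, "33-33-33", "00000004"),  # no change record at all
    ]
    return [check_payment(inv, MASTER, CHANGES) for inv in invoices]


if __name__ == "__main__":
    for approved, reason in run_samples():
        print("PAY " if approved else "HOLD", reason)
```

The point of the four-eyes rule in `check_payment` is that an attacker who controls one mailbox, or has persuaded one employee, still cannot get new bank details accepted; the confirming call must go to the number already on file, never to one supplied in the change request.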
Parties can also look to their construction contracts. Robust payment procedures can be spelt out as contractual obligations which can only be changed via the notice provisions under the contract. For example, should a party change its payment details, it could be made a requirement under the contract that notice of that change must be served before any payment is made to the new bank details. In circumstances where a payment is made to a fraudster outside of any notice provision, that would in principle be a breach of the contract which may entitle an aggrieved party to damages. However, the utility of such clauses has its limitations. It would still require an investigation into which party has suffered the hacking (which is not always easy to establish) and may also require the commencement of a claim by the aggrieved party, which would further delay any receipt of payment. Where cash is critical to a business, that may have dire consequences.
Reaction to the Fraud
Ultimately even the best preparations can fail and fraud can occur. However, good preparation will usually facilitate a faster response time to an incident and engage the relevant teams to assess the standing position (for example legal, cyber security and PR).
From a legal perspective, it is important to engage expert legal counsel as quickly as possible so that the process of tracing the misappropriated assets can begin, and the threat of the assets being dissipated is minimised.
Applications for proprietary injunctions and worldwide freezing orders can be used in conjunction to prevent dissipation of assets by persons unknown, and can be made without notice. This is a strategy the English courts have accepted, and it is regularly used in these types of cases (for example, see CMOC v Persons Unknown EWHC 3599 (Comm)).
As is often the case, the misappropriated assets will be moved internationally and sometimes through different mediums such as cryptocurrency. Having a legal team with extensive experience of international tracing and recovery of various asset classes is therefore vital.
Finally, the global pandemic has hastened the reliance on technology, and that has brought its own challenges in the form of criminal threats. This area of law is ever evolving. Failure to take reasonable preventative steps to protect your business may result in potential liability to other parts of the supply chain affected by the fraud. There may be duties to notify or warn your supply chain if you have been a victim of such fraud, so that others can take preventative measures. Organisations must take precautions, be vigilant and be prepared to act swiftly where cyber fraud occurs.
Remember if something is suspicious, or sounds too good to be true, it probably is!
“Contractors warned over multi-million-pound invoice fraud”, Construction News, David Price, 25 January 2022.