From forged cheques to impersonation scams, fraudsters have long exploited the trust, distance and communication gaps that underpin commercial transactions. But the digital age has given rise to a new and particularly insidious form of deception: business email compromise (BEC) fraud. In these schemes, attackers infiltrate or spoof a businessperson’s email account—often that of a trusted vendor—redirecting payments to fraudulent bank accounts with alarming ease. As the financial consequences of these scams grow, so too does the complexity of the legal questions they raise. In Canada, courts are now beginning to grapple with the thorny issue of who should bear the loss when funds are misdirected due to email fraud: the paying party, whose reliance on the fraudulent instructions may seem careless in hindsight, or the payee, whose compromised systems created the opportunity for the deception.
One of the foundational Canadian decisions addressing loss allocation in BEC fraud is a Small Claims case from Ontario: St. Lawrence Testing & Inspection Co. Ltd. v. Lanark Leeds Distribution Ltd., 2019 CanLII 69697 (ON SCSM). The principles of loss allocation established in St. Lawrence were recently cited with approval by the Supreme Court of British Columbia in Apex Aluminum Extrusions Ltd. v. KD Sales & Service Limited, 2023 BCSC 2529.
This article explores the nascent development of Canadian caselaw dealing with the allocation of loss in payment disputes caused by BEC fraud, and what it means for business, lawyers and the courts as we navigate the newest frontier of commercial fraud.
Key takeaways
Generally, the payor will bear the loss for fraudulent payment instructions unless:
- The parties have specifically allocated liability for payment instructions by contract;
- The intended payee engaged in dishonesty or wilful misconduct with respect to the payment instructions; or
- The intended payee was negligent in causing the threat actor to gain access to its email account.
As a result, businesses should consider adding provisions to their commercial contracts allocating the risk of fraudulent payment instructions. For example, parties to a supply agreement would be wise to add terms stipulating the method of payment, agreeing that payment instructions will not be changed without an amendment to the contract and identifying which party will bear the loss if payment instructions are changed outside of the contract.
The foundation: St. Lawrence Testing & Inspection Co. Ltd. v. Lanark Leeds Distribution Ltd.
In St. Lawrence, the parties negotiated a settlement agreement. At the time, they were unaware that the email account of a paralegal working for the plaintiff’s counsel had been compromised in a BEC attack. The defendant received two emails from the paralegal. The first email gave instructions to send the funds to the firm’s trust account, located in the province of the proceedings. The second (fraudulent) email changed the instructions to send the funds to the account of an unknown person at an Alberta credit union. Relying on the second email, the defendant transferred the funds to the Alberta credit union.
The parties later discovered the fraud. The defendant then commenced a lawsuit, seeking an order confirming that the payment term in the settlement agreement had been satisfied, even though the plaintiff did not receive the funds.
The Court held that the defendant had not fulfilled its payment obligation under the settlement agreement. The Court formulated the following test for determining whether the plaintiff could be held liable: where a threat actor assumes control of the payee’s email account and, impersonating the payee, issues instructions to the payor, who then transfers funds intended for the payee to the fraudster’s account, the payee is liable for the loss only where:
- the payee and payor are parties to a contract that authorizes the payor to rely on email instructions from the payee and, assuming compliance with the terms of the contract, shifts liability for a loss resulting from fraudulent payment instructions to the payee;
- the payee was dishonest or engaged in wilful misconduct; or
- the payee was negligent.
The Court found that none of the three exceptions were available on the facts of the case. It held that the payor was to bear the loss by making another payment to fulfil its payment obligation under the settlement agreement.
Application of St. Lawrence in the Supreme Court of British Columbia
In Apex, the plaintiff supplied the defendant with materials for a construction project and provided the defendant with an invoice. The plaintiff’s email account had been compromised in a BEC attack. Using a spoofed email account, the threat actor provided the defendant with wire payment instructions, first for a bank in Hong Kong and then for a bank in Chicago. The defendant made a wire payment to the account provided by the threat actor. Prior payments from the defendant to the plaintiff had been made by cheque to an account in Canada.
The parties later discovered the BEC fraud. The plaintiff then commenced an action against the defendant for payment on account of the materials supplied to the defendant.
The Court applied the test described in St. Lawrence. The defendant conceded that there was no agreement between the parties authorizing it to rely on email instructions from the plaintiff and that there was no wilful misconduct or dishonesty by the plaintiff.
There was no evidence on the record about the genesis of the BEC fraud. As a result, the Court could not determine whether the BEC attack leading to the fraudulent payment instructions was caused by the plaintiff’s negligence.
The Court went on to consider the apportionment of fault between the parties. The Court found that there were several “red flags” that should have been apparent to the defendant in the spoofed emails, including spelling errors, payment instructions directing a Canadian business’s funds to banks in Hong Kong and Chicago, and unusual comments made by the threat actor in the spoofed emails. As such, the defendant had a duty to make inquiry with respect to those red flags, including by calling the plaintiff to confirm that payment should be made to a bank in Chicago. The defendant took no steps to inquire about the legitimacy of the emails or the payment instructions and, as a result, the Court declined to apportion the loss.
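As an added illustration, not part of the article or either court's record, the following shows how a payor's accounts-payable process could apply the red flags the Court identified in Apex to a proposed change of payment instructions before funds are released. All vendor, domain and email data are constructed, and the misspelling watch list is a stand-in for a real spell checker.

```python
from dataclasses import dataclass

@dataclass
class Vendor:               # vendor master data, maintained outside email
    name: str
    email_domain: str       # domain the vendor is known to send from
    country: str            # country of the account used for prior payments
    pay_method: str         # method used for prior payments (e.g. cheque)
    phone_on_file: str      # number from vendor master, never from the email

@dataclass
class InstructionChange:    # a proposed change of payment instructions
    sender_domain: str      # domain of the address that sent the change
    bank_country: str       # country of the newly supplied bank account
    pay_method: str         # method requested (e.g. wire)
    body: str               # text of the email carrying the instructions
    prior_changes: int      # earlier instruction changes on the same invoice

# Constructed watch list; a real control would use a spell checker.
MISSPELLINGS = {"recieve", "payement", "acount", "transfered"}

def review_change(vendor: Vendor, change: InstructionChange) -> list[str]:
    """Return the red flags that should prompt inquiry before funds are released."""
    flags = []
    if change.sender_domain.lower() != vendor.email_domain.lower():
        flags.append("sender domain does not match the vendor's known domain")
    if change.bank_country != vendor.country:
        flags.append(f"bank in {change.bank_country} for a {vendor.country} vendor")
    if change.pay_method != vendor.pay_method:
        flags.append(f"payment method changed from {vendor.pay_method} to {change.pay_method}")
    if change.prior_changes > 0:
        flags.append(f"{change.prior_changes} earlier change(s) of instructions on this invoice")
    words = {w.strip(".,!").lower() for w in change.body.split()}
    if words & MISSPELLINGS:
        flags.append("spelling errors in the instruction email")
    return flags

def decide(vendor: Vendor, change: InstructionChange) -> tuple[str, list[str], str]:
    """HOLD and require out-of-band confirmation when any flag is raised."""
    flags = review_change(vendor, change)
    if flags:
        return "HOLD", flags, f"call {vendor.name} at {vendor.phone_on_file} to confirm"
    return "RELEASE", [], ""

# Constructed data modelled on the Apex facts: a Canadian supplier previously
# paid by cheque, then a spoofed email asks for a wire to Chicago after Hong Kong.
APEX_VENDOR = Vendor("Apex (constructed)", "example-vendor.ca", "Canada",
                     "cheque", "+1-000-000-0000")
SPOOFED = InstructionChange("example-vend0r.ca", "United States", "wire",
                            "Please send the payement to our new Chicago acount.", 1)
```

The confirmation call uses the phone number held in vendor master data rather than any number supplied in the email, which is the inquiry the Court said the defendant should have made.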
Conclusion
BEC fraud highlights the importance of both technological safeguards and contractual clarity. As BEC fraud becomes more prevalent and sophisticated, the legal landscape will continue to evolve, placing increased pressure on businesses and lawyers to proactively manage these risks.