Last Friday we received an e-mail from a worried IT service provider client.

His client’s admin@ e-mail account seems to have been hacked, with the hacker:

  • monitoring the e-mails;
  • noticing an invoice being issued and sent out for $262,708.38;
  • sending out an e-mail advising of a change of bank account, and asking for the invoiced amount to be paid into that account.

The customer duly did as requested.  The account was emptied by the hacker and cannot be traced.

The customer has not paid our client’s client for the service, but has paid the hacker instead.  The debt is still owed.  The office manager should have double-checked the change in payee details by making a phone call.

That will not stop the customer seeking to avoid liability by blaming our client’s client for the lax security that allowed this to happen.

Then our client’s client will blame our client.

The solicitor of our client’s client was going to ring our client for a report.  We suggested that he tell his client that, while he is more than happy to co-operate, he would prefer all queries and requests for reports to be in writing, with confirmation that he will be paid for the work involved in investigating and reporting.

The moral of the story: double-check any change in payee details, and tell everyone you know this story.

For IT-related legal advice, contact Michael Paterson & Associates.