The Man In the Middle scam and its civil consequences
How does it affect the performance of a civil or commercial contract when a hacker intercepts the debtor’s payment, and is the debtor released from the obligation?
Consider the following factual situation: ENTERPRISE, S.A., after lengthy negotiations with a prospective supplier, MAKER, S.A., has closed a deal worth half a million euros to buy from MAKER, S.A. a state-of-the-art machine that will allow it to position itself among the best competitors in its sector.
MAKER, S.A. has everything ready to start manufacturing the machine, but ENTERPRISE, S.A. is late in paying the agreed advance payments, so MAKER, S.A. sends an e-mail reminding it of the payment. ENTERPRISE, S.A. immediately replies with a receipt for a payment made two weeks earlier, in the amount of 250.000 €, to a bank account MAKER, S.A. does not recognise. MAKER, S.A. spots the error and replies that the bank account is not the correct one. ENTERPRISE, S.A. then forwards a series of e-mails in which MAKER, S.A. itself (or an e-mail address very similar to the one used by MAKER, S.A.) had sent it a new invoice and indicated that the company had changed its bank account. It was then that the scam was uncovered.
It is the so-called “Man in the middle” scam
For almost a year, a third party had infiltrated the e-mail account of one of the parties and patiently monitored the e-mails they exchanged. When he finally saw that the parties had concluded the deal and were about to make the payment, he took action. He impersonated the supplier and sent an e-mail with new payment instructions, indicating a new bank account, usually offshore and controlled by him. In the meantime, he intercepted the correspondence and prevented any e-mail that could foil his scheme from reaching its recipient. By the time the scam was discovered, the money was gone and the hacker had stopped intercepting e-mails.
Criminal and civil legal consequences follow from the above facts. The hacker would be liable for a fraud offence and would be obliged to repair the damage caused by paying back the amounts stolen. But it can take time to track them down and, until then, the provider and his customer either fight over who bears the loss or reach agreements that allow them to continue their business relationship.
In the contractual sphere, the legal debate is limited to determining whether the intervention of a third party who has fraudulently caused the payment to be made to someone other than the creditor should be borne by the one who pays and suffers the deception (in our example ENTERPRISE, S.A.) and, therefore, whether the payment obligation subsists, or whether it should be borne by the creditor or supplier (MAKER, S.A.) and, consequently, the debtor is released from the obligation to pay.
The majority position is inclined to resolve this controversy by applying the doctrine of the apparent creditor, extensively developed by the Supreme Court in its Judgment of 17 October 1998.
This doctrine starts from the general rule contained in Art. 1162 of the Civil Code, by virtue of which only the payment made to the true creditor (or to a person authorised to receive it on his behalf) extinguishes the obligation and releases the debtor from performance.
However, part of the case law considers applicable to the case described the exception contemplated in Article 1164 of the Civil Code, which establishes that the payment made in good faith to the person “in possession of the credit” does have the effect of releasing the debtor from the obligation.
The concept of being “in possession of the claim” is assimilated to cases in which someone, like our hacker, appears to be the creditor of the claim.
But for the payment to the “apparent creditor” to have discharging effect, the debtor has to prove not only that he believed he was paying the true creditor, but also that this belief would have persisted even if he had exercised the diligence required by the circumstances of the case (Judgment AP Madrid, 10th Section, no. 501/2019).
These proceedings are therefore complicated for the debtor who has made the payment: while the creditor only has to prove the existence and the amount of the debt, the debtor has to prove either negligence or fault on the part of the creditor that caused the fraud (for example, a deficient security system that allowed the hacker to enter its servers), or his own good faith and justified belief, based on objective and reliable data and showing no hint of negligence on his part, that the payment was made to the person who was the holder of the credit.
It is important to pay attention to the parties’ own actions, and therefore caution should be exercised in reporting the event to the authorities either by way of a report or a complaint and, both in such reports and in communications with the other party to the contractual relationship, care should be taken to avoid acknowledgement of facts that could entail recognition of any negligent action or deficiency in the system.
In addition, we recommend great caution when acknowledging oneself as a victim of the crime of fraud, as this acknowledgement of the loss of property suffered could make it difficult to claim this loss from the other party to the contractual relationship at a later date.
Likewise, if civil liability or cybersecurity insurance has been taken out, the possibility of claiming against the insurer cannot be ruled out. Liability cover extends to damage caused to third parties by negligent acts or omissions, so it should be borne in mind that claiming in this way requires acknowledging one’s own negligent behaviour.
For preventive purposes, it is recommended to have developed internal security protocols that exclude any fault, as well as general terms and conditions of contract that provide, among others, security protocols for a change of bank account and the distribution of liability in the event of similar events.
This type of scam has many variants, both in terms of the means by which it is committed (by e-mail, but also by telephone, post, etc.) and in terms of the method of deception. Sometimes the third party directly contacts the bank holding our funds, impersonating the client and giving payment orders that the bank processes. In other cases, the e-mail address of the CEO or CFO is intercepted or spoofed and an e-mail is sent to a member of the finance department ordering an urgent payment, under the pretext of a confidential operation ordered directly by the CEO.
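A minimal pre-payment check of the kind the internal protocols and bank-account-change procedures recommended above would call for, as an added example that is not part of the original article or AddVANTE's own material. It holds an invoice for out-of-band verification when the sender domain is a look-alike of a supplier on file, when Reply-To points elsewhere than From, or when the IBAN differs from the one on file; the supplier record, domain names, IBAN and telephone number are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed master data: the supplier record as held by the buyer's finance team.
# Domain, IBAN and callback number are fictitious placeholders, not real values.
SUPPLIERS_ON_FILE = {
    "maker.example": {"iban": "ES0000000000000000000000", "callback_phone": "+34 000 000 000"},
}


@dataclass
class PaymentInstruction:
    """Fields a finance clerk would extract from an incoming invoice e-mail."""
    from_addr: str
    reply_to: str
    iban: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. 'maker' vs 'rnaker')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(msg: PaymentInstruction) -> List[str]:
    """Return the reasons the payment must be held for verification; empty means consistent with the file."""
    holds = []
    sender = domain(msg.from_addr)
    record = SUPPLIERS_ON_FILE.get(sender)
    if record is None:
        # Unknown sender: distinguish a near-miss of a trusted domain from a plain stranger.
        lookalikes = [k for k in SUPPLIERS_ON_FILE if edit_distance(sender, k) <= 2]
        if lookalikes:
            holds.append(f"sender domain '{sender}' is a look-alike of '{lookalikes[0]}' on file")
        else:
            holds.append(f"sender domain '{sender}' is not a supplier on file")
        return holds
    if domain(msg.reply_to) != sender:
        holds.append("Reply-To points to a different domain than From")
    if re.sub(r"\s", "", msg.iban).upper() != record["iban"]:
        # Account changes are confirmed by calling the number on file, never by replying to the e-mail.
        holds.append(f"IBAN differs from account on file: confirm on {record['callback_phone']}, not by e-mail")
    return holds
```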
In any case, once it has been detected that the scam has taken place, it is advisable to consult with legal and IT security professionals. It is advisable to save all available information, change all passwords and carry out a security audit to detect malware on the devices.
From the litigation department of AddVANTE, we can provide any person or company that has been the victim of a “Man in the middle” scam with the advice required from the outset, offering a comprehensive and coordinated response from the different legal and technological areas of the firm.