Cyber Security: the importance of training

The employee in this case was employed as a credit controller. She had received a number of email messages, the first of which appeared to be sent from her manager requesting that payment be transferred to another company. Three days later the employee received another email claiming to be from the employer's managing director, which asked for another online payment of £75,200.

Both the managing director and the employee's line manager were on holiday at the time the emails were received. The employee says that she had liaised with her line manager in making the first payment and assumed the second request for payment was also genuine. The employee subsequently paid a total of £193,250 on behalf of the company in accordance with the email requests.

The emails were in fact sent by fraudsters. The employer dismissed the employee for gross misconduct and subsequently brought a court claim in the Scottish Court of Session (Scotland’s highest civil court) in the sum of £107,984 against their former employee, being the sum outstanding after the bank refunded more than £85,000 of the almost £200,000 stolen.

In this case, the employer claims that their ex-employee was negligent in making the payments, as she should have realised the emails were suspicious and this was basic common sense. The employer claims that their ex-employee ignored a security warning she received from the company's bank before authorising the payments.

However, her lawyers have argued that the ex-employee was not negligent, as she did not receive any training on how to spot online fraud and is being made a scapegoat for the scam. They have applied for the court case against her to be dismissed on this basis. Unless the employer can show that it had appropriate procedures and training in place, it is likely that the employer will struggle to prove their ex-employee was liable for the loss.

In general, unless the employee has substantial assets (or insurance in their personal capacity, such as director insurance), court claims rarely lead to any damages actually being paid to the successful employer. For this reason, it is unusual for employers to pursue claims for large sums against their employees or former employees.

The practical key to reducing the risk of loss caused by fraud is prevention. This includes ensuring that employees, contractors and anyone who has access to company money, or who may be responsible for carrying out financial transactions on the company's behalf, have received training on cyber security. That training should cover how to spot fraudulent requests for payment by the company and how to verify that a request for payment genuinely comes from an authorised individual within the company, rather than being a fraudulent request from a third party. Employers of all sizes are advised to ensure that secure procedures for financial transactions are in place (including an appropriate sign-off process to authorise financial transactions), that staff are sufficiently trained on these, and that the business has appropriate insurance in place to recover any financial loss caused by fraud. The National Cyber Security Centre has produced online guidance on how to spot phishing attacks, which employers can adapt as staff training material.