How to Protect Your Business from Phishing and Whaling Scams

Staff Writer


Phishing and Whaling

Steve Guild, partner at Burness Paull, explores how businesses can minimise the risk of falling victim to ‘phishing’ and ‘whaling’ techniques.

Do you know what email phishing is? How about whaling? Or domain spoofing?

Even if you can’t be precise, you probably have an inkling of what they are – catchy but rather confusing terms to describe types of online fraud.

At their heart, there is a deception: some trickery by a fraudster to obtain sensitive information such as supplier or banking details, which are then used to transfer funds to the fraudster’s bank account.

Before the victim knows it, the funds have been transferred away in a manner that makes them difficult or impossible to trace – and police are often powerless to help.

If a bank has made a transfer on the instructions of a fraudster rather than a genuine customer, the customer may be able to sue the bank for breach of mandate. But banks have now tightened up their payment protocols to make this type of fraud much harder to carry out. In response, the fraudsters have devised scams to deceive the bank’s customers into instructing the transfers themselves.

As a firm, we are seeing increasing numbers of online frauds in which clients have either been the victim or unwittingly played a part.

Recently I was asked by a client to defend a substantial claim from a firm of debt collectors who were threatening to sue on behalf of their Chinese client for payment for 3,000 sewing machines – machines which purportedly had been supplied to our client in Uganda.

The problem was: our client operates only in the oil and gas sectors; did not place any such order; does not operate in Uganda; and has no need for one sewing machine, let alone 3,000.

On investigation, it became apparent that a “domain spoof” had occurred. In other words, a fraudster had set up a website purporting to belong to our client which suggested our client was a UK distributor of consumer goods such as sewing machines. The website contained some errors that were obvious to those with English as their first language.

But the errors would not have been so obvious to a non-native speaker. The website also displayed factually correct information about our client taken from UK Companies House which gave the website an air of legitimacy – at least, at first glance.

Despite high-profile campaigns designed to raise awareness of online fraud, we nevertheless have seen a number of instances where sophisticated business persons and corporate clients, wrongly believing that they are corresponding with financial advisors, pension providers or trusted suppliers, have been duped by phishing e-mails into parting with substantial funds.

The way to minimise the risk is for companies to implement strict payment protocols and properly train and instruct staff in their operation. But let’s say you have put such protocols in place, and your employees have been trained in them. What if an employee has failed to exercise common sense or been careless – “negligent” – and inadvertently facilitates an online fraud? The employee is, of course, not a fraudster.

He or she is arguably a victim too, in that they have been duped. Can you sue the employee to recover your loss? This was the interesting question before the court in the recent Scottish case of Peebles Media Group Ltd v Patricia Reilly (15 Nov 2019). Peebles sued Mrs Reilly, their credit controller, for £107k, being the loss it suffered as a result of an online “whaling” fraud (the “whale” “harpooned” here being the MD of Peebles).


At the time of the fraud, Peebles’ MD had gone to Tenerife on holiday. While on holiday, the unfortunate Mrs Reilly was duped into believing that she was in email correspondence with the MD. In fact, the e-mails were coming from a fraudster who managed to persuade Mrs Reilly to make various payments totalling £193K to the bank accounts of purported suppliers of Peebles.

Of course, the accounts were under the control of the fraudster, who promptly removed the funds, with all but £85,000 proving untraceable. As the judge put it: “[Peebles] have suffered a major loss…[Reilly] has lost her employment. It is a tragic case.”

In the end, the judge held that Mrs Reilly’s conduct was not sufficiently careless or egregious to amount to a breach of a duty of care. The claim failed.

So the answer is yes, you can sue an employee, because they owe you a duty to exercise reasonable skill and care in the performance of their duties. However, in practice, it is likely to be very difficult to persuade a court to order the employee to compensate you – particularly where the employee is a junior member of staff. So be warned: don’t expect the courts to provide a safety net if an employee gets caught out by phishing.
