An unusual case came to its conclusion recently in the Court of Session. A business took a junior employee, a member of its cash handling team, to court for company funds which she had lost in a “whaling fraud”. To see a business sue an employee in a position of such low responsibility is rare by the court’s own admission. As a case study, it sheds much light on why, when things go wrong, businesses should think carefully before setting out on the search for blame.
The case
The defender worked for a business of about 50 people, as a credit controller in a small cash room team alongside a senior colleague (CC) and their team manager (YB). The defender herself was mainly involved in chasing debts, as opposed to handling outgoing payments. When YB left for a week’s holiday one Thursday, it must have seemed as if there was little to be concerned about with this small team and its clear division of labour.
And yet the next day, before YB was even on the plane, a fraud was playing out which would cost an initial total of £193,250, and lead all affected on a difficult journey through the courts.
The defender received an email that Friday, supposedly from YB, urgently asking her to process a payment. The email appeared to come from YB’s email address and addressed the defender by name. When the defender informed CC of this request, they proceeded together to gather the required details and process the payment.
This was a “whaling fraud” – a fraud attempt which uses knowledge of the targeted business and techniques such as email imitation, to create a more sophisticated threat than normal spam emails. Attempts will mostly be specifically timed to strike at businesses when key personnel are absent.
Both the defender and CC accepted that the instruction was legitimate, and the court noted that the defender knew very little anyway about was normal or expected when it came to outgoing payments. The defender was not held to be at fault for failing to immediately recognise the fraud.
Naturally, the fraudster pressed on. On Monday morning, a new email came through, asking for another payment to be processed. This time, the defender was alone without CC, who was now also on holiday. She did however have access to CC’s online banking log-in, and CC provided a missing PIN number by text.
As the payment was close to its conclusion, a warning appeared on the screen. It advised that emailed payment instructions should be verified by alternative means, and to be wary of any suspicious variations in spelling or grammar. This could have been useful for the defender. Sadly, she did as she had seen CC do on Friday and promptly clicked past it.
Decision
The court did not feel that it could find the defender at fault for following the example of a more experienced colleague, while using an unfamiliar system. In any case, it was not certain that reading the warning would have changed the outcome. The defender thought she was following instructions, had been given access to the system, and was entirely unsupervised.
Further emails and payments would follow, as would further opportunities for intervention. At one stage the company account was flagged as a fraud risk, which was then cleared by the bank. The defender also sent a voicemail to YB updating her on her progress with moving the funds. YB would later maintain that she did not realise the defender was referring to new payments.
By the time the business discovered the fraud on Thursday, only £85,265.98 of the £193,250 transferred out was recoverable. The remainder was the sum sought from the defender, who had been let go soon after the discovery.
At first instance, the court did not find the defender liable for any amount of the sum claimed. This decision was then upheld on appeal in May 2021. The defender may have made mistakes, but she had not fallen short of her duty of reasonable care.
What the decision means for employers
How then, do we handle blame in such situations, where an individual can be so badly misled while also being let down by a lack of supervision? The court noted that, in the end, the fraudsters are to blame. However, that is little comfort to the other parties involved.
The first point is that the expectation of “reasonable” care for employees is not just an abstract concept. It is also shaped by the standards set in practice - especially by supervisors and colleagues with relevant experience and expertise. Consider then, that a harmless shortcut for one colleague might set a dangerous precedent for another.
Another lesson which can be taken from this case is that employees who are kept to a narrow set of functions can easily miss what might seem like obvious warning signs. It will not do to say in hindsight that the danger was obvious, given all the facts. What the courts are interested in is whether the employee in question was aware of those facts. So, for employees in any role, it is always worthwhile to instil a healthy awareness of what is going on around them.
The final point is more fundamentally that the courts are not eager to point the finger at junior employees where major failings occur. For most, that will be a reassuring thought. The point is that it shouldn’t be made easier to lay responsibility at the foot of an unfortunate colleague when a fraud occurs. Rather, that should a fraudster strike, they will not find similar success in the first place.
When it comes to the blame game, the best result is not to play at all.
This article is by our Dispute Resolution and Litigation team and our Employment law team can also offer advice and guidance regarding employers setting standards and policies for employees to help avoid similar disputes occurring.
