Earlier this year cyber criminals scammed an energy firm out of £200,000 by using AI to mimic the CEO’s voice. In this article, Nick Hawkins, Senior Associate at CM Murray, discusses who the liability in a case like this would lie with and the measures that can be put in place to ensure a repeat doesn’t occur.
A British energy firm was recently scammed into paying £198,600 to fraudsters. This particular hack was unusual in that the fraudsters had used ‘deepfake’ software to impersonate the voice of a manager’s boss resulting in the transfer of funds to a Hungarian bank account. The employee was told that the transfer was urgently required and would be repaid soon – however no such repayment was forthcoming.
The story raises interesting issues about what liabilities may arise from this sort of scam, and provides a further cautionary tale to companies, many of whom might be considering the adequacy of their own internal policies and procedures.
In relation to liabilities, much will depend on the companies own policies and procedures, what the roles and responsibilities are of the individual(s) involved. It will be important to establish what the individual in question was contracted to do and whether they have acted in accordance with those responsibilities.
As a general rule, employers are responsible for the acts of their employees, as well as any mistakes they make or unlawful acts they commit, provided those acts are undertaken in the course of their employment. It is therefore in all companies’ interests to ensure that their staff are aware of their duties and the company policies and are provided with proper training. That is not to say that there are not instances where the individual cannot be personally liable, particularly in respect of grossly negligent matters.
When there has been a scam, there might be a need for an internal investigation to find out precisely went wrong, whether any employee has committed an act of gross misconduct, and whether anything can be done to avoid future similar occurrences. If there has been an act of gross misconduct (which can include gross negligence) then it may be that the employer will need to run a disciplinary process which could result in the dismissal of the employee.
Gross negligence in scam situations might include, for example, an employee transferring company funds to an unknown account, off the back of receiving an email from an unknown sender without having carried out the appropriate checks. However, that is obviously a crude example, and in the age of advancing technology, it is arguably increasingly easy for employees to be tripped up, without there necessarily being any negligent conduct on their part.
Gross misconduct is conduct by an employee which is sufficiently serious as to destroy the relationship between the employer and employee – it can often mean that the employee can be dismissed without notice. Therefore, an individual won’t necessarily be guilty of gross misconduct just by virtue of having been scammed. Particularly sophisticated scams might easily find their way through a company’s internal money laundering or security procedures – and this is likely to be increasingly the case when software can accurately mimic an individual’s voice, and it will surely be only a matter of time before a deepfake video scam hits the headlines.
One of the principal ways that companies can best protect against this sort of fraud is to have adequate procedures and policies in place and to ensure that they are properly complied with. However, importantly, as technology develops and fraudsters become ever more cunning and sophisticated, it is important for companies to account for this development. It may well be the case that, for example, an IT policy from five years ago is no longer fit for purpose, and it is really important that companies are constantly reviewing their policies to ensure they are effective.
Where errors are made or even where there has been no error but scams such as the aforementioned nevertheless take place, it is important that companies learn their lessons and, importantly, see what can be done to reduce the risk of future scam. Employers should be providing regular and ongoing training to staff on how better to identify scams.
What might be done in cases similar to the one above? If there is not already one in place, companies could consider implementing a multi-step process for financial transfers – for example, any request of a certain value could require the receiver of the request to hang up and call the requesting colleague back to verify the request and details, or there could be the additional layer of security questions introduced. While steps such as this might seem impractical when there is a need for urgency but: rather safe than sorry?
