Phishing Scams in the UAE: A case of complete innocence or negligence on the part of the payer?
Many of you reading this article will have undoubtedly heard or read of a company or individual being subject to a form of electronic scam and being asked to make payment to a specified location. Unfortunately, some do not recognise the red flags and go through with the payment without raising any suspicions as the request appears, on the face of it, genuine and from a credible source.
An insight into phishing
‘Phishing’ involves fraudsters sending correspondence such as emails or letters purporting to be a reputable company or person, with the sole purpose of obtaining confidential information such as bank details and passwords from the recipient, or more commonly now – payment.
Phishing is on the rise in the UAE.
Since joining ADG Legal, I have acted on two separate cases which involved companies being deceived and innocently making payment in excess of USD 1 million to bank accounts controlled by fraudsters. In both cases, fraudsters had stolen the identity of employees, forged company letterhead and managerial signatures, and hacked into company email accounts to communicate with the payer.
The questions which ultimately arise from such scenarios (particularly in a commercial context) are (1) ‘has the payment been successfully made?’ and (2) ‘who is liable when the money has gone “missing” into the hands of fraudsters?’
Every case turns on its own facts; however, the two international judgments below demonstrate the importance of due diligence prior to making any electronic payment:
Galactic Auto Ltd v Andre Venter [2019] ZALMPPHC (South Africa)
Facts:
- The Claimant – a car dealership – sent an email to the Defendant attaching their invoice and bank account details after agreeing the sale of a vehicle.
- This email was intercepted by fraudsters, who created their own separate invoice and a fake email address similar (but not identical) to that of the dealership. The fraudsters later sent an updated email to the Defendant providing details of a new bank account which they now controlled.
- The Defendant made payment to the fraudsters’ bank account without questioning the authenticity of the second email.
- When the Claimant advised that they had not received payment despite delivering the vehicle to the Defendant, the Defendant argued that the payment into the incorrect account should be treated as payment in full given the ‘new’ account details appeared to have been sent by the Claimant.
Judgment:
The High Court of South Africa held that the Claimant was only required to show that it had provided the Defendant with the correct account details to which payment was to be made. Once this is proven, the onus shifts to the Defendant to demonstrate that the money was transferred to that account.
The Judge concluded that it was the responsibility of the Defendant to confirm with the Claimant that the account details were correct prior to authorising payment, stating: “…if the Defendant had only verified the banking details…he would have prevented his loss. His failure to do so was at his own peril.”
Sell Your Car With Us Ltd. v Sareen [2019] BCC 1211 (England & Wales)
Facts:
- The Claimant had advertised and sold his vehicle through the Defendant’s website.
- The Claimant’s email account was hacked by fraudsters. They instructed the Defendant to send £30,000 of the purchase monies to a bank account that they had opened.
- When this payment was discovered, the Claimant served a statutory demand and threatened to present a winding up petition against the Defendant’s company to recover the monies. The Defendant disputed the application, contending that the Claimant was in breach of an implied term of the contract between the two, under which it had been agreed that the Claimant would take ‘reasonable care’ of, and have ‘ultimate control’ over, the security of his emails. The Defendant therefore maintained that the Claimant had made misrepresentations (false statements), and that it was ultimately his own negligence that had resulted in the loss.
Judgment:
The Judge affirmed that: “…the company was alone responsible for sending money to an unauthorised account on instructions received from an unknown third party”. She added that the company should have been aware of potential fraud risks and outlined that they had failed to adhere to their own anti-fraud procedures. As such, they were liable for the missing monies – which were not deemed to have been paid under law.
The above are just two examples of cases involving phishing scams, which, unfortunately, are on an upward trajectory both here in the UAE and worldwide. Both judgments place weight on the responsibility of the payer to use initiative and not make any electronic payment without undertaking appropriate due diligence.
Signs of a phishing scam
The below checklist is designed to assist in spotting the signs of phishing scams together with strategies to avoid falling victim to the same:
1. Check, double check, and triple check if necessary.
Regardless of the amount, always confirm bank details via telephone with the individual / company you are set to make payment to prior to authorising payment with your bank. It is recommended that this call be made on the morning payment is due.
2. Pay close attention to the location of the designated bank account and email sender.
This is often ignored by payers; however, it is of paramount importance when making electronic payments.
As an example, if the company you are making payment to is based in the United Kingdom but the invoice or email you have received asks for payment to be made to a bank account in Malaysia, this should automatically raise suspicions and could be a sign of a phishing scam. You should therefore telephone the relevant party immediately for confirmation.
It is also common for companies to have multiple offices worldwide. Nonetheless, this is where many fall victim to phishing scams. For instance, it would be highly unusual for you to have primary contact with an employee based in Hong Kong yet receive a request for payment from an employee based in the United States who you have never communicated with previously (or indeed from a location where the company concerned do not have a designated office).
Again – telephone the relevant party immediately before proceeding with payment.
3. Check the email address of the sender
This may seem common practice; nonetheless it is often overlooked by victims of phishing scams. As highlighted in the case law above, fraudsters will often (though not always) create their own email address and design it in such a way that it does not look out of place.
For example, fraudsters may use an email address such as ‘PJ@XXXXX.com’ when in fact the correct email address of the true account user is ‘Peter-John@XXXXX.com’. If you notice any discrepancy with an email that you have previously received from a sender, it is recommended that you call the sender for confirmation that the details are genuine.
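Points 2 and 3 above (the location of the bank account and the sender’s email address) lend themselves to a mechanical check before anyone picks up the telephone. The script below is an added example written for this article; it is not code from the article’s author or from ADG Legal. It compares an incoming payment instruction against a supplier record that was previously verified by telephone and returns the red flags the checklist describes: an unfamiliar or lookalike sender address, a bank account in a different country from the verified one, changed account details, and pressure to pay quickly. The supplier name, domain, email addresses and account identifiers are all constructed for illustration.

```python
"""Vet an incoming payment instruction against a previously verified supplier record.

Added example: the supplier record, addresses and account identifiers below are
constructed for illustration and do not come from the article's cases.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class SupplierRecord:
    name: str
    country: str          # country where the supplier is based
    domain: str           # the supplier's genuine email domain
    contacts: frozenset   # email addresses previously verified by telephone
    bank_country: str     # country of the verified bank account
    iban: str             # verified account identifier


@dataclass(frozen=True)
class PaymentRequest:
    sender: str
    bank_country: str
    iban: str
    body: str = ""


def _split_address(address):
    """Return (local part, domain) of an email address, lower-cased."""
    local, _, domain = address.lower().rpartition("@")
    return local, domain


def _similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def vet_payment_request(req, supplier, lookalike_threshold=0.8):
    """Return a list of red flags for the request.

    An empty list means nothing was detected automatically; point 1 of the
    checklist (a telephone confirmation) still applies before paying.
    """
    flags = []
    _, sender_domain = _split_address(req.sender)
    genuine_domain = supplier.domain.lower()
    known = {c.lower() for c in supplier.contacts}

    # Point 3: is this exactly an address we have dealt with before?
    if req.sender.lower() not in known:
        if sender_domain == genuine_domain:
            flags.append(f"unfamiliar address {req.sender} on the genuine domain; confirm by telephone")
        elif _similarity(sender_domain, genuine_domain) >= lookalike_threshold:
            flags.append(f"lookalike domain {sender_domain!r} resembles {genuine_domain!r}")
        else:
            flags.append(f"sender domain {sender_domain!r} is unrelated to {genuine_domain!r}")

    # Point 2: does the bank account sit where the verified account does?
    if req.bank_country.upper() != supplier.bank_country.upper():
        flags.append(f"bank account in {req.bank_country} but verified account is in {supplier.bank_country}")

    # Any change to previously verified account details is itself a red flag.
    if req.iban.replace(" ", "").upper() != supplier.iban.replace(" ", "").upper():
        flags.append("account details differ from the verified account; treat as a change request")

    # Point 6: over-eagerness for payment.
    urgency_words = ("urgent", "immediately", "today", "asap")
    if any(word in req.body.lower() for word in urgency_words):
        flags.append("pressure to pay quickly")

    return flags


def approve_for_payment(flags, phone_verified):
    """Release payment only when no flags remain and the telephone check is done."""
    return phone_verified and not flags


# Constructed sample data (not real organisations or accounts).
SAMPLE_SUPPLIER = SupplierRecord(
    name="Example Motors Ltd",
    country="GB",
    domain="example-motors.co.uk",
    contacts=frozenset({"peter-john@example-motors.co.uk"}),
    bank_country="GB",
    iban="GB00 EXAM " + "0000 " * 3 + "00",
)
SAMPLE_GENUINE = PaymentRequest(
    sender="Peter-John@example-motors.co.uk",
    bank_country="GB",
    iban="GB00EXAM" + "0" * 14,
    body="Invoice attached, payment due on the usual terms.",
)
SAMPLE_SUSPECT = PaymentRequest(
    sender="Peter-John@example-motors.co",      # lookalike domain, missing '.uk'
    bank_country="MY",                           # account outside the supplier's country
    iban="MY00FAKE" + "1" * 14,
    body="Our bank account has changed, please pay immediately to the new account.",
)

if __name__ == "__main__":
    for label, req in (("genuine", SAMPLE_GENUINE), ("suspect", SAMPLE_SUSPECT)):
        flags = vet_payment_request(req, SAMPLE_SUPPLIER)
        print(label, "->", flags or "no automatic flags")
```

The lookalike test uses a plain character-similarity ratio, which is enough to catch a dropped top-level domain or a swapped letter; it will not catch every trick (a different local part such as ‘PJ’ instead of ‘Peter-John’ on the genuine domain is reported simply as an unfamiliar address), which is why the function never clears a payment on its own and why `approve_for_payment` also requires the telephone confirmation from point 1.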
4. If you have suspicions that there may be fraud, report it!
The case of Royal Brunei Airlines v Tan [1995] 2 AC 378 held that: “Deliberately closing one’s eyes, in the sense of having suspicions of misfeasance but making a conscious decision not to ask questions or otherwise enquire, satisfies the test of dishonesty…”.
If you become aware of any potential wrongdoing in a transaction, or indeed suspect a breach of IT security, you should contact the individual or company concerned. Further, if you have fallen victim to a phishing scam in the UAE, refer the matter to law enforcement and report the incident to your bank immediately.
5. Regular anti-fraud training and enhanced IT systems
Steps can be taken to minimise a threat as much as possible. If you are operating a company, it is recommended that staff undertake monthly training on anti-fraud procedures to avoid cases ‘slipping through the net’ and personnel becoming lacklustre in respect of identifying potential fraud.
Cyber-attacks are not uncommon. Major organisations have been subject to the same in recent years – including British Airways and the National Health Service (NHS) in the United Kingdom, which involved fraudsters gaining access to confidential information such as staff payrolls and patient data respectively.
Particular focus should therefore be placed on companies enhancing their IT security.
6. Poor grammar and structuring of emails
It is common for emails and letters received from fraudsters to contain numerous spelling errors and poor structuring (for example, unnecessary spacing or a lack of it). Further, there may be an over-eagerness for payment to be made, since payment is the desired outcome of the phishing scam.
These are potential signs of a possible fraud and should be dealt with by speaking directly with the party concerned to ensure the correspondence is legitimate.
If you require any further information regarding the contents of this article; or if you have fallen victim to a phishing scam and require legal advice surrounding your circumstances, please do not hesitate to contact me via email at cg@adglegal.com.