Phishing Scam in the UAE
Phishing scams in the UAE: a case of complete innocence or negligence on the part of the payer?
Many of you reading this article will have undoubtedly heard or read of an individual/company being subject to a form of electronic scam and being asked to make payment to a specified location. Unfortunately, some do not notice the red flags and go through with the payment without raising any suspicions as the request appears, on the face of it, genuine and from a credible source.
An insight into Phishing
‘Phishing’ involves fraudsters sending correspondence such as emails or letters purporting to be a reputable company or person, with the sole purpose of obtaining confidential information such as bank details and passwords from the recipient, or more commonly now – payment.
Phishing is on the rise in the UAE.
Since joining ADG Legal, I have already been involved in two separate cases which involve companies being deceived and innocently making payment in excess of USD $1 million to bank accounts controlled by fraudsters. In both cases, fraudsters have stolen the identity of employees, forged company letterhead and managerial signatures, and hacked into company email accounts to communicate with the payer.
The questions which ultimately arise from such scenarios (particularly in a commercial context) are ‘has the payment been successfully made?’ and ‘who is liable when the money has gone ‘missing’ (into the hands of fraudsters)?’
Every case is dealt with on its own facts; however, the following two international judgments demonstrate the importance of due diligence prior to making any electronic payment:
Galactic Auto Ltd v Andre Venter  ZALMPPHC
- The Claimant – a car dealership – sent an email to the Defendant attaching their invoice and bank details after agreeing the sale of a vehicle.
- This email was intercepted by fraudsters, who created their own separate invoice and a fake email address similar (but not identical) to that of the dealership. The fraudsters later sent an updated email to the Defendant providing details of a new bank account which they now controlled.
- The Defendant made payment to the fraudsters’ bank account without questioning the authenticity of the second email.
- When the Claimant stated that they had never received payment despite delivering the vehicle to the Defendant, the Defendant argued that the payment into the incorrect bank account should be treated as payment in full given the ‘new’ bank details appeared to have been sent from the Claimant.
The High Court of South Africa held that the Claimant is only required to show that they provided the Defendant with the correct bank details where payment was to be made. Once this is proven, the onus is placed on the Defendant to demonstrate that the money was transferred to the correct bank account.
The Judge affirmed that it was the responsibility of the Defendant to confirm the bank details were correct with the Claimant prior to authorising payment, citing: “…if the Defendant had only verified the banking details….he would have prevented his loss. His failure to do so was at his own peril.”
Sell Your Car With Us v Sareen  BCC 1211
- The Claimant had advertised and sold his vehicle for a price in excess of £50,000.00 through the Defendant’s website.
- The Claimant’s email account was subsequently hacked by fraudsters who purported to be the Claimant and instructed the Defendant to send £30,000.00 of the monies to a bank account which had been opened by the fraudsters.
- When this payment was discovered, the Claimant served a statutory demand and threatened to present a winding-up petition against the Defendant to recover the monies. The Defendant disputed the application, contending that the Claimant was in breach of an implied term under the contract between the two, where it had been agreed that the Claimant would take ‘reasonable care’ and have ‘ultimate control’ over the security of his emails. The Defendant therefore maintained that the Claimant had made misrepresentations (false statements), and it was ultimately his own negligence which had resulted in the loss.
The Judge ruled: “…the company was alone responsible for sending money to an unauthorised account on instructions received from an unknown third party”. She added that the Defendant should have been aware of potential fraud risks and outlined that the company had failed to adhere to their own anti-fraud procedures. As such, they were liable for the missing monies which were not deemed to have been paid to the Claimant.
The above are just two examples of cases surrounding phishing fraud, which, unfortunately, is on an upward trajectory both here in the UAE and worldwide. Both judgments place weight on the responsibility of the payer to use initiative and not make any electronic payment without undertaking appropriate due diligence.
Signs of a Phishing scam
The below checklist is designed to assist in spotting the signs of phishing scams together with strategies to avoid falling victim to the same:
- Check, double check, and triple check if necessary.
Regardless of the amount, always confirm bank details via telephone with the individual / company you are set to make payment to prior to authorising payment with your bank. It is recommended this call be made on the morning payment is due.
- Pay close attention to the location of the designated bank account and email sender.
This is often ignored by payers; however, it is of paramount importance when making electronic payments.
As an example, if the company you are making payment to is based in the United Kingdom but the invoice or email you have received asks for payment to be made to a bank account in Malaysia, this should automatically raise suspicions and could be a sign of a phishing scam. You should therefore telephone the relevant party immediately for confirmation.
It is also common for companies to have multiple offices worldwide. Nonetheless, this is where many fall victim to phishing scams. For instance, it would be highly unusual for you to have primary contact with an employee based in Hong Kong yet receive a request for payment from an employee based in the United States who you have never communicated with previously (or indeed from a location where the company concerned do not have a designated office).
Again – telephone the relevant party immediately before proceeding with payment.
- Check the email address of the sender
This may seem common practice; nonetheless, it is often overlooked by victims of phishing scams. As highlighted in the case law above, fraudsters will (though not always) attempt to create their own email address and design it in such a way that it does not look out of place.
For example, fraudsters may use an email address such as ‘PJ@XXXXX.com’ when in fact the correct email address of the true account user is ‘Peter-John@XXXXX.com’. If you notice any discrepancy with an email which you have previously received from a sender, it is recommended that you call the sender for confirmation that the details are genuine.
- If you have suspicions that there may be fraud involved, report it!
The case of Royal Brunei Airlines v Tan  2 AC 378 held that: “Deliberately closing one’s eyes, in the sense of having suspicions of misfeasance but making a conscious decision not to ask questions or otherwise enquire, satisfies the test of dishonesty….”.
If you become aware of any potential wrongdoing in a transaction or indeed suspect a breach in IT security, you should immediately contact the individual/company concerned.
If you have fallen victim to a phishing scam in the UAE, refer the matter to law enforcement and report the incident to your bank immediately.
- Regular anti-fraud training and enhanced IT systems
If you are operating a company, it is recommended that staff undertake monthly training on anti-fraud procedures to avoid cases ‘slipping through the net’ and personnel becoming lacklustre in respect of identifying potential fraud.
Cyber attacks are not uncommon; however, steps can be taken to minimise the threat as much as possible. Major organisations have been subject to the same in recent years – including British Airways and the National Health Service (NHS) in the United Kingdom, which involved fraudsters gaining access to confidential information such as staff payrolls and patient data respectively. Particular focus should therefore be placed on companies enhancing their IT security.
- Poor grammar and structuring of emails
It is common for emails / letters received from fraudsters to contain numerous spelling errors and poor structuring (e.g. unnecessary spacing or a lack thereof). Moreover, there may be an over-eagerness for payment to be made if this is the desired outcome of the phishing scam.
These are potential signs of a possible fraud and should be dealt with by speaking directly with the party concerned to ensure the correspondence is legitimate.
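The sender-address, changed-bank-details and bank-location checks from the checklist above can also be automated as a pre-payment screen. The following is an added example, not part of the original article; the vendor record, addresses, account number, BIC codes and the 0.8 similarity threshold are all constructed assumptions. Any flag it returns is a prompt to telephone the payee, not a substitute for the call.

```python
from difflib import SequenceMatcher

# Constructed vendor record, as confirmed by telephone when the vendor was set up.
VENDOR = {
    "country": "GB",                                # where the payee is based
    "contacts": {"peter-john@example-motors.com"},  # addresses used previously
    "account": "GB00EXMP00000012345678",            # account number on file
    "bic": "EXMPGB2L",                              # bank identifier on file
}
SIMILARITY = 0.8  # assumed threshold for "similar but not identical" domains


def bic_country(bic):
    """Characters 5-6 of a SWIFT/BIC code are the bank's ISO country code."""
    return bic.strip().upper()[4:6]


def review_payment_request(sender, account, bic, vendor=VENDOR):
    """Return the reasons to phone the vendor before authorising payment."""
    flags = []
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    known = {c.rpartition("@")[2] for c in vendor["contacts"]}
    if sender not in vendor["contacts"]:
        if domain in known:
            # e.g. 'PJ@...' when the real contact is 'Peter-John@...'
            flags.append("unknown sender at known domain")
        elif any(SequenceMatcher(None, domain, d).ratio() >= SIMILARITY
                 for d in known):
            flags.append("look-alike sender domain")
        else:
            flags.append("unknown sender domain")
    if account.replace(" ", "").upper() != vendor["account"]:
        flags.append("bank account differs from details on file")
    country = bic_country(bic)
    if country != vendor["country"]:
        flags.append(
            f"bank country {country} differs from vendor country {vendor['country']}")
    return flags
```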
If you require any further information regarding the contents of this article, or if you have fallen victim to a phishing scam and require legal advice surrounding your circumstances, please do not hesitate to contact me (email@example.com) or our International Disputes Partner, Josh Kemp (firstname.lastname@example.org).