By Bruce Sussman
Thu | Feb 21, 2019 | 7:19 AM PST

If you're a regular SecureWorld reader, you may remember our recent story of employees being fired after falling for a BEC (Business Email Compromise) scam that cost their company millions. 

If you missed it, be sure to read $18.6 Million Gone: Business Email Compromise at a Whole New Level for something you can share with your organization.

Company sues employee who was tricked by a cyber attack

Now, a company in the United Kingdom has decided that firing an employee who fell for a BEC scam is not enough and is suing its former employee for the losses.

The case: how the BEC happened

Patricia Reilly was working at Peebles Media Group when a BEC script familiar to InfoSec teams (but not to most employees) played out: her boss was on vacation and the attackers knew it.

They sent her a series of believable emails, posing as her out-of-office boss who needed help transferring funds to a specific account. Reilly transferred the equivalent of more than $250,000 before her boss discovered that the company was being scammed.

Now, the company is suing the former employee for the wire transfers that could not be stopped, a total of about $138,000.

The BBC reports on the grounds the company is using to sue:

Lawyers acting for the company accuse Mrs. Reilly of being negligent.

They have described her actions as "careless and in breach of the duties—including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer, the pursuer."

Did the company have a security awareness program?

Just as interesting as the fact that the company is suing the employee for BEC losses is the defense the employee is using.

Her legal team says she never received any training on how to spot or watch out for this type of scam, and is asking for the case to be dismissed.

Was there a lack of security awareness training at the company? We're not sure about that.

However, we learned during our coverage of the 2019 State of the Phish Report that 28% of employees in the U.K. cannot correctly define phishing, and in the U.S. that number is 35%.

So what would the numbers on Business Email Compromise look like?

Security Awareness continues to be a relevant topic of discussion at SecureWorld conferences across North America, and cases like the one in this story remind us why that is so crucial.
