author photo
By Bruce Sussman
Wed | Nov 20, 2019 | 12:18 PM PST

Imagine being targeted by cybercriminals and then getting sued because the attack worked.

You can ask Patricia Reilly what that is like. 

Her former company sued her for more than $130,000 to recover the money it lost in a cyberattack—a story we covered in February of this year—and now a judge has ruled in the case.

Here is her story.

Business Email Compromise leads to losses

Reilly was working at Scotland based Peebles Media Group when she received a series of emails appearing to be from her boss. 

The boss was company director Yvonne Bremner, who was on vacation in Tenerife.

And since she was out of the office, her email said she needed Reilly's help to move approximately $200,000 of the company's funds from one account to another through a wire transfer.

Reilly made the transfer as requested, unaware that the emails actually came from hackers who also knew the boss was on vacation.

A few days later, someone from the company contacted the boss in Tenerife and found out she had never requested any type of transfer.

Suddenly, the employees knew: the company was the victim of a cyberattack called Business Email Compromise. These BEC scams, as they're called, are rampant; more on that in a minute. 

For now, let's continue to follow Patricia Reilly's story.

Company sues employee for falling for Business Email Compromise

After discovering the cybercrime, the company's bank was able to recover part of the money before hackers got it. But the cybercriminals succeeded in keeping $138,000 of the transfer.

Peebles Media Group responded to this outcome by firing Reilly and then suing her for $138,000.

Is this what your company would do if you fall to a cyber scam?

The BBC reported on the grounds the company used to sue:

Lawyers acting for the company accuse Mrs. Reilly of being negligent. They have described her actions as "careless and in breach of the duties—including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer, the pursuer."

Business Email Compromise case in court

This BEC cyberattack happened in 2015, and that left Patricia Reilly wondering and worrying for years.

Even though it was cybercriminals who stole the $138,000 from her company, would a judge order her to pay for it?

Outcome of the BEC case: how the judge ruled

Scotland's Lord Summers presided over the Scottish Court of Session to hear this case.

According to a BBC story, Lord Summers painted this as a lose-lose situation:

"The fraudster is the real culprit whoever he or she (or possibly they) may be. The pursuers [the company] have suffered a major loss. The defender has lost her employment. It is a tragic case."

And then he moved on to whether Reilly should have to repay the $138,000 lost in the BEC scam as her former company demanded. 

The judge found that Reilly was acting outside the scope of her duties, however, that's not what led to the loss. Instead, it was the targeted cyberattack.

"Although I consider her unilateral decision to transfer company funds without any authority was in breach of contract I do not consider that the loss that ensued was the natural consequence of the breach."

Ms. Bremner [the Company Director] claimed that Mrs. Reilly should have been suspicious of elements of the email communication—such as the unusual email address and the word choice.

However, Lord Summers said the word choice was "not unusual" and he was "not satisfied on the evidence adduced" that the fraudster's email address was visible.

In other words, Patricia Reilly was like a lot of employees caught in this type of scam: the wording seemed close enough to her boss's writing.

And the actual email address (rather than just the name of the sender, which can be anything) may not have been visible.

So the judge ruled that Reilly does not have to pay back the $138,000.

As part of her defense, she pointed to a lack of security awareness training at the company, and to the fact that this happened in 2015. 

"This was four years ago and there's a lot more information out on social media and in the world, the corporate world nowadays that wasn't as available and made public to companies then.

I would hope that this will highlight the difficulties that are there and things need to be tightened up to avoid what has happened to me."

How rampant are BEC cases?

This type of crime is happening to an unbelievable number of employees and organizations. 

According to the United States government, Business Email Compromise attacks have led to $26 billion (yes, with a B) in global losses during the last six years.

Often, it starts with hackers compromising or breaking into a corporate email, where they read and watch for potential opportunities—like a note that someone will be out of the office or on vacation.

Now, these attacks are often run by large criminal organizations:

"As we've investigated these types of crimes and arrested people and been able to interview the bad actors, what we find is that these criminal organizations, and that's truly what they are, they run just like a business. They're very good at what they do. They have CEOs, they have financial officers, they have bankers," says Christopher McMahon, a key BEC investigator at the U.S. Secret Service.

We spoke to McMahon after his recent keynote at SecureWorld Denver, where he explained the enterprise business model for cybercrime, which we discuss on our SecureWorld Sessions podcast:

These cybercrime groups look for specific targets, and Reilly and her out of office boss are an example of a strategy attackers like to use in their emails to the target:

"A lot of the red flags that we see in these email compromises are urgency, like 'I'll be out of town, or hey, can we take this offline?' And what's becoming more prevalent these days are some of these secure apps where the communication is encrypted. Now it's 'Let's take this offline and message me directly, so nobody sees this because it's a surprise for the company."

As McMahon told us during that interview, these criminal groups are skilled because this is their livelihood.

Proof of that comes from a case SecureWorld covered: Catholic Church Sends $1.7 Million to Hackers in BEC Scam. And then there was a really sophisticated BEC scam that led to this: $18.6 Million Gone in a Week.

How long would you spend on a legitimate business contract worth millions? Now ask yourself, how long would cybercriminals spend researching their targets to steal millions? 

This effort leads to polished and successful attacks.

There needs to be more security awareness around BEC

While the attackers in this type of crime go around fleecing the world, many working adults may not be aware of this type of cybercrime.

Just try walking around the office and asking "Have you heard of a BEC attack?" Or perhaps you could ask someone to describe how a Business Email Compromise scam operates.

Prepare for blank stares.

Compare BEC to the term phishing, for example. Cybersecurity teams have been talking about phishing for many years now, and entire programs are built around this topic.

However, we learned during our coverage of the 2019 State of the Phish Report that 28% of employees in the U.K. cannot correctly define phishing, and in the U.S. that number is 35%.

More work needs to be done to catch up with the ways cybercriminals are stealing from their victims, and that includes the tactics of BEC.

Now, back to Patricia Reilly's story.

Do you agree with the precedent the court set in this case that the employee caught in a BEC scam is not liable for the losses to the company? And are there any downsides to this decision?

Let us know in the comments below. And be sure to listen to the podcast for much more on how BEC scams operate. 

[Our original story on this case: Security Un-Awareness: Employer Suing Employee for $138k in BEC Losses]

Comments