Cybercrime’s impact on Debt Recovery

By Clarion
19th Mar 25

In recent times, due to the increasingly sophisticated methods adopted by fraudsters, there has been an alarming increase in cybercrime. It was reported that 50% of UK businesses experienced some form of cyberattack in 2024. Of these, 35% involved impersonation, where the fraudster would impersonate an individual or entity by email or online. Fraudsters will commonly use impersonation to fraudulently intercept emails containing bank details for payment of invoices. For more detailed insights and statistics on cybercrime, you can read the full Cyber Security Breaches Survey 2024 published by the UK Government.

We do not profess to be cybersecurity experts. This blog will therefore not examine how parties can protect themselves from an IT and systems perspective. We will, however, offer our insight with some practical tips on protecting yourselves from a debt recovery angle.

In this blog, we refer to the 'Payer' as the party making the payment (such as a customer or client) and the 'Payee' as the party expecting to receive the payment (such as a supplier or service provider).

How is cybercrime affecting debt recovery?

Commonly, the fraudster intercepts an email from the Payee and swaps the bank details, either in the email or on an invoice, for those of the fraudster. This results in the Payer sending money to the fraudster instead of the Payee. A debt is therefore created, as the Payee has not received payment for its outstanding invoice.

We have seen an increasing number of cases where a Payer claims to have paid a Payee’s invoice, but unfortunately the Payer has been the victim of cybercrime and has paid a fraudster. This often leads to a “blame game” between the parties, with each trying to pin fault on the other, and ultimately the invoice remains outstanding.

How can the Payee protect themselves?

The Payee should protect themselves when contracting with a party from the outset. Where possible, any contractual documentation should include the nominated bank details for payment. The contract should also include a clause indicating that any change of bank account details will always be given in writing on company letterhead and that the onus is on the Payer to ensure the legitimacy of the change in details.

If no formal contract is in place, the Payee should publish a notice on quotations, order forms and invoices setting out the above, thereby protecting themselves from potential cybercrime.

How can the Payer protect themselves?

The Payer needs to ensure that they verbally confirm the bank details with the Payee whenever they receive notification of a change of bank details from the Payee. The Payer should use a number known to be the Payee’s and ideally speak to a known contact of the Payee.

If the Payer is unable to confirm the details and has previously paid the Payee, then the Payer should use the previous bank details and inform the Payee by email that payment will be made into that account.

Who is at fault?

The onus is generally on the Payer to ensure that the Payee’s invoice is settled. Should a fraudster commit impersonation fraud and the Payer receive notification of a change of bank details, the onus is on the Payer to ensure that the bank details provided are those of the Payee and to carry out due diligence on the legitimacy of any new details which have been provided.

Should the invoice remain outstanding due to impersonation fraud, then indebtedness will be created, and the Payee will be entitled to pursue the Payer as if the invoice had never been paid. The issue of fraud will then be between the Payer, the fraudsters, the Payer’s bank, and/or the police/action for fraud.

A Payer’s only form of defence, should impersonation fraud occur, would be to prove that there had been a heightened degree of contributory negligence on the part of the Payee.

If you have any concerns about the issues discussed in this blog or require further advice, our Debt Recovery team are here to help. Please do not hesitate to get in touch.

Disclaimer: Anything posted in this blog is for general information only and is not intended to provide legal advice on any general or specific matter.
