Australian precedent
In a recent Australian court decision, Harbour Trust, a property management company, was defrauded after paying an invoice to a fraudster who’d compromised the email account of one of its suppliers, South Townsville Plumbing.
Posing as the supplier, the fraudster sent revised banking instructions via email, and Harbour Trust paid the invoice — only to discover later the funds had been misdirected to a fraudulent account.
The court found Harbour Trust, the payer, was responsible for the loss. The rationale was that email is an insecure communication channel, and so the payer had a duty to verify any changes to payment instructions. The judge emphasized Harbour Trust had failed to perform a simple verification step — such as calling the supplier to confirm the new banking details.
This case sets a clear expectation: even if fraud originates from a compromised third-party system, the payer still bears the burden of verification. In the digital age, this marks a significant shift from earlier thinking. Traditionally, courts had viewed the compromised party as being primarily liable.
British precedents
In the U.K., the 1918 case London Joint Stock Bank v. Macmillan remains a cornerstone decision. It says a bank customer has a duty to take ‘reasonable care’ in issuing cheques to avoid forgery or misdirection. If a customer’s negligence facilitates fraud, they may be held liable for resulting losses.
In a 2023 blog post, global law firm Norton Rose Fulbright reviewed a series of U.K. court cases dealing with supplier invoice fraud. Their conclusion: courts have consistently leaned toward assigning responsibility to the payer if they don’t follow verification procedures or ignore red flags.
Today, funds aren’t stolen after they’re sent — they’re diverted before being correctly issued, often due to the manipulation of electronic instructions. This places the onus squarely on the payer to ensure instructions are authentic.
Canada’s legal system has deep roots in U.K. common law and similar reasoning could one day shape a court decision here.
Canada’s legal void
So far, Canadian courts haven’t issued a definitive ruling on who’s liable in cases of social engineering and supplier invoice fraud. This uncertainty creates challenges for insurers and brokers trying to assess or defend claims.
In practice, when a Canadian company pays a fraudulent invoice, the paying party often points out the supplier’s system was compromised. And the supplier may counter that email is inherently insecure.
Most cases settle privately, but as the volume of incidents grows, a high-profile legal test case here seems inevitable.
Implications
Legal uncertainty increases the importance of risk transfer strategy. Cyber insurance policies generally cover social engineering or fund transfer fraud.
But the policies often come with an agreement at issuance that basic financial crime and fraud controls will be in place, such as:
- Phishing and social engineering training so accountants know what to look for
- Dual sign-off, with two parties approving large payments
- Email filtering to make sure phishing emails and fraudulent emails are flagged
- Verifications such as a phone call to a known number when a change is made to a normal process
Before 2023, cyber insurance policies commonly included call-back provisions intended to safeguard against social engineering fraud.
However, brokers have increasingly advised clients to avoid ‘condition(s) precedent’ language in policies that require strict verification protocols, as it’s been used to limit coverage at the time of a claim. In practice, these provisions have proven too rigid, leading to confusion and denied claims when insureds fail to precisely follow their internal payment verification procedures.
Cyber insurers have since removed call-back provisions, shifting to more practical and client-friendly solutions to cope with social engineering frauds.
For brokers, this is a critical advisory moment. Clients need to understand the risk is for businesses of all sizes, not just large enterprises. Brokers must help clients understand both the coverages and reasons why insurers ask if controls are implemented.
Early notification is among the most effective tools to respond to cyber fraud. When clients act quickly, insurers can better work with banks, payment processors and law enforcement to intercept and recover stolen funds. Claw back efforts are resulting in millions of dollars being recovered. Speed matters.
Businesses should be advised to treat any changes to payment instructions as high-risk events. Implement dual verification processes. Use encrypted communication platforms. Train staff to recognize red flags. And never rely on email alone.
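The controls listed above (dual sign-off on large payments, a call-back to a number already on file) and the advice to treat any change to payment instructions as a high-risk event can be enforced as a release gate in an accounts-payable system. The following is an added illustration, not code from the article or from any insurer or court; the supplier directory, phone numbers, account identifiers and the 10,000 "large payment" threshold are all constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Supplier details recorded at onboarding. The phone number used for
# verification must come from this record, never from the email that
# requests the change: a compromised mailbox controls that email.
@dataclass
class Supplier:
    name: str
    phone_on_file: str
    account_on_file: str

@dataclass
class PaymentRequest:
    supplier: str
    amount: float
    pay_to_account: str                          # account the invoice asks for
    callback_number_used: Optional[str] = None   # number actually dialled
    callback_confirmed: bool = False             # supplier confirmed on the call
    approvals: Set[str] = field(default_factory=set)  # distinct approver ids

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed cut-off for a "large" payment

def record_callback(req: PaymentRequest, dialled: str, confirmed: bool) -> None:
    """Record the out-of-band call-back that was actually performed."""
    req.callback_number_used = dialled
    req.callback_confirmed = confirmed

def approve(req: PaymentRequest, approver: str) -> None:
    """A set is used so the same person signing twice still counts once."""
    req.approvals.add(approver)

def can_release_payment(req: PaymentRequest,
                        directory: Dict[str, Supplier]) -> Tuple[bool, str]:
    """Release gate: every control must hold before funds leave."""
    supplier = directory.get(req.supplier)
    if supplier is None:
        return False, "unknown supplier"
    # Any deviation from the banking details on file is a high-risk event.
    if req.pay_to_account != supplier.account_on_file:
        if not req.callback_confirmed:
            return False, "change not confirmed by call-back"
        if req.callback_number_used != supplier.phone_on_file:
            return False, "call-back went to a number not on file"
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(req.approvals) < 2:
        return False, "large payment needs two distinct approvers"
    return True, "payment may be released"
```

The gate refuses a call-back made to a number lifted from the fraudulent email, which is the step the Harbour Trust court found missing.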
Neal Jardine is chief cyber intelligence and claims officer at BOXX Insurance. This article is excerpted from one that appeared in the August-September print edition of Canadian Underwriter.