Firm Sues Employee Following Successful Phishing Attack
A landmark civil employment case, involving a credit controller conned by fraudsters, is due to start this morning at the Court of Session in Edinburgh.
Patricia Reilly worked as the credit controller for Peebles Media Group, who publish magazines in Scotland that include Scottish Grocer, when she was scammed by email fraudsters on October 9th, 2015.
The impersonation fraud, or whale phishing attack, started on October 9th. The fraudsters claimed to be the managing director of the company, Yvonne Bremner, and ordered £24,800 to be paid to one of Peebles Media Group’s clients by CHAPS, a payment method that clears on the same day the request is made.
Before the initial payment was made to the fraudsters, Patricia Reilly consulted her line manager who then issued the payment to be made from the firm’s Clydesdale account.
Whilst the managing director, Yvonne Bremner, and Reilly’s line manager were on holiday, three more malicious whaling attempts were successfully made. During this time, Patricia Reilly made three separate payments totalling £193,250.
Peebles Media Group claim that, although the emails were sent from somebody claiming to be the managing director, they were not sent from Yvonne Bremner’s email account, something that Patricia Reilly should have been aware of.
They also claim that Patricia Reilly had clearly ticked a box which claimed that she had read and understood a document relaying the threats and warning signs regarding online fraud.
However, Patricia Reilly claims that she had been given no formal training on how to spot the signs of online fraud and that ticking a box only holds employees accountable rather than educating them on preventative approaches.
Finally, the company claim that employees were specifically told that no bills were to be paid between October 9th and October 17th, the dates that the management were on holiday.
When the successful attack was spotted, Reilly was dismissed from her position and, despite appealing against the loss of her job, she was unsuccessful.
Although the company were able to recover £85,265.98, the civil case will now determine whether Reilly is liable for the losses the company were unable to recoup from their bank.
Patricia Reilly, defendant in the lawsuit and ex-credit controller at Peebles Media Group, said: “I have always worked hard in my life to support both myself and my family. Whilst working as a credit controller at my job, my employer and myself fell victim to a massive fraud. When it was discovered, I had panic attacks and was off sick for a period of time.
“I was subsequently disciplined and sacked. I raised a claim at an employment tribunal for unfair dismissal. My partner, who supported me both practically and emotionally with the case, sadly passed away during this period with MND.
“My solicitor requested that the tribunal be postponed due to this but my ex-employer refused. Some months later I realised I couldn’t continue financially as well as living with the stress of my partner passing away. Six months later I was shell-shocked to find out I was being sued by my ex-employer for £107,984.02 – I had no choice but to legally defend myself.
“I have attempted to move on and was accepted by a major bank to start work as a credit controller but was honest and advised of the legal case. The offer was then withdrawn. I have had some temporary jobs with call centres and admin work. I nursed my mum for six months during this period till she sadly passed away.
“Ideally, I want to start a dog-walking business but due to being sued, it looks like I will not be accepted for insurance. Basically, my life has been a nightmare since it happened.”
Peebles Media Group’s lawsuit claims: “The suspicious nature of the circumstances which presented themselves to the Defender (Reilly) did not depend for their identification upon any specialist training or the like but, rather, simply upon the use of ordinary care and, indeed, common sense.”
Tom Lyes, Key Relationship Manager at The Practical Vision Network, said: “This is a frightening reminder of the impact that CEO Whaling fraud can have. The lady’s defence talks about a lack of training, which makes it imperative that businesses across all sectors remember to look at areas of risk under the golden triangle theory of people, processes and technology. The implications for law firms are significant if she wins or loses because they are one of the highest risk sectors targeted by cyber criminals daily. This is a case to keep a keen eye on.”
Has your law firm prepared and trained its staff to deal with suspicious emails? Should more training have been offered in this case?