Invoice fraud - do we have to pay again?

[JasperRising]

We have recently been victim of invoice fraud - small company was hacked and they were able to make it look like the company was invoicing us but with different payment details. So we paid up but the money hasn't got to the right company leaving us both out of pocket. Obviously, we got a good service that we were happy to pay for but we can't afford to pay for it twice! DP wants to offer to pay half again because he feels bad that company has lost out. I feel that paying half seems a bit random - why half? Also would it make it look like we are admitting to some guilt in the situation?

Does anyone have any idea what the legalities around the situation are? Are we obliged to pay again as at the moment the company hasn't received payment from us for services rendered?

Eeeek tricky! My argument to the company would probably be that the fraud is against them so it's down to them to claim it back/pursue it?

Does the company have insurance? They ought to have protection against this. What are they saying - are they asking you for payment again? Talk to them and see what they are planning to do - it is their reputation and their business that was hacked.

It really depends what exactly happened. If they were hacked because their security was poor, or they knew they had been hacked but failed to warn customers, you would have a good case for not paying.

Unless you can prove negligence then the fraud is against you and the company are not a party to it. Someone has conned you and you have made a payment to a third party. Your invoice still needs to be paid.

Negligence is a difficult one to prove. Did they have virus protection? If so then it's unlikely they were negligent.

How much is the bill? From a customer service/ goodwill viewpoint I would hope that they will negotiate with you, but legally you do still owe the money.

Still trying to get to the bottom of exactly what happened - it only came fully to light recently. It seems that their email was accessed such that the hacker was able to set up filtering rules to conceal incoming emails, replace them with their own incoming emails (so company thought they were emailing us but weren't) and insert their own outgoing emails (that we thought were from the company). Not sure how that level of access was gained!

We are reporting to ActionFraud - not sure what else we can/should be doing on that side of things.

Can you not see the banking details you sent payment to? If you give them to the company they could possibly go through their banks fraud dept to chase it?

We are landlords and our tenant's email was hacked (either she left her email open in an internet cafe or a password was hacked from another site) and someone wrote to us as "her" to say we should send her deposit to X account which was the hacker's.
I just looked back at the emails from the tenant and she would have been able to report this to the police as theft from her - it wasn't theft from us. Or there was a suggestion to obtain a court order from the bank or the ISP to obtain records of who was using/faking the accounts.

It was done via a slightly similar setup except that the tenant was out of email contact for a while so didn't notice that she didn't hear from us.

It's not you that has been robbed, though.

Personally I’d pursue the interpretation of the situation that leaves the company out of pocket rather than me! You paid an invoice sent to you from the company. It’s their problem that their systems were hacked.

We have the fraudulent bank details and I think the company has identified some of the IP addresses associated with the emails. I suppose we should probably wait for more investigation but I know that this type of fraud can be hard to resolve (as we did approve the bank payment) and DP is raring to write something to the company. I just don't want us to write the wrong thing!

It’s their problem that their systems were hacked.
Exactly.

Here, USA, it's harsh but it is the responsibility of the customer to ensure payment reaches the correct account. It happens here with things like downpayments for houses, hackers monitor real estate companies and all their email transactions then nip in right before closing costs are due with a fake email that looks like it comes from the title company and tell the home buyer to transfer the money to wrong bank. Often the customer doesn't realize until a couple of days later when they get a letter or call from the real title company telling them to transfer and it's too late, the scammers have already withdrawn the funds and scarpered. People here have lost hundreds of thousands and the homes they were hoping to buy by wire transferring to the wrong account. The authorities here take the view you are the ones who fell for the fake email and paid money into the wrong account just like if you followed a link from an email that looks like it came from your bank. You approve the payment so you are the one who stands to lose the money.

You could possibly use the data protection act.

MyDirtyLittleSecret, that's unfortunately rather how I am envisioning this having to play out (fortunately not quite so much money). It feels very harsh though as we are wise to phishing emails but this came from the right company (apparently), at the right time and with the right amount of money so we had no reason to question the bank details! I think I might go back to paying everything by cheque in the post at this rate...

I asked a family member who’s a legal professional and she said OP is liable to pay the invoice to the correct company as per their contract. Having no money (because you’ve been defrauded of it) isn’t an excuse not to pay - and it is OP who has been defrauded, not the company, because it’s OP who transferred her money to the wrong account.

Thanks @LlamaPyjamas! That's really helpful. Something about it seems a bit inherently unfair ie: we wouldn't have been defrauded if the company hadn't been hacked but it seems like a lot of cyber crime can be unfair...

LlamaPyjamas is correct it does not matter you made a mistake and paid the wrong person you do no cease to owe said money because people would totally abuse the system.

If they took it to court they would win nearly 100% as it was on your watch out to pay the right people sadly.

Yes, we deal with a fair few of these at work and I agree with @llamapyjamas.

I've seen a few negligence based defences but claims have been settled before trial.

Similar thing happened to us . You will need to contact your bank that you have made the payment from , since you believe it is fraud the bank will refund you the amount you have paid to the said fraud account. When this happened to us our Metro bank sorted it out and we were refunded the full amount straight away, You can then pay the company you own the money to.

Out of interest is this classed as a data breach under the new GDPR regs as clutterbugsmum suggested ie: our contact details were accessed by a third party? I doubt we'd pursue it as such but after all the radio ads I heard in the run up to GDPR I am interested in whether this is the sort of scenario it covered or just marketing emails and agreeing to cookies in more detail!