Geekzone: technology news, blogs, forums

kiwiharry

1030 posts

Uber Geek

ID Verified
Subscriber

#319072 19-Mar-2025 16:37

I was trawling through some Disputes Tribunal cases and found this one from last September which I found quite interesting, especially as I was self-employed doing freelance work and invoicing clients. This sort of thing hadn't ever crossed my mind.

The Applicants were awarded $5,300.00, which they paid as a deposit for painting services from the Respondent (Painter). The Applicants paid the deposit after receiving an invoice that they believed was from the Painter, but it was a "Man In The Middle" scam invoice. The deposit was paid into the bank account of the scammer.

Full decision - https://www.disputestribunal.govt.nz/assets/Documents/Decisions/LK-NI-v-JK-Ltd-2024-NZDT-636-5-September-2024.pdf

This is my summary of the case.

The Applicant asked the Painter for a quote for painting services. The Painter attended the site and issued a quote for $10,600.

At this point scammers intercepted emails to the Painter. Scammers replied to follow-up emails from the Applicant and subsequently issued an invoice to the Applicant for a 50% deposit, which the Applicant paid. It wasn't until the Applicant chased up a receipt for the payment that the Painter advised them that he'd had no correspondence with them after issuing the quote. This is when both parties realised that the Painter's email had been hacked and emails were being intercepted by scammers.

The Applicant took the Painter to the Disputes Tribunal. The Tribunal determined that the Applicants are entitled to make a claim under the Consumer Guarantees Act 1993, as there is a guarantee that a service will be carried out with reasonable care and skill.

The follow-up emails that were sent and the attached invoice did appear, from the evidence, to be genuine. As this was a business email compromise (BEC) issue, the email received by the Applicants was from the Painter's email address and the invoice was like the invoices sent by the Painter (which the Painter did confirm). There did not appear to be any issues that could have caused the Applicants to think that the correspondence and the invoice had not come from the Painter.

The Tribunal found that the Painter did not provide services with reasonable skill and care by not having appropriate cybersecurity measures in place. It determined that in BEC cases, the default liability generally rests with the business, as it is best placed to ensure that cybersecurity measures are in place to protect their IT systems. In this case, the Painter did not have adequate cybersecurity protections in place even though they had an IT firm managing their IT systems.

Judgement in favour of the Applicants, and the Painter was required to pay them $5,300.

 

 





If you can't laugh at yourself then you probably shouldn't laugh at others.


raytaylor
4014 posts

Uber Geek

Trusted

  #3355269 19-Mar-2025 16:53

That needs to be challenged in court. Sets a very bad precedent leaving it with that decision at the disputes tribunal. 





Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here




evnafets
537 posts

Ultimate Geek

Lifetime subscriber

  #3355274 19-Mar-2025 17:00

I wonder if the IT Firm providing the Painter with services has anything to answer for here?
Are they executing their role with "relevant skill and care"?

 

Presumably this is also the sort of scam that would be made harder to pull off by checking the company name matches the bank account. 

 

 


wellygary
8321 posts

Uber Geek


  #3355275 19-Mar-2025 17:02

Yip.

Although Disputes Tribunal rulings don't set legal precedents, they can be referred to by other Tribunal decisions, but they are not binding...




raytaylor
4014 posts

Uber Geek

Trusted

  #3355276 19-Mar-2025 17:05

Well, that's why we have professional liability insurance, but it's worrying if suddenly Joe Bloggs IT firm is responsible for the PaintingCo@xtra email address getting hacked etc., because I can see that turning into a headache.

Home-business-based PaintingCo doesn't want to pay the appropriate hourly rate for every piece of advice and cover every potential vulnerability or attack vector, and then argues with Joe Bloggs IT firm when something goes wrong: "you should have warned me about this possibility".





Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here


Handle9
11390 posts

Uber Geek

Trusted
Lifetime subscriber

  #3355282 19-Mar-2025 17:23

raytaylor:

 

That needs to be challenged in court. Sets a very bad precedent leaving it with that decision at the disputes tribunal. 

 

 

I'd agree that case law would be helpful but I don't agree that the decision is entirely unreasonable. Section 29 of the decision seems to be the crucial one to me:

 

 

29. In the present case, while the Respondent did use an external provider to ensure that the IT systems were appropriate and secure, there is no evidence to suggest that the Respondent had considered or invested in any proper cyber security measures. For instance, there is no evidence that the Respondent's businesses used multi-factor authentication or that the email passwords were sufficiently complex (and sufficiently unique) to prevent BEC. There is also no evidence to indicate how the BEC may have occurred from a technical perspective.

 

 

Without knowing the facts it seems very likely that there was a simple and repeated password used with no MFA. It's a pretty reasonable argument that this is negligent behaviour on behalf of the painter. They didn't take reasonable and practicable steps to prevent this foreseeable event.

 

It sucks but it does seem reasonable.


lxsw20
3552 posts

Uber Geek

Subscriber

  #3355283 19-Mar-2025 17:25

evnafets:

 

I wonder if the IT Firm providing the Painter with services has anything to answer for here?
Are they executing their role with "relevant skill and care"?

 

Presumably this is also the sort of scam that would be made harder to pull off by checking the company name matches the bank account. 

 

 

 

 

 

 

It depends I guess - if the IT firm has said you need to stop doing shared passwords and enable MFA, for example, and that gets ignored then it's on the painter firm IMO, as it's negligence. If it's some zero-day vuln or complicated attack, not so much.

 

 

 

We need some sort of GDPR in this country, not only for this sort of situation but so companies are actually accountable for how they are storing our PII. I was in the UK when GDPR came in; funnily enough, businesses take it seriously when you start talking about fines that are a % of profit.


jonherries
1395 posts

Uber Geek

Trusted
Subscriber

  #3355311 19-Mar-2025 18:21

Yeah had seen this a bit in the UK when we were there. Liability sits with the company/person that got hacked (the painter in this case).

 

I feel sorry for them, but it is not the customer's fault if they received an email from the account the painter used.

 

I have and do call the business we are dealing with to personally confirm the bank account number before paying substantial amounts. Have had a number of them seem incredulous that it could happen to them and are somewhat dismissive of my request. But think about the orthodontist - who offers $9.5k upfront payment ($500 discount). If you MITMed them, you could clear hundreds of thousands from their customers in a day or two.

 


Jon


 
 
 
 

timmmay
20580 posts

Uber Geek

Trusted
Lifetime subscriber

  #3355333 19-Mar-2025 20:24

I absolutely call to confirm account numbers for any payment over a few hundred dollars. I've heard of this scam happening in the past.


Lias
5589 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #3355369 19-Mar-2025 22:11

raytaylor:

 

That needs to be challenged in court. Sets a very bad precedent leaving it with that decision at the disputes tribunal. 

 

 

Why?

 

The painter did not take reasonable care to secure their email and the scam email was sent from their account, not spoofed. 

 

It seems eminently reasonable that they should reimburse the client.





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.


4n6expert
10 posts

Wannabe Geek

ID Verified

  #3355381 19-Mar-2025 23:01

raytaylor:

 

Well thats why we have professional liability insurance

 

No, insurance is not the primary protection for this type of situation.

 

The primary protection (ie. the painter protecting their business) is to operate the business with due care and skill, meaning taking care to ensure that IT security is up to a minimum standard.  What the minimum standard is would be judged by the type and size of the business (painter vs professional firm vs bank).  IMO, for a painter you would expect at least unique passwords, up-to-date AV software, firewall and software patches applied.  Maybe 2FA, maybe not - that's probably the boundary.  Although we don't know the technical details, the judgement concludes the painter was remiss.

 

The function of insurance is to deal with residual risk (the risk that remains even though the insured has acted reasonably) - not to protect the insured from their own recklessness or negligence.  That is why insurance policies have exclusions - for example in a car policy you would not be covered if you were drink driving, in many cyber policies you are not covered if you do not meet some specified minimum standard of IT security.

 

If the painter was negligent/reckless with IT security, it is likely that they would not be covered in this situation.  (Note: I carried out the technical investigation for NZ's first cyber insurance claim, so I have direct personal experience in this area).

 

but its worrying if suddenly joe blogs IT firm is suddenly responsible for PaintingCo@xtra email address getting hacked etc. because i can see that turning into a headache.

 

Joe Bloggs IT firm would only be liable if the hack happened as a result of their negligence and the contract in place with the painter did not shield them from the consequences thereof.

 

Your post implies that you think this DT judgement is a new thing, but it is not.  IMO it is simply a correct application of long-standing legal principles.

 

Home business based PaintingCo doesnt want to pay the appropriate hourly rate for every piece of advice and cover every potential vulnerability or attack vector

 

They are not expected to. The level of security expected depends on the type and size of business.

 

BTW, I have seen a cyber claim where the IT firm (rather stupidly, in my view) disabled realtime AV scanning on the client's computers because they were "old and slow" and that scanning slowed them down. The client got ransomwared, guess who was legally liable?

 

D.


4n6expert
10 posts

Wannabe Geek

ID Verified

  #3355384 19-Mar-2025 23:12

lxsw20:

 

It depends I guess - if IT firm has said you need to stop doing shared passwords and enable MFA for example and that gets ignored then its on the painter firm IMO, as its negligence. If its some zero day vlun or complicated attack, not so much.

 

From the perspective of the customer claiming against the painter, the question is whether or not IT security was good enough in that context (due care and skill).  If it was, painter is not liable.  If it wasn't, painter could be held liable.

 

The question of whether or not an IT firm could be held liable is a separate question, the painter could join them as a co-defendant to the claim if they wanted to argue that - or if the painter lost the case the painter could then make a claim against the IT firm.  But the IT firm would only be liable if they were negligent and the contract with the painter did not shield them from the consequences of that.

 

If the IT firm gave poor advice and that contributed to the problem, they would probably be liable (subject to contract). If the IT firm gave good advice they would not be liable.

 

We need some sort of a GDPR in this country not only for this sort of situation but so companies are actually accountable for how they are storing our PII. I was in the UK when GDPR came in, funny enough business take it seriously when you start talking about fines that are a % of profit.

 

 

That's a fair point. There were some additional "teeth" added to NZ's privacy law in 2020, but it's still a long way short of GDPR. Also my experience of dealing with the Privacy Commissioner is not exactly favourable, shall we say.

 

 


raytaylor
4014 posts

Uber Geek

Trusted

  #3355389 20-Mar-2025 00:11

Lias:

 

Why?

 

 

Many of us work in the IT industry. This is not something we want as an industry. 

There is no need for us to encourage it. 

 

I can quite happily express my dislike of the judgement if it supports the narrative I want to present (even if I am wrong).





Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here


Handle9
11390 posts

Uber Geek

Trusted
Lifetime subscriber

  #3355390 20-Mar-2025 00:33

raytaylor:

 

Many of us work in the IT industry. This is not something we want as an industry. 

 

 

Forcing businesses to take IT security seriously is a good thing for good operators in the IT industry. It's not a good thing for cowboys.

 

I don't see it as a bad thing at all.


mattwnz
20155 posts

Uber Geek


  #3355391 20-Mar-2025 00:51

As banks now have their systems set up to check the account number against the name of the company, I can't see how this could happen now. It was a pretty slack system before this came in imo.


SaltyNZ
8227 posts

Uber Geek

Trusted
2degrees
Lifetime subscriber

  #3355413 20-Mar-2025 08:13

timmmay:

 

I absolutely call to confirm account numbers for any payment over a few hundred dollars. I've heard of this scam happening in the past.

 

 

 

 

ANZ is rolling out payee verification in their app now. It will instantly tell you whether the name exactly or partially matches or not, although it will still allow you to go ahead even if there is no match.





iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.
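The checks several posters describe (evnafets's "company name matches the bank account", jonherries's and timmmay's phone call to confirm the account number, and SaltyNZ's exact/partial/no-match payee verification) can be put into a simple payables-side control: keep a record of each supplier's bank details that was confirmed out of band, and hold any invoice whose account number differs from that record. The following is an added example, not code from the thread, the bank or the Tribunal decision. The `Payee` record, the `REGISTRY` contents and the phone number are constructed, and the three-way name verdict is my own approximation of the exact/partial/none behaviour SaltyNZ describes, not the bank's algorithm. It assumes the standard NZ account layout (bank-branch-account-suffix, with a two- or three-digit suffix).

```python
import re
import unicodedata
from dataclasses import dataclass


# Hypothetical verified-payee record: details confirmed out of band (for example by
# phoning the supplier on a number you already hold, never one printed on the invoice).
@dataclass(frozen=True)
class Payee:
    name: str
    account: str   # NZ layout BB-bbbb-AAAAAAA-SSS, suffix 2 or 3 digits (assumption)
    phone: str     # number used to confirm changes; never taken from an invoice


# Constructed sample registry; the key and all details are fictitious.
REGISTRY = {
    "painter": Payee("JK Painting Ltd", "12-3456-0123456-00", "+64 3 555 0100"),
}

# Legal-form words ignored when comparing names ("Ltd" vs "Limited" is not a change).
_SUFFIXES = {"ltd", "limited", "co", "company", "inc"}

_ACCOUNT_RE = re.compile(r"^\s*(\d{2})[-\s]?(\d{4})[-\s]?(\d{7})[-\s]?(\d{2,3})\s*$")


def normalise_account(account: str) -> str:
    """Canonicalise an NZ bank account so '12 3456 0123456 00' and
    '12-3456-0123456-000' compare equal. Raises ValueError on a malformed number."""
    m = _ACCOUNT_RE.match(account)
    if not m:
        raise ValueError(f"not a bank account number: {account!r}")
    bank, branch, number, suffix = m.groups()
    return f"{bank}-{branch}-{number}-{suffix.zfill(3)}"


def normalise_name(name: str) -> str:
    """Lower-case, strip accents and punctuation, drop legal-form suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = [t for t in re.findall(r"[a-z0-9]+", text) if t not in _SUFFIXES]
    return " ".join(tokens)


def match_name(expected: str, supplied: str) -> str:
    """Three-way verdict in the style of bank payee verification:
    'exact', 'partial' or 'none'."""
    a, b = normalise_name(expected), normalise_name(supplied)
    if not a or not b:
        return "none"
    if a == b or a.replace(" ", "") == b.replace(" ", ""):
        return "exact"
    ta, tb = set(a.split()), set(b.split())
    if ta <= tb or tb <= ta:            # one name is a sub-phrase of the other
        return "partial"
    if len(ta & tb) / len(ta | tb) >= 0.5:
        return "partial"
    return "none"


def check_invoice(registry: dict, supplier_key: str,
                  invoice_name: str, invoice_account: str) -> dict:
    """Decide whether an invoice may be paid ('ok') or must be held for a phone
    confirmation ('hold'). The account number is the authoritative field: a
    changed account is the BEC signal, however genuine the email and name look."""
    record = registry.get(supplier_key)
    if record is None:
        return {"verdict": "hold", "name_match": "none", "account_match": False,
                "reason": "no verified payee record; confirm details by phone before first payment"}
    try:
        account_match = normalise_account(invoice_account) == normalise_account(record.account)
    except ValueError as exc:
        return {"verdict": "hold", "name_match": "none", "account_match": False,
                "reason": str(exc)}
    name_match = match_name(record.name, invoice_name)
    if not account_match:
        verdict, reason = "hold", f"account differs from verified record; call {record.phone} to confirm"
    elif name_match == "none":
        verdict, reason = "hold", "account matches but payee name does not; check before paying"
    else:
        verdict, reason = "ok", "account matches verified record"
    return {"verdict": verdict, "name_match": name_match,
            "account_match": account_match, "reason": reason}


if __name__ == "__main__":
    # Genuine invoice: same account, name spelt with "Limited" instead of "Ltd".
    print(check_invoice(REGISTRY, "painter", "JK Painting Limited", "12-3456-0123456-000"))
    # Scam invoice: identical name and sender, but the account has been swapped.
    print(check_invoice(REGISTRY, "painter", "JK Painting Ltd", "38-9012-0654321-00"))
```

The point of the design is that the name check alone would pass the scam invoice in the case above (the scammer kept the Painter's name), so the control keys on the account number and treats any change, including a first-time payee, as a hold until someone confirms it on a phone number that came from the verified record rather than from the invoice.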

