A buyer of a used car must pay the agreed price to the seller even if he has already paid it to a third party after receiving an e-mail carrying a fake invoice with different bank details. The Karlsruhe Higher Regional Court (OLG) ruled this in a judgment of July 27 that has now been published (Az.: 19 U 83/22), overturning the contrary decision of the Mosbach Regional Court (LG) of May 2022. At the same time, the appeal court clarified which security precautions must be observed when sending e-mails in commercial transactions. In particular, end-to-end encryption is usually not required.
Responsible for spotting fraud
In this case, the managing director of one company bought a used Mercedes E 200 T from another company for 13,500 euros. On the same day at 11:44 a.m., the seller sent the invoice, as requested, as an attachment to an e-mail to the contractual partner. An account at a savings bank for receiving the money was specified in the header and in the footer of the invoice. Two minutes later, the buyer received a second e-mail with a manipulated payment request naming a recipient account at a bank in Berlin. That message suddenly addressed the recipient with the formal "Sie", although the managing directors were on first-name terms, and ended with an incomprehensible sentence referring to a completely different product. Nevertheless, the customer transferred the amount to the account number received last.
Eleven days later, the seller demanded the money, which he had not received. Only then, according to the court documents, did it emerge that the second e-mail had been sent by an unauthorized third party as a result of a "hacker attack". The seller filed a criminal complaint and sued the buyer, who refused to pay him and regarded his obligations under the purchase contract as already fulfilled. The LG Mosbach sided with the defendant and took the position that the plaintiff had provided "too little" data security. The Higher Regional Court overturned this decision and ordered the buyer to pay the plaintiff the agreed price plus interest and the costs of the legal dispute. It did not allow an appeal on points of law (Revision).
No obligation to take security measures
The judges in the appeal proceedings also state: "In the absence of legal requirements for security precautions when sending e-mails in commercial transactions, the type and scope of the necessary security precautions are determined by the legitimate security expectations of the relevant traffic, unless the parties have expressly agreed to this consideration of reasonableness." Accordingly, neither evidence of transport encryption nor a digital signature on the PDF file is required. It could be different for an exchange between natural persons without a business character if the General Data Protection Regulation (GDPR) applies.
The Higher Regional Court likewise sees no obligation to use the Sender Policy Framework (SPF). End users like the plaintiff, who do not operate an e-mail server themselves, would have no influence at all on such a procedure for checking who is authorized to send e-mail for a domain. However, the security precautions at the seller's company were apparently not particularly good: according to the verdict, his e-mail account with an external provider was protected with a password that was known to "two people in the plaintiff's entire company" and that was changed "every two to four weeks". "Password rotation is theatre. Not only useless, but actually counterproductive," criticizes the IT security expert and blogger Fefe. The relevant question would have been whether the mail came from the seller's server. The corresponding header was apparently not checked at all.
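The header check mentioned above is something a recipient can do even without running a mail server, because the receiving provider's gateway records the SPF and DKIM outcome in an Authentication-Results header. The following script is an added example, not code from the article or from any party to the case: it parses two constructed messages (all domains, addresses and header values are invented) and flags a payment request whose envelope sender failed SPF, carries no valid DKIM signature, or uses a return-path domain that differs from the visible From domain. The hypothetical authserv-id `mx.buyer.example` stands for the recipient's own gateway; Authentication-Results headers stamped with any other identifier are ignored, since a sender could have inserted them.

```python
"""Assess e-mail authentication headers before acting on a payment request.

Added example (not from the article): all addresses, domains and header
values below are constructed for illustration.
"""
import email
import re
from email import policy

# Hypothetical identifier of the receiving organisation's own mail gateway.
# Only Authentication-Results headers stamped with this authserv-id are
# trusted; a sender can insert such a header itself, so foreign ones are ignored.
TRUSTED_AUTHSERV_ID = "mx.buyer.example"

# Constructed sample: the genuine invoice mail passes SPF and DKIM.
GENUINE = """\
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=seller.example; dkim=pass header.d=seller.example
From: Seller GmbH <gf@seller.example>
To: Buyer GmbH <gf@buyer.example>
Subject: Invoice 4711

Hi, the invoice is attached.
"""

# Constructed sample: the follow-up "corrected" payment request fails SPF,
# carries no DKIM signature, uses a foreign return path, and additionally
# contains a second Authentication-Results header not written by our gateway.
FORGED = """\
Authentication-Results: mx.buyer.example; spf=fail smtp.mailfrom=mail.other.example; dkim=none
Authentication-Results: bogus.example; spf=pass smtp.mailfrom=seller.example
From: Seller GmbH <gf@seller.example>
To: Buyer GmbH <gf@buyer.example>
Subject: Invoice 4711 - new bank details

Dear Sir, please transfer to the account below instead.
"""


def parse_auth_results(msg, trusted_id=TRUSTED_AUTHSERV_ID):
    """Collect method -> result from Authentication-Results headers added by our gateway."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id = value.split(";", 1)[0].strip()
        if authserv_id != trusted_id:
            continue  # not stamped by our gateway: may have been inserted by the sender
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", value, re.IGNORECASE):
            results[m.group(1).lower()] = m.group(2).lower()
        mfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", value)
        if mfrom:
            results["mailfrom"] = mfrom.group(1).lower()
    return results


def assess(raw_message):
    """Return a sorted list of findings; an empty list means nothing suspicious was found.

    Missing authentication results are treated as a failure, so a message
    that never passed through the trusted gateway is flagged as well.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    findings = []
    if auth.get("spf") != "pass":
        findings.append("spf-not-pass")
    if auth.get("dkim") != "pass":
        findings.append("dkim-not-pass")
    # Compare the visible From domain with the envelope (return-path) domain
    # recorded by the gateway; smtp.mailfrom may be a full address or a domain.
    from_addr = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    from_domain = from_addr.rsplit("@", 1)[-1]
    mailfrom_domain = auth.get("mailfrom", "").rsplit("@", 1)[-1]
    if mailfrom_domain and mailfrom_domain != from_domain:
        findings.append("envelope-header-domain-mismatch")
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(f"{label}: {assess(raw) or 'no findings'}")
```

The point of the script is procedural rather than cryptographic: a change of bank details arriving minutes after a genuine invoice should be held for an out-of-band confirmation whenever `assess()` returns any finding, regardless of what the message body says.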
(tiw)