
Employees Falling for Phishing Scams: Who is at Fault?

Shortly after Patricia Reilly was fired from Peebles Media Group, she was sued for the $138,000 the company lost in a BEC (Business Email Compromise) scam. Was Patricia being negligent when hackers, posing as her boss who was away on vacation, conned her into making the wire transfers that caused her to lose her job? [1]

BEC scams, also known as EAC (Email Account Compromise), are a sophisticated type of phishing scam whereby cybercriminals trick key employees of an organization into sending wire transfer payments to bank accounts controlled by the hackers. According to the FBI, in 2019, their Internet Crime Complaint Center (IC3) received 23,775 Business Email Compromise (BEC) complaints with adjusted losses of over $1.7 billion. [2]

In another startling phishing scam example, an employee working for the Saint Ambrose Catholic Parish in Ohio was deceived by hackers into believing that the construction firm hired to build and renovate at the church had changed its bank account information. For two months the church was sending payments, totaling $1.7 million, to a group of cybercriminals. [3]

Arguably the biggest cyber heist on record belongs to Milan-headquartered Tecnimont SpA. In a CEO fraud scheme, hackers in China sent emails to the head of the company’s Indian subsidiary regarding a highly confidential acquisition in China. Citing regulatory reasons, the hackers convinced the Indian head of accounts to make three transfers in the course of a week to an account in Hong Kong. The total? A whopping $18.6 million. The money was withdrawn within minutes of hitting the Hong Kong bank account. [4]

So, who is at fault in cases like this? Patricia Reilly’s case went to court. Attorneys for Peebles Media Group argued that Patricia’s actions were "careless and in breach of the duties—including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer, the pursuer." In Patricia’s defense, her lawyers showed that Patricia had never received any cybersecurity training. In the end, the judge ruled in Patricia’s favor. The judge found that while Patricia was acting outside the scope of her duties when she made the transfers, that is not what led to the loss. Instead, it was the targeted cyberattack that was to blame. [1]

In the case of Saint Ambrose Catholic Parish, although they never filed charges against the employee who fell for the phishing scam and changed the construction company’s bank account information to that of the hacker, they did file an insurance claim. [3] Unfortunately, in most situations like this, when the loss of funds is due to human error, albeit a case of deception, insurance companies generally do not pay and the business is held liable.

As for Tecnimont SpA, both the Indian chief and the head of accounts were fired, and the company has yet to recover any of its money.

There is no denying that the lives of the employees who fell for these phishing scams were upended, whether through the loss of a job, the stress of involvement, or the legal fees paid to be proven not at fault. However, in all three of these cases, the defrauded company paid the financial consequences. That is a big red flag to any business that could fall victim to cybercrimes such as these.

The amount of money lost to cybercriminals more than tripled from 2015 to 2019. [2] Cybercrime affects companies of all sizes, all industries, all over the world. The best step you can take to protect your business is to never put your employees in a position to be fooled by a phishing attack in the first place. By taking a simple, proactive step to maintain the integrity and security of your company’s emails, you can avoid being among the growing number of companies devastated by cybercrime. INKY® is a cloud-based email security service that is designed to catch everything, including spam, malware, phishing threats, and more. INKY® uses intelligent machine learning algorithms to catch abnormalities in emails, even if the threat has never been seen before. Learn more about email security, and how INKY® can help you prevent phishing attacks.

This blog was updated in May 2022. 


INKY® is the emerging hero in the war against phishing. An award-winning cloud-based email security program, INKY® prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY® is the smartest investment you can make in the security of your organization. INKY® is a proud winner of the NYCx Cybersecurity Moonshot Challenge and finalist in the 2020 RSAC Innovation Sandbox Competition. Learn more about INKY® or request an online demonstration today.