Employees Falling for Phishing Scams: Who is at Fault?

Shortly after Patricia Reilly was fired from Peebles Media Group, she was sued for the $138,000 the company lost in a BEC (Business Email Compromise) scam. Was Patricia being negligent when hackers, posing as her boss who was away on vacation, conned her into making the wire transfers that caused her to lose her job?[1]

BEC scams, also known as EAC (Email Account Compromise), are a sophisticated type of phishing scam in which cybercriminals trick key employees of an organization into sending wire transfer payments to bank accounts controlled by the hackers. According to the FBI, its Internet Crime Complaint Center (IC3) received 19,954 Business Email Compromise (BEC) complaints in 2021, with adjusted losses of nearly $2.4 billion.[2]

In another startling phishing scam example, an employee working for the Saint Ambrose Catholic Parish in Ohio was deceived by hackers into believing that the construction firm hired to build and renovate the church had changed its bank account information. For two months the church sent payments, totaling $1.75 million, to a group of cybercriminals.[3]

Arguably the biggest cyber heist on record belongs to Milan-headquartered Tecnimont SpA. In a CEO fraud scheme, hackers in China sent emails to the head of the company’s India subsidiary regarding a highly confidential acquisition in China. Citing regulatory reasons, the hackers convinced the head of accounts in India to make three transfers in the course of a week to an account in Hong Kong. The total? A whopping $18.6 million. The money was withdrawn within minutes of hitting the Hong Kong bank account.[4]

So, who is at fault in cases like these? Patricia Reilly’s case went to court. Attorneys for Peebles Media Group argued that Patricia’s actions were "careless and in breach of the duties—including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer, the pursuer." In Patricia’s defense, her lawyers showed that Patricia had never received any cybersecurity training. In the end, the judge ruled in Patricia’s favor. The judge found that while Patricia was acting outside the scope of her duties when she made the transfers, that is not what led to the loss. Instead, it was the targeted cyberattack that was to blame.[1]

In the case of Saint Ambrose Catholic Parish, although the parish never filed charges against the employee who fell for the phishing scam and changed the construction company’s banking information to that of the hacker, it did file an insurance claim.[3] Unfortunately, in most situations like this, when the loss of funds is due to human error (albeit a case of deception), insurance companies generally do not pay and the business is held liable.

As for Tecnimont SpA, the India head of accounts was fired and the company has yet to recover any of its money.

There is no denying that the lives of the employees who fell for these phishing scams were upended, whether through the loss of a job, the stress of involvement, or legal fees paid to be proven not at fault. However, in all three of these cases, the defrauded company paid the financial consequences. That is a big red flag to any business that could fall victim to cybercrimes such as these.

In the last five years, the amount of money lost to cybercriminals has gone from $1.4 billion to $6.9 billion. That’s an increase of almost 400%.[2] Cybercrime affects companies of all sizes, all industries, all over the world. The best step you can take to protect your business is to never put your employees in a position to be fooled by a phishing attack in the first place. By taking a simple, proactive step to maintain the integrity and security of your company’s emails, you can avoid being among the growing number of companies devastated by cybercrime.

INKY is a cloud-based behavioral email security platform that blocks threats, prevents data leaks, and coaches users to make smart decisions. INKY™ uses intelligent machine learning algorithms to catch behavioral abnormalities in emails, even if the threat has never been seen before. Whether you’re concerned about the safety of your inbound, outbound, internal, or mobile email, INKY is the solution you need.

Learn more about email security, and how INKY™ can help you and your employees prevent costly phishing attacks. Schedule a free online demonstration today.
