Cyberfraud and the risk of suffering damage… twice!

Circumstance

Cybercrime often follows a similar pattern. The market and business relationships between parties are monitored closely and exploited at the right moment — often when a deal has been finalised or a money transfer is imminent — by taking over the communication between the relevant people ("spoofing"). As a result, a business partner is tricked into executing a monetary transaction to the wrong account. The perception that such activities are being carried out by lone hackers in a shabby room is a thing of the past. These activities are the result of meticulously organised and planned processes.

In our Legal Insight of 28 March 2025, we highlighted legal developments that improve the possibility of asset restitution for victims (https://www.schoenherr.eu/content/austrian-legal-reform-enhances-asset-restitution-for-ceo-fraud-victims). However, as the Austrian Supreme Court (OGH) recently ruled, fraud is not just a matter for criminal courts. Another question is whether the real business partner can claim payment from the victim again.

The facts of the case are similar to those described above:

An Austrian company owed a French company the purchase price for goods supplied. The first attempt to transfer the purchase price failed. When the responsible employee of the buyer inquired about this, confirmation was received that the account details were correct. Shortly afterwards, fraudsters took over the correspondence. Using authentic-looking e-mails and fake bank certificates, they attempted to persuade the employee to first transfer the money to a German account and then to a Belgian one.

As none of the accounts were in the seller's name, the buyer's employee replied by unwittingly sending an e-mail to the fraudsters, who, of course, reassured the employee that everything was in order. The subsequent transfer to the German account failed, while the transfer to the Belgian account went through. During these events, the buyer's employee repeatedly tried and failed to reach the seller's actual employee by phone. 

Since the seller never received the purchase price, it sued the buyer. The Supreme Court ruled in favour of the seller and ordered the buyer to pay – for a second time.

No active action by the creditor

As monetary debts are delivery debts (Geldschulden sind Bringschuden), the buyer was responsible for delivering the money to the seller's account. The buyer could not rely on the assumption that the seller had changed the account details, as this change was made by the fraudsters. Similarly, the buyer could not apply the principles of cases involving third parties not attributable to the creditor (i.e. the seller in this case) intervening. Such an application would require that the account details were changed with the seller's knowledge.

Irrelevance of the creditor's (possible) negligence

The fraudulent e-mails were also not attributable to the creditor's negligent conduct. This would only be the case if someone had misused the seller's qualified electronic signature. However, in this case, no such technology was used, meaning the e-mails did not provide absolute proof of the sender's identity anyway. According to the OGH, it would be excessive to require ordinary e-mail users to secure their IT systems with up-to-date protection software to prevent hackers from misusing their identities to send e-mails.

No good faith on the part of the buyer

The OGH also rejected the argument that the buyer acted in good faith and was therefore entitled to assume that the fraudulent act was attributed to the seller. In the OGH's opinion, the buyer acted with at least slight negligence: 

• the fraudsters provided the buyer with a name of the recipient of the money transaction that differed from that of the seller;
• the fraudsters demanded that the transfer be made to an account with a German and then with a Belgian credit institution, even though the account to which the money should have been transferred initially belonged to a French credit institution; and
• the buyer refrained from make further and more intensive attempts to contact and reach the seller's responsible employee by telephone to verify the accuracy of the account information.

Conclusion

The case illustrates how quickly a party can suffer a double financial loss from a single instance of cyberfraud. All too often, people executing money transactions hesitate to verify the accuracy of the provided information. Fraudsters exploit this hesitation, typically by creating artificial time pressure.

How to avoid not only transferring money to the wrong account but also being exempt from liability toward a business partner? The OGH provides a clear answer: contact the person you have been doing business with using the verified contact details you already have. And if you do not reach them? Try again. And again. And again — until you do. Notably, the person in this case had the presence of mind to attempt this. Alas, after failing to make contact, the transaction was still executed prematurely.

As unfortunate as this story was for the buyer, it hopefully will raise awareness. Better safe than sorry.

authors: Oliver M. Loksa, Laura Benczak