Cybercrime and Man-in-the-Middle Attacks: Legal Defence Strategies

Defending a creditor from payment interception by a cybercriminal demands a detailed analysis of the situation and the implementation of an appropriate legal strategy. In such cases, the involvement of a malicious third party, as in man-in-the-middle (MitM) fraud scenarios, can significantly complicate dispute resolution.

Typical Case of MitM Fraud in Business Transactions

A frequent example involves a business owner providing services to a Spanish company, issuing an invoice and sending it via email. However, the creditor’s email account falls victim to a cyberattack, and a cybercriminal intercepts the correspondence. By impersonating the creditor and using their email address, the cybercriminal requests that the payment be sent to a different bank account.

The Spanish company, oblivious to the fraud, processes the payment to the indicated account. When the deception is uncovered, the company refuses to make a second payment, arguing, on the one hand, that it acted in good faith under Article 1,164 of the Civil Code and, on the other hand, that the security breach occurred within the creditor’s system.

Recommended Legal Actions for the Affected Creditor

In this situation, the most effective course of action is to file a lawsuit against the Spanish company to claim payment for the invoice, as pursuing the cybercriminal is unfeasible due to their unknown location. In preparing the defence, it is essential to anticipate that the judge might consider the creditor partially responsible for the security breach, potentially applying fault-sharing, where both parties bear part of the responsibility.

To effectively structure the defence, it is crucial to recognize that the standard of care required from the payer is higher than that of the recipient. While the creditor passively verifies the receipt of funds, the payer actively ensures the payment is executed correctly.

Key Aspects of Legal Defence Against Cybercrime

In this context, it is crucial to highlight the following key points during litigation:

  • Public Warnings About MitM Attacks: Highlight that public and private institutions have issued warnings regarding MitM fraud risks, with an unexpected change in the creditor’s account details being a common warning sign.
  • Lack of Caution by the Payer: Demonstrate that the payer failed to take recommended precautions, such as verifying the account change through alternative means (phone call or video conference with the creditor) or requesting a certificate of ownership for the new account.
  • Lack of Staff Training: Show that employees handling payments did not receive adequate training on cyberattack prevention. Their testimony can corroborate the evidence.
  • Inconsistencies in the Fraudulent Email: The cybercriminal’s email may display warning signs, such as requesting payment to an account in another country or containing obvious errors (misspellings, pixelated logos of the creditor’s company, etc.).

After evaluating all factors, a judge may determine that while the security breach happened in the creditor’s system, the payer’s negligence is significant enough to require that the payment be made correctly again.

Ultimately, the specific details of each case, rather than general formulas, will determine the most appropriate legal strategy and, in turn, the success of the client’s defence.

If your company is facing cybercrime issues and needs expert legal defence in Spain,

Please note that this article is not intended to provide legal advice.

Related Posts