cerrar

EnglishEnglish

EspañolEspañol

DeutchDeutsch

FrançaisFrançais

NederlandsNederlands

CatalàCatalà

wassap

Contact

Calendari

Quote

Invoice fraud in e-mails: Is the debtor relieved of payment obligations?

According to data collected by the Attorney General's Office, more than 16,900 legal proceedings involving cybercrime took place in Spain in 2020, representing an increase of 28.69% over the previous year. In the following years, these figures have only increased.

Of the victims of this type of crime, an estimated 65 to 70 percent are small and medium-sized businesses. The reason is clear: the recurrent use of digital tools - for storing and managing information, for making payments, etc. - together with a lack of resources and resources, and a lack of access to information. - coupled with a lack of resources and knowledge of prevention, make this type of companies the number one target of these criminals.

One of the most popular types of cybercrime is the technique known as "Man in the Middle". Through this technique, the cybercriminal intercepts the communications exchanged between two parties, monitoring the messages and, when the time comes, manipulating the exchanged messages at will.

One of the most common types, which we will discuss in this article, is email invoice fraud, where the offender acts when, in the context of payment for services, the supplier sends the client an invoice. At this point, with communications previously monitored by the criminal, the latter sends, from the supplier's own e-mail account or one with a very similar address name, an e-mail informing of a change in the bank account number to which the payment should be made.

Once the debtor has paid the amount into the new account, the offender disappears without leaving any trace. Often the intrusion is not detected until a few weeks later, when the supplier, not seeing the deposit in his bank account, contacts his customer and discovers what has happened.

As we pointed out, this is a technique widely used by criminals and has already been dealt with by our criminal and civil courts. They have had occasion to rule, among other questions, on the central issue of this article: does the payment made by the debtor have a discharging effect? In other words, once the incident has been detected, does the debtor have to pay his creditor the sum already deposited in the cybercriminal's account or does the payment made release him from his obligation? 

To resolve this question, we must first start from the general rule set out in Article 1162 of the Spanish Civil Code, which states that payment must be made to "the person in whose favour the obligation was constituted".

However, there are two exceptions to the general rule: (i) the one provided for in Article 1163 of the Spanish Civil Code: "[...] payment made to a third party shall be valid insofar as it has become the creditor's utility"; and especially, (ii) the one contained in Article 1164 of the Spanish Civil Code: "payment made in good faith to the person in possession of the claim shall discharge the debtor".                                                  

It is precisely on the basis of both provisions that our case law has ruled on the discharging effect of the payment made in the context of a "Man in the Middle" fraud, and in particular, on the requirements or elements that must be examined in order to answer the question that has been raised.                

For the sake of clarity, we refer firstly to the decision of the Audiencia Provincial of Madrid (10th Section) Sentence no. 501/2019 of 28 October:

"In short, it is necessary, in this last case, the case on which the resolution of the question submitted for trial hinges, that in order for the payment made by the debtor to the apparent creditor to produce a dischargeable effect, the concurrence of three requirements is necessary: effective payment by the debtor; possession of the credit or appearance of ownership of the credit, which must be reasonable or objectively plausible, that is to say, justifying good faith when paying to a person other than the true creditor; and good faith of the debtor or solvens; [...] the mere subjective belief or conviction that the true creditor is being paid is not sufficient, as it is necessary that such a belief exists even if the diligence that is really required in accordance with the circumstances of the case has been used, and it must derive from objective and reliable data. Objective good faith which, unlike subjective good faith, is not presumed, but must be proven by the party who invokes it (Art.217 LEC). And in the absence of such assumptions, as in the present case, the debtor is obliged to pay his creditor, without prejudice to claiming the return of what he considered to be the creditor [...]".

 

Thus, the requirements that must be observed in order for the payment made by a third party in good faith to a non-creditor to have a releasing effect are the following: (i) making an effective payment; (ii) the existence of a reasonable and justified appearance of ownership of the credit; and (iii) the good faith of the debtor, understood objectively and examined in the light of the use of a reasonable diligence.

Since neither the payment to a third party nor the subjective good faith, understood as the conviction that whoever pays does so to the true creditor, is debatable in these cases, the liberating effect of the payment will be determined by the concurrence of the objective good faith which, as we have already pointed out, arises from the use of the due diligence. Thus, only the observance of such diligence, contextualised in the particularities of each case, allows us to affirm the reasonableness of the apparent belief that justifies payment to a third party and that discharges the debt.

Therefore, it is not possible to give a generic answer to the question raised. We must necessarily attend to the specific circumstances of each case.

In contrast to the previous case, where the Court ruled that the debtor should pay the amount already paid to the cybercriminal to the real creditor, in the following case decided by Bilbao Commercial Court no. 2 in its Sentence no. 152/2021 of 11 March, the opposite is established:

"With the precision that I will make in relation to the amount, the challenge will be resolved in favour of the bankrupt party because, in view of the concurrent circumstances, it must be considered proven that Balzola acted with the required diligence. Indeed, he acted after receiving an email from the same person with whom he had previously arranged the payment and from the same email address. More importantly, when he made the transfer, he obtained a receipt indicating the Challenger as the beneficiary of the transfer. Thus, Balzola had no reason to suspect that he was being the object of an illicit act, and for this reason the payment he made must be effective".

 

Therefore, in conclusion, we can state that in order for the payment made by the debtor in good faith to a third party other than the creditor to have discharging effects, we must analyse whether the latter has acted diligently, not being able to establish a homogeneous answer for all cases. To this end, it is important to assess the circumstances of each case, observing numerous elements such as: (i) the e-mail address used by the offender; (ii) the existence of obvious external signs that warn of a possible hacking; (iii) the existence of previous commercial relations in which the payment was made in a different account or through another contact; etc.

 

Pedro Pérez-Cuesta Llaneras
Illeslex Lawyers

Other posts that
may interest you

The other half.......

08-mar-2024 / ARTICULO

The other half.......

Read More >
Partnerships to promote the sustainable transformation of the tourism sector...

08-ene-2024 / ARTICULO

Partnerships to promote the sustainable transformation of the tourism sector...

Read More >

Subscribe now to
our newsletter

We keep you informed

You'll find us at...