Phishing and hacking are omnipresent in the digital business world - a recent ruling by Rostock Regional Court (judgment of 20.11.2024, ref. 2 O 450/24, final) now provides clarity as to who is liable - and why.
The case:
In an ongoing business relationship, a customer received a correct invoice from the actual contractual partner. Shortly afterwards, a second, deceptively genuine-looking email arrived with a fake invoice. It not only contained manipulated bank details, but was also technically disguised by incorrect HTML formatting, a common ploy in phishing emails.
The customer then transferred the amount to the wrong (alleged) sender. When the company, as the real contractual partner, nevertheless demanded payment, the customer, as defendant, raised two arguments:
- The company had not adequately secured its e-mail system.
- The company could not demand anything that was "immediately refundable" - a reference to the legal "dolo agit" objection.
The verdict:
The Rostock Regional Court rejected both arguments. In the court's opinion, the payment obligation towards the company had not been fulfilled, because the money was paid to an unauthorized third party. In addition, the customer should have recognized clear warning signals, such as:
- the conspicuously changed bank details to a Dutch bank,
- incorrectly displayed umlauts in the e-mail,
- an atypical HTML character string in the e-mail text.
Result: The customer had to pay again.
Recommendations for action:
FOR INVOICE RECIPIENTS:
- Check every invoice meticulously for bank details, HTML errors or linguistic anomalies.
- In case of doubt, ask questions by phone or use established communication channels.
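The three warning signals the court listed can be checked mechanically before a payment is released. The following Python example is added here and is not part of the ruling or the original article; the regular expressions, function names and sample emails are assumptions constructed for illustration, and the two IBANs are public documentation examples.

```python
import re

# Assumption: "incorrectly displayed umlauts" means UTF-8 text decoded as
# Windows-1252, so "ü" shows up as "Ã¼". Build the damaged forms to match on.
MOJIBAKE = re.compile("|".join(
    re.escape(c.encode("utf-8").decode("cp1252")) for c in "äöüÄÖÜß"))
# Assumption: an "atypical HTML character string" is a literal tag or entity
# left visible in the message text.
HTML_RESIDUE = re.compile(r"</?[a-zA-Z][^>]*>|&(?:nbsp|amp|[aouAOU]uml|szlig|#\d+);")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def normalize(iban):
    return re.sub(r"\s+", "", iban).upper()

def iban_valid(iban):
    """ISO 13616 check: move first four chars to the end, map A-Z to 10-35, mod 97 == 1."""
    s = normalize(iban)
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def review_invoice(body, iban_on_file):
    """Return the red flags found in one invoice email's visible text."""
    flags, known = [], normalize(iban_on_file)
    for match in IBAN.findall(body):
        found = normalize(match)
        if not iban_valid(found):
            flags.append(f"IBAN fails checksum: {found}")
        elif found != known:
            flags.append(f"bank details differ from supplier record: {known[:2]} -> {found[:2]}")
    if MOJIBAKE.search(body):
        flags.append("broken umlauts (encoding damage)")
    if HTML_RESIDUE.search(body):
        flags.append("raw HTML markup visible in message text")
    return flags

# Constructed sample data. Both IBANs are the public documentation examples.
IBAN_ON_FILE = "DE89 3704 0044 0532 0130 00"
GENUINE = "Rechnung 1001\nIBAN: DE89 3704 0044 0532 0130 00\nMit freundlichen Grüßen"
SUSPECT = ("Rechnung 1001<br>\nNeue Bankverbindung, IBAN: NL91 ABNA 0417 1643 00\n"
           + "Mit freundlichen Grüßen".encode("utf-8").decode("cp1252"))

if __name__ == "__main__":
    for name, body in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, review_invoice(body, IBAN_ON_FILE))
```

A flag is a reason to confirm the bank details by phone on a number already on file, not proof of fraud.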
FOR COMPANIES:
- Even without a legal obligation to use end-to-end encryption, transport encryption is recommended.
- Use authenticated systems, introduce updates, monitoring and emergency plans.
- Keep your customers informed transparently and proactively in the event of security incidents.