Cybersecurity & employee liability for losses incurred through online fraud

26 February 2019

A recent Scottish case involving an employer seeking to recover its losses from an employee who was deceived into transferring company funds of £193,250 to online fraudsters has sparked considerable interest amongst employers and lawyers alike. This is the first reported case of its kind where the employing company has dismissed an employee for gross misconduct and thereafter issued legal proceedings against their former employee to seek to recover their losses.


Peebles Media Group dismissed its credit controller, Patricia Reilly, for gross misconduct when it discovered that she had been deceived by a number of bogus emails, purporting to be from the Managing Director of the company but in fact sent by online fraudsters, into making a series of online payments to the fraudsters totalling £193,250. Whilst the company managed to recover some of the money from the bank, it has issued legal proceedings against Ms Reilly to recover the remaining unrecovered losses of £108,000. Whilst Ms Reilly contends that she was a victim of online fraud and had not received any training from her employer on how to detect or avoid such scams, the company asserts that training was not necessary and that Ms Reilly ought to have realised this was a fraud: she had been informed that no bills were due to be paid during the relevant period when the Managing Director was on holiday, and she had also ticked a box to confirm that she had read a warning about fraud when trying to access the employer’s online banking facilities.

Aside from whether an employee is likely to have the funds or assets to repay such a significant sum, this case raises a number of significant legal issues for employers: the extent to which an employee can be held legally responsible for losses arising from their actions at work; whether, and to what extent, employers can legitimately expect their staff to spot and avoid online fraud; and, if employers seek to hold their employees legally accountable in this way, whether the employer will be required to demonstrate that it has sufficiently robust cybersecurity measures and IT systems in place to reduce the risk of fraudulent activity reaching the email inboxes of its workforce, and that it has put in place adequate staff training to assist employees in recognising potentially fraudulent scams or threats that still manage to make it through company systems.

One of a number of online frauds, ‘authorised push payment’ scams occur when fraudsters deceive consumers, or individuals at a business, into sending a payment under false pretences to a bank account controlled by the fraudster. This can involve hacking and intercepting email communication in order to impersonate third parties and so deceive the victim into authorising a transaction. According to the banking body UK Finance, £145 million was lost to authorised push payment scams in the first half of 2018.

Whilst we await the outcome of this litigation with interest, employers would be well advised to ensure that their contracts of employment, data protection policies and disciplinary procedures are reviewed and updated to reflect increased data security standards, particularly following the implementation of GDPR legislation in May 2018, and that appropriate cybersecurity and data protection training is put in place and delivered to all staff on an annual basis so that risks can be identified and managed as far as possible.

Louise McAloon is a Partner in Worthingtons Solicitors specialising in employment law. If you require advice in relation to contracts, policies and procedures or for details of staff training programmes available, Louise can be contacted on 02890434015 or
