Payments to the wrong account: Supreme Court decision on liability

Who is liable if payments are made to the wrong account? In a recent decision, the Supreme Court of Justice (OGH) dealt with a case in which a third party provided a false account number via a forged email – a practice known as email spoofing – and the debtor then transferred money to this account.

The plaintiff, a French company, concluded a contract for the supply of goods with the defendant, an Austrian company. Although the French company's invoices stated a French bank account, the transfer failed. An inquiry by the defendant revealed that these were the correct account details. Shortly thereafter, the Austrian defendant received an email, supposedly from the plaintiff, requesting the invoice amount to be transferred to a different, now German, account. Since the name of the new recipient did not match that of the plaintiff, the defendant inquired by email. The reply was that it did not matter which recipient name was specified in the transfer. The transfer failed again, and the defendant was informed in another email, supposedly from the plaintiff, that the transfer had been reversed due to an error. At the same time, it was provided with a Belgian bank account, to which the defendant then successfully transferred the money. In fact, however, this was an "email spoofing" attack by unknown third parties. The defendant thus transferred the money to a fraudulent account. When the French plaintiff later demanded payment to the originally agreed account, the defendant refused, stating that it had already paid.

Email spoofing is a method in which the sender of an email is spoofed in order to deceive the recipient about the sender's true identity. The goal of such attacks can be to trick the recipient into clicking on a link, opening an attachment, or transferring money to fraudsters by sending invoices with fake account information. The Supreme Court (OGH) was faced with the crucial legal question of who bears the risk of a payment being misdirected by fraudsters.

The court of first instance and the court of appeal initially ruled in favor of the plaintiff: The Austrian defendant had legally never paid into the plaintiff's account and, pursuant to Section 907a, Paragraph 2, last sentence of the Austrian Civil Code (ABGB), bore the risk of losing the sum because the plaintiff had not changed the bank details. It would exceed the contractual duty of care if the plaintiff were required to prevent all conceivable fraudulent methods in its computer and email system. Simply put, the plaintiff could not be held responsible for this. The Supreme Court (OGH) clarified that the change in account details could not be attributed to the plaintiff because the fraudulent email originated from a third party. Analogous attribution under Section 863 ABGB was ruled out because there was no attributable legal presumption for apparent authority. Regarding the assumption of risk, the OGH emphasized that in the case of a debt to be paid at the time of performance, the debtor's payment is only deemed to have been made upon receipt by the creditor or upon receipt in the creditor's account. The exception under Section 907a, Sentence 2 of the Austrian Civil Code (ABGB) only applies if the creditor actually changes the account. Even possible technical negligence on the part of the plaintiff in protecting against fraudulent attacks does not constitute immorality or a breach of trust in the claim. The defendant was therefore entitled to rely on the account originally agreed upon and stated on the plaintiff's invoices.

This decision makes it clear that unusual payment requests – especially with a different account holder, foreign account or missing signature – must be critically examined and, in case of doubt, the contractual partner should be consulted before payments are made.

Supreme Court 14.01.2025, 8Ob121/24p

12.03.2025
