'Whaling' in Singapore
Major Shipping & Trading Inc v Standard Chartered Bank (Singapore) Ltd [04.01.18]
Major Shipping & Trading Inc v Standard Chartered Bank (Singapore) Ltd is the first reported decision by the Singapore High Court regarding a social engineering scam known as ‘whaling’ or ‘spoofing’.
The case involved a claim in negligence by a Singapore shipping company against its bank. The bank had made several large remittances to unknown entities on the instructions of an imposter, who had sent them from the email account of the shipping company’s managing director without his knowledge.
The company sought to argue that there had been a number of ‘red flags’ in the contents of the emails and the circumstances under which they had been sent, and that these ought to have put the bank on notice that the payment instructions were not genuine. The court, however, found that there was insufficient evidence to make out a claim in negligence against the bank.
Payment instructions by email are convenient and all too common in the chartering business. This decision is a timely reminder of the risks involved in authorising banks to make payments against unverified email instructions – and of the relatively low standards of care expected of banks making the payments.
In 2011, documents had been executed by the shipping company to open an account with the defendant bank. The Account Opening Documents included the bank’s Standard Terms which contained the following standard clause:
“Instruction” means instructions in relation to any Account, Transaction or Service which:
(c) We believe in good faith has been given by an Authorised Person or are transmitted with such testing or authentication as We may specify.
4.6 Payment Instructions: …. You also authorise Us, any Bank Member or any third party who receives such Instructions to act on them as if You had sent the Instructions directly to them.”
In 2013, a third-party fraudster hacked into the company director’s email account and sent instructions to the bank to remit monies in four transactions worth US$1.8 million. The company subsequently discovered that these remittances had been made and sought to recover the monies from the bank on the basis that the remittances were not authorised and that the bank could not in good faith have believed that the instructions had been given by the company, given the “highly suspicious circumstances surrounding their receipt”.
The court held in favour of the bank and dismissed the claim, finding that the bank was not negligent and made the transactions in good faith.
The Singapore High Court held that the concept of ‘good faith’ incorporated a subjective requirement of acting honestly, and an objective element of a lack of gross negligence or recklessness by the bank. As such, the court had to consider whether the defendant bank was grossly negligent in believing that the plaintiff’s authorised personnel had issued the payment instructions.
The company argued that there had been a number of ‘red flags’ that would have put the bank on notice that the transactions were not genuine, such as:
- The frequency and quantum of the four instructions were “extremely high” and unprecedented.
- The instructions were to remit monies to beneficiaries and countries to which the plaintiff had not remitted monies before.
- The plaintiff’s name was misspelt as “Major Shipping & Tagging”.
- The purposes of the four instructions were not stated.
- The dates of the third and fourth instructions were erroneously stated as “24/6/3013”.
- The four instructions were sent to the bank by email before being faxed, contrary to the authorised personnel’s usual practice.
- The four instructions were faxed via eFax, which the authorised personnel had not used before.
The court found that the purported ‘red flags’ were insufficient to make the bank liable. The court further noted that given the number of transactions that banks are required to deal with on a daily basis, bank officers cannot be required to scrutinise every remittance instruction in detail.
The decision is significant to anyone who authorises their bank to make payments against email instructions. While email is a convenient and quick way of transmitting instructions, this decision illustrates how insecure it can be. The decision also confirms that banks are generally not expected to take on the responsibility of verifying the authenticity of email instructions.
Companies that currently issue instructions to banks by email should review their existing agreements/mandates with banks and consider if there are sufficient safeguards in place in terms of maximum limits for remittances (where instructions are given by email) and instruction authentication procedures. Companies should also review email security policies and training, in addition to adopting a more secure method of giving payment instructions.