All I want for Christmas is Cybersecurity

Current decision of the Supreme Court on contributory negligence in cyber attacks (OGH 3 Ob 161/25k)

What began with a Nigerian prince who wanted to give away his million-dollar inheritance has long since developed into a lucrative business for fraudsters. The Christmas season in particular is peak season for fraudulent messages and attacks, with cybercriminals attempting to exploit the pre-Christmas circumstances, such as an increase in Christmas greetings via email and online orders for Christmas gifts. From supposed messages from children about a lost cell phone to emails from the tax office about an alleged refund and fake messages from parcel delivery companies asking for delivery address updates – there are no limits to the creativity of criminals. Austria is also not spared from cybercrime, as can be seen from the cybercrime statistics of the Federal Ministry of the Interior. In 2024, 62,328 crimes were reported, but the number of unreported cases is probably much higher.

(Source: https://www.bmi.gv.at/magazin/2025_11_12/01_Cybercrime_Report.aspx).

A recent decision by the Supreme Court (OGH on October 28, 2025, 3 Ob 161/25k) on contributory negligence in connection with a cyberattack highlights the omnipresent danger of cyberattacks for companies and underscores the need for all parties involved in business transactions to be vigilant:

Facts

The parties to the court proceedings had already had a long-standing business relationship at the time of the cyberattack. In 2015, a fraudster altered the recipient details on payment instructions from the plaintiff and then forwarded them to the defendant company; as a result, the defendant transferred purchase prices totaling over EUR 750,000 to a third party instead of to the plaintiff. The plaintiff sought payment of the purchase prices it had not received. The courts divided the damages equally between the parties to the dispute and found equal contributory negligence on both sides.

How did this happen?

Contributory negligence of both parties to the incident

The plaintiff set the chain of events in motion by sending the payment instructions to a supposedly new email address of the defendant's managing director, an address that had in fact been supplied by the fraudster.

However, the mere fact that the recipient details on the payment instructions could only be manipulated because of this transmission to the fraudster is not sufficient to rule out contributory negligence on the part of the defendant. The defendant could still have prevented the fraud if it had inquired with the plaintiff about the conspicuous new circumstances, especially since the payment instructions had been sent not only with a changed payee but also from a new email address. The Supreme Court therefore held that both parties were at fault because “their organs did not attach any importance to the fact that the correspondence suddenly came from other (similar to those previously used) email accounts” (Supreme Court 3 Ob 161/25k, margin note 6). The OGH cites the disregard of essential security measures and control mechanisms as the basis for finding contributory negligence.

Practical tips from the decision

The following measures can minimize the risk of a cyberattack and the liability of companies and their management:

  1. Careful checking of the email sender: Cyberattackers often use fake sender identities (known as “spoofing”) to gain the recipient's trust. In such emails, the sender in the header is manipulated so that a seemingly familiar sender name appears in the inbox. Particularly in the case of payment instructions, account changes, or other unusual content, such as requests to click on links, you should always check whether the sender address displayed in the email program actually and exactly matches the sender address known to date.
  2. Critical questioning of changed conditions: Changes to payment details, account information, or other business-related information of a contractual partner should never be accepted without verification. Reputable companies do not normally change such data without prior official notification via the communication channels customarily used in business transactions. In addition, you can check the company website to see whether a new account has actually been announced; if in doubt, make enquiries via the channels that have been used and known to date.
  3. If in doubt, call to check: In the case of large transfer amounts, changes to email addresses, or other unusual circumstances, you should call your business partner to check. Such ad hoc inquiries must use the telephone number already on file, never the one newly announced in the suspicious email. In general, companies should have or create appropriate guidelines stipulating that compliance measures must be observed for transfers above a certain amount, such as the dual control principle and telephone validation of a recipient account.
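As an added illustration of the three checks above (not part of the decision or of KWR's advice), the following Python routine reviews a payment instruction against the vendor data known before the message arrived: exact sender match with lookalike-domain detection, a changed payee IBAN, and a dual-control threshold. The vendor record, the threshold and all addresses are constructed sample values.

```python
import difflib
from dataclasses import dataclass

# Constructed vendor master record: the contact data a company knows *before*
# a suspicious message arrives. All values are made up for this example.
KNOWN_VENDOR = {
    "email": "invoices@example-supplier.com",
    "iban": "AT611904300234573201",
    "phone": "+43 1 555 0100",
}
# Hypothetical policy threshold above which dual control applies.
DUAL_CONTROL_THRESHOLD_EUR = 10_000


@dataclass
class PaymentInstruction:
    sender: str        # the address in the From header, not the display name
    payee_iban: str
    amount_eur: float


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(candidate: str, known: str, threshold: float = 0.8) -> bool:
    """True if two domains differ but are confusably similar (e.g. one swapped letter)."""
    if candidate == known:
        return False
    return difflib.SequenceMatcher(None, candidate, known).ratio() >= threshold


def review_instruction(instr: PaymentInstruction, known: dict = KNOWN_VENDOR,
                       threshold: float = DUAL_CONTROL_THRESHOLD_EUR) -> list[str]:
    """Return the follow-up actions required before the transfer may be released.
    An empty list means nothing unusual was found."""
    actions = []
    sender = instr.sender.strip().lower()
    if sender != known["email"].lower():
        if is_lookalike(domain_of(sender), domain_of(known["email"])):
            actions.append("sender domain is a lookalike of the known domain: treat as spoofed")
        else:
            actions.append("sender address differs from the address on file")
    if instr.payee_iban.replace(" ", "").upper() != known["iban"]:
        actions.append(f"payee IBAN changed: confirm by phone on known number {known['phone']}")
    if instr.amount_eur > threshold:
        actions.append("amount above threshold: dual control and phone validation required")
    return actions


if __name__ == "__main__":
    # Constructed case mirroring the decision: similar-looking new sender plus changed payee.
    suspicious = PaymentInstruction("invoices@example-suppIier.com", "DE89370400440532013000", 750_000)
    for line in review_instruction(suspicious):
        print("-", line)
```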

Today's technical possibilities are both a blessing and a curse. Criminals have long recognized the potential of artificial intelligence and are using it for their own purposes. Criminals use cyberattacks to target not only companies' bank accounts, but also the crown jewels of many companies—their trade secrets. In our next blog post in the new year, we will focus on measures to protect trade secrets.

KWR's IT compliance team will be happy to assist you with any legal questions you may have regarding cybersecurity issues.
