Is an employer liable if an employee was scammed and the company lost money?
Generally, liability depends on whether the employee followed established procedures and acted reasonably — if adequate controls were in place and the employee disregarded them, the employee may bear some responsibility; if controls were inadequate, the employer's exposure may be greater.
Last reviewed: 10 June 2026
Explanation
Business email compromise (BEC) and CEO fraud are among the most financially damaging forms of corporate fraud. An employee receives a convincing email appearing to come from a senior colleague, supplier, or client and is instructed to transfer funds to a new account. When the fraud is discovered, the question of who bears legal and financial responsibility arises.
In employment law, an employee who follows a fraudulent instruction in good faith and within their normal scope of authority is generally not personally liable for the resulting loss — the loss falls to the employer. However, if the employee acted outside their authority, ignored clear fraud warning signs (such as new bank details without phone confirmation), or failed to follow explicitly established payment verification procedures, disciplinary or civil action against the employee is possible.
From a civil recovery standpoint, the employer's primary recourse is against the sending bank (under the APP fraud reimbursement rules that govern the sending bank's obligations) and potentially the receiving bank, as well as a claim under any cyber insurance policy. Many cyber insurance policies specifically cover BEC losses.
This is general information only. Employment law and corporate liability vary significantly by jurisdiction and by the specific facts of the incident. A solicitor specialising in employment or commercial law should be consulted.
Common red flags
- Payment instructions arrived by email only with no phone confirmation
- Supplier notified a change of bank details shortly before a large payment was due
- No two-person authorisation process was in place for high-value transfers
- The instruction came from an email domain with a subtle typo
- Staff were not trained in payment fraud verification procedures
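The typo-domain red flag above is the one item in this list that can be checked mechanically before a payment instruction is acted on. The following is an added example (not part of the original page, and not anyone's production tool) of a sender-domain screen: it takes a small constructed allowlist of supplier domains and reports whether an instruction's sender is a genuine match, an embedded or look-alike imitation (confusable characters such as "rn" for "m" or "1" for "l", or a small edit distance), or simply unknown. All domain names and addresses in it are constructed for illustration.

```python
import unicodedata

# Constructed allowlist of domains your suppliers are known to send from.
TRUSTED_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Common substitutions used to make a domain look like another one.
CONFUSABLE_SEQUENCES = (
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
)


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold confusable sequences so that
    visually similar domains compare equal."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in CONFUSABLE_SEQUENCES:
        text = text.replace(src, dst)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row Wagner-Fischer)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain_or_None, reason)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

    # 1. Exact match or a genuine subdomain of a trusted domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t, "exact match or subdomain of a trusted domain"

    norm = normalize(domain)
    closest, best = None, None
    for t in trusted:
        # 2. Trusted name used as a label inside an unrelated registered domain.
        if t in domain:
            return "lookalike", t, "trusted name embedded in an unrelated domain"
        # 3. Confusable characters or accents that resolve to the trusted name.
        if normalize(t) == norm:
            return "lookalike", t, "confusable characters resolve to a trusted domain"
        # 4. Otherwise remember the nearest trusted domain by edit distance.
        dist = edit_distance(norm, normalize(t))
        if best is None or dist < best:
            closest, best = t, dist

    if best is not None and best <= max_distance:
        return "lookalike", closest, f"within {best} edit(s) of a trusted domain"
    return "unknown", None, "no trusted domain resembles the sender"


# Constructed sample senders, as they might appear on payment instructions.
SAMPLE_SENDERS = [
    "ap@acme-supplies.example",                          # genuine
    "ap@mail.acme-supplies.example",                     # genuine subdomain
    "ap@acrne-supplies.example",                         # "rn" imitating "m"
    "ap@acme-suppl1es.example",                          # digit for letter
    "ap@acme-supplies.example.payments-update.example",  # trusted name embedded
    "ap@finance-portal.example",                         # not a known supplier
]


def screen_all(senders=SAMPLE_SENDERS):
    """Classify every sample sender; returns a list of (address, verdict)."""
    return [(s, classify_sender(s)[0]) for s in senders]


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, match, reason = classify_sender(sender)
        print(f"{verdict:9} {sender:50} {reason} ({match})")
```

A "lookalike" or "unknown" verdict is a prompt for the out-of-band phone confirmation the list above describes, not a substitute for it: a compromised genuine mailbox passes this check, which is why the two-person authorisation and phone callback controls matter independently of any automated screen.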
What to do now
- Report to the bank immediately and request an urgent recall of the funds
- Report to Action Fraud or your national fraud authority
- Preserve all emails and communication records as evidence
- Review your cyber insurance policy to check cover for BEC losses
- Notify your solicitor and, if personal data was involved, your data protection officer
- Implement two-factor payment verification procedures to prevent recurrence
Frequently asked questions
Can the employee be dismissed for falling for a BEC scam?
This depends on whether they followed established procedures and acted reasonably. Dismissal following a scam loss would need to meet the legal test of fair dismissal in your jurisdiction — gross misconduct may be arguable if the employee clearly deviated from explicit procedures, but dismissal purely for being deceived by a sophisticated fraud is unlikely to be fair.
Can the company sue the receiving bank for accepting fraudulent funds?
Increasingly, yes — both the sending and receiving bank share obligations under the APP reimbursement framework in the UK. The receiving bank has obligations not to facilitate fraud, and civil claims against receiving banks have succeeded in some cases. This is a developing area of law.