Employer fails in claim against credit controller for transferring £200,000 to fraudsters - Peebles Media v Patricia Reilly

A Court of Session judge has rejected a claim from Peebles Media to recover over £107,000 from a former employee, Patricia Reilly, after she made a series of online payments as the firm’s credit controller following fraudulent emails.


In 2015, Reilly received a fraudulent email claiming to be from the Pebbles Media managing director that requested £24,800 be transferred to another company. Reilly contacted her line manager who processed the payment whilst on annual leave, as she did not have authorisation to do so. Further emails were sent requesting larger amounts and Reilly processed these payments herself, only contacting her manager once for a PIN to access online banking. When doing so, Reilly received a fraud warning from the bank which she did not read.

Reilly was subsequently dismissed for gross misconduct and brought a claim for unfair dismissal, but did not continue with this. Pebbles Media recovered £85,265.98 from their bank and brought a claim against Reilly for the remaining £107,984.02, arguing that she breached her obligation to exercise reasonable skill and care as the emails were ‘obviously fraudulent’. Reilly argued contributory negligence on the part of her employer.


Employees have an implied obligation to exercise reasonable skill and care in the performance of their duties. The Scotland Court of Session ruled that Reilly did not breach this obligation. They held that even if she had read the fraud warning, they were not persuaded the outcome would be different.

The Court noted that Reilly’s manager was responsible for the first payment and allowed Reilly to use her bank security details; they were therefore unable to see how she can be said to have breached her obligation, as she sent the relevant details to a superior. The court also stated that although Reilly was not authorised to use online banking, her manager did not give clear direction that she should not do so and that she was at a significant disadvantage, by holding the fort for more senior colleagues.

The Court concluded that Reilly had not breached her contract. The Court did accept that she breached her obligation of reasonable skill and care when transferring funds from the invoice financing account to the current account as she did this on her own initiative. Unlike the other payments, she was not prompted to make this payment and had no authority to do so. The Court did not however consider that the money lost was a natural consequence of this breach and was instead ‘exceptional and unnatural’ as Reilly was ignorant of the fraud being perpetrated.

Importance for Employers

The nature of this type of fraud is known as whaling, which targets specific people in an organisation. In this case, an email was sent to a senior person within the organisation, if they are greeted with an out of office email, the fraudster will then create an email address containing the name of this senior person. A payment instruction is then issued to a junior member of staff, who like Reilly is unsuspecting as it appears to be from the absent senior colleague, and the payment is made.

Being aware of scams such as this is especially important for those managing finances within organisations. It is important therefore to be aware of the fraud related risks that could face your organisation, devise preventive measures, have training on fraudulent activity and implement reporting procedures in the event of fraud.

The law and practice referred to in this article or webinar has been paraphrased or summarised. It might not be up-to-date with changes in the law and we do not guarantee the accuracy of any information provided at the time of reading. It should not be construed or relied upon as legal advice in relation to a specific set of circumstances.

The Legal 500 - The Clients Guide to Law Firms

UK Chambers logo

Best Companies - One to watch logo

Cyber Essentials Certification Logo