Lloyd's Maritime and Commercial Law Quarterly
DUAL CAPACITY BROKERS, SEEN THROUGH THE PRISM OF MAN-IN-THE-MIDDLE FRAUDS
Matthew McGhee*
There has been a recent spate of “man-in-the-middle” attacks against joint brokers, where a fraudster contacts a jointly-appointed agent seeking to divert fraudulently to themselves payments genuinely owed by one of the agent’s principals to the other. This has drawn into focus a lack of clarity as to how a joint broker’s dual capacity operates when passing messages between its principals. The question of capacity often determines which party bears the risk of this form of fraud. It is suggested that the correct analysis is that the agent first acts in its capacity as agent for a party from whom it receives a message, before “switching hats” and acting in its capacity as agent for the other party, to whom the agent then passes the message. This is of particular relevance in the shipping industry, where shipbrokers often act as jointly-appointed agents on behalf of both an owner and a charterer, and where the broker’s role includes the passing of communications between those parties. It is suggested that, following the analysis above, it is ordinarily the charterer who will bear the loss when the broker is duped by a fraudster and instructs the charterer to pay what turns out to be the incorrect (ie, the fraudster’s) account.
MAN-IN-THE-MIDDLE ATTACKS
There has been a recent surge in a form of fraud colloquially known as a “man-in-the-middle” attack. Targets of such frauds range from individual consumers to large multi-nationals. The mechanism of the fraud is as follows.
A fraudster creates one or more email addresses that are visually similar to those of one party—say, Party A—to a legitimate commercial arrangement. For example, Party A’s email address might be “operations@partya.com”, so the fraudster might create the address “operalions@partya.com” (ie, substituting an “l” for the “t” in “operations”). The fraudster then contacts Party A’s counterparty—say, Party B—using the visually similar email address, misrepresenting himself to be Party A. The fraudster hopes that Party B will not notice the change in the email address (which is apparent on the face of the email received by Party B) and will instead simply press “Reply” to the fraudster’s email. The fraudster can then continue to communicate with Party B, unbeknown to and to the exclusion of Party A. Generally the fraudster will seek to divert payments that Party B