The proof is in the message

Could you be hoodwinked by a fake email? We may comfort ourselves that we would be better than Malcolm Turnbull at spotting a bogus message, but David McGrath warns of the perils that await the unwary.

With detailed instructions available in the Internet to guide potential email fraud, it pays to examine very closely how you would establish the credentials of a message to a court.

Guarding your system against intruders who could access to your email accounts or mail server is one step, but fake emails can also be produced by a third party completely independently of your systems.

Effective fakes can be created by simply mocking up a printed document to look like a printed email. Fake emails, with fake sender names and headers can also be spoofed electronically.

Given that discovered documents in legal proceedings will in the first instance be copies, it is open to exploitation by this type of fake.

Thankfully, whilst faking an email might be easy, sustaining its authenticity in a court is an altogether more difficult proposition.

As the case of Rana v University of Adelaide (No 2) [2008] FCA 494 demonstrates, the first line of defence is to use your mail server logs to show that the email does not exist.

In that case, Rana alleged that the university sent an email to the South Australian police and others making false and serious criminal allegations against him. He annexed a printed copy of the email to his court documents. The email was alleged to have been sent by a university employee, Helen McIver, on 21 December 2007. McIver denied creating or sending the email.

The university called its IT security specialist who searched its mail server logs but only found two “out of office” auto response emails from McIver on the day in question, neither of which went to the email addresses alleged. There was other evidence casting doubt on the authenticity of the alleged email.

The university’s job was made easier when Rana failed to turn up for the hearing. Its evidence was not subjected to any scrutiny. As the judge noted, the only evidence was that the email was not authentic and he came to the conclusion that the email was not sent by the university. The case was dismissed and Rana ordered to pay the university’s costs.

Covering your tracks

In another case, the battle over the fake email was fought more fiercely. What is interesting is just how difficult it can be to for a forger to cover his tracks properly.

In PM Sulcs & Associates Pty Ltd v Oliveri [2009] NSWSC 456 the court had to decide whether two emails, central to the case, were authentic or fakes.

The directors of Sulcs and Associates were Mr. and Mrs. Hooper. Mr. Oliveri represented Mr. Hooper’s companies for around 10 years and evidently there was a friendship during that time.

In June 1998, times were good as Sulcs and Associates, with Oliveri at the legal helm, successfully sued Daihatsu for a multi-million dollar sum.

The good news story however turned sour when it came to payment of Oliveri’s fees. Clearly this contributed to a breakdown in their relationship.

When the matter finally came to court, Hooper claimed there had been an oral agreement that Oliveri was to be paid around 10% of the judgment sum after third party costs had been deducted, a sum of about $225K. Oliveri sought fees of $1.8M. This was calculated at the rate of $500 per hour, the same hourly rate charged by Hooper’s prior solicitors in the matter.

In support of his claim, Hooper produced emails between Hooper and Oliveri dated 1 November 2001 whereby Oliveri confirmed that “professional fees will be 10% of the net amount received by PMS after all other accounts have been paid”. Oliveri claimed these emails were fakes. Both parties engaged computer experts. Oliveri duly produced his laptop and office CD-ROMs for inspection but the emails were not found.

When it came to searching Hooper’s computer equipment, Hooper claimed that Oliveri had his computer. Furthermore, a hard drive which should have contained a backup of the emails had been discarded as it had been damaged. Although late in the proceedings, Hooper now added a fresh claim against Oliveri for the return of his computer. The judge wasn’t impressed.

Neither was the judge impressed by the fact that Hooper did not actually produce copies of the disputed emails to a third party (in this case a costs assessor) until April 2004.

The judge also found that Hooper had computer skills sufficient to fabricate the emails in question (an article from the internet showed how it could be done from a single computer) whereas Oliveri probably did not have sufficient skills to try to delete it.

Moreover, the judge found that the emails were at odds with the dealings between the parties. He made special note of the fact that there was a document dated 6 February, 2003 that showed they were still discussing the terms of a costs agreement.

Finally, the judge found it would be surprising that Oliveri would agree to such a deal when he entitled to have recovered well in excess of that amount simply by claiming Hooper’s party/party costs against Daihatsu.
These two cases reaffirm that whilst you can readily create a fake email it is far more difficult to perpetrate the fraud that the email supports.

So what is the procedure if you believe the other side has given you a fake email? Also, what precautions should you take do to ensure that the authenticity of your own emails is not open to question?
The next case illustrates the procedure perfectly. In NAK Australia Pty Ltd v Starkey Consulting Pty Ltd [2008] NSWSC 1142, NAK Australia sued Starkey Consulting alleging that, whilst engaged as a consultant, Mr. Starkey had diverted commercial opportunities to himself, and away from Nak.

Central to its claim was an email alleged to have been sent by Mr. Starkey to one of NAK’s suppliers or manufacturers. The email was electronically discovered to Starkey as a PDF file.

Starkey cried foul disputing the email’s authenticity and sought to inspect the computer from which the email had been recovered.
Starkey argued that the PDF could have been altered. Instead of ordering the inspection, the judge ordered discovery of the discovered emails in their original format.
NAK then upped the ante by further discovering, through its IT manager, a complete “snapshot” of the contents of Starkey’s computer at the time he completed his engagement.

The defendant’s renewed its request to inspect NAK’s computer systems.
Despite the fact that the hearing was looming, and evidence was closed, the judge granted the request saying that
where one party wanted to put into evidence a ‘snapshot’ of a computer that the other side was entitled to inspect it to (a) verify its accuracy and (b) see whether there was other material on it to put into evidence.

The inspection was to be carried out of using an independent computer expert aka a forensic examiner, retained by Starkey.

There are a couple of lessons here.
First, in order to examine the authenticity of an email, you will need to see the original. The forensic advice is to examine the email header. You will of course need an appropriately qualified forensics expert to conduct the inspection or analysis for you.

Second, always be prepared to have your own systems inspected. Unless it can be shown to be completely baseless, once an allegation of forgery or tampering is made, the court will be hard pressed to ignore it until the matter is finally determined at a hearing.

What this means for each organisation depends on its individual circumstances. Suffice it to say that most organisations which have not already considered how it could prove the authenticity of its emails, or disprove the authenticity of emails fabricated against it, would benefit enormously from the exercise.