Hacking, Phishing and Spoofing in Cross-Border Supply Relationships

Enforcement of Purchase Price Claims in Cases of Manipulated Payment Information

Symbolic representation of a phishing attack via email in connection with purchase price claims and manipulated payment information in B2B commerce

Attacks on sensitive payment information may result in substantial purchase price claims from B2B supply contracts being paid into the wrong accounts. But can the purchase price still be enforced in court?

A. A hypothetical case

An accounting employee at a mechanical engineering company notices in mid-January, while reconciling the open items list, that the CNC milling machine delivered in mid-November and invoiced to the industrial client in northern Italy—an amount of EUR 1.8 million—remains unpaid. Communication, as usual, runs via e-mail between the sales representative of M-TEC GmbH and the purchasing department of the customer.

A call to the customer’s contact person leads to astonishment: they insist the invoice was paid on time. The e-mail instructing payment to a different bank account than the one stated on the original invoice seemed a little odd, but such things do happen.

During the subsequent review, in which both sides are on high alert, it is discovered that the Italian buyer had in fact received a convincingly forged e-mail, requesting payment to a different bank account from the one originally provided.

B. Legal assessment

A discussion about fault quickly develops, which may not always be entirely objective. It is worth analysing the legal implications, as the crucial question remains whether the seller in our example can still claim payment or not.

The first thing to recognise is that the framework for analysing such a case is identical to that of any other action for payment arising from the delivery of goods between business entities. A purely substantive legal analysis is typically not productive; instead, the central question is how a purchase price claim could be successfully enforced.

I. Competent court or arbitral tribunal

As in every other supply relationship, the question arises as to which court or arbitration tribunal has jurisdiction. Complex questions of international civil procedure law or the validity of arbitration clauses frequently arise here.

In our example—absent an arbitration or jurisdiction agreement—a payment claim would have to be brought before the courts at the Italian buyer’s seat pursuant to Article 4(1) of the Brussels Ia Regulation, unless, as we will assume here, jurisdiction can be established at the place of performance (Article 7(1)(b) Brussels Ia Regulation), as would be the case if the parties agreed on the Incoterms clause FCA. In this case, proceedings could be brought before a German court at the place of delivery (FCA).

II. Claim for “renewed” payment of the purchase price

Unless excluded by agreement, the German court would apply the CISG (UN Convention on Contracts for the International Sale of Goods), which has been ratified by both Germany and Italy. Art. 54 CISG imposes a clear obligation to pay the purchase price.

The central question, however, is whether the buyer has already fulfilled their payment obligation. Under current law, it is disputed whether this is to be assessed under CISG or under German law; there is, as yet, no conclusive position by the courts on this question. In practice and according to prevailing opinion, however, German law—especially the BGB—applies.

By now, German law—clarified by court decisions in these scenarios—gives a clear answer: transferring funds to a third-party account in response to manipulated payment instructions does not constitute fulfilment under Section 362(1) in conjunction with Section 185 BGB. This was already established by the German Federal Court of Justice (BGH) on 7 June 2001 (Case No. IX ZR 173/00), and was further specified by the Karlsruhe Higher Regional Court (OLG Karlsruhe, judgment of 27 July 2023, Case No. 19 U 83/22) with regard to phishing attacks. The Federal Court of Justice most recently confirmed these principles in its judgment of 8 October 2025 (Case No. IV ZR 161/24), even though that case was factually analogous rather than identical.

Thus, it must first be stated that payment to a third-party account does not discharge the obligation. However, this does not necessarily mean that the buyer must pay again: courts will, in such cases, examine whether the buyer may have a claim for damages under Section 280(1) BGB if the seller breached protective duties under Section 241(2) BGB. It therefore becomes crucial to establish exactly what happened. Did a third party hack into the seller’s systems? Was this a case of spoofing or phishing? Only here—at this stage—does a detailed factual investigation of the events become relevant. Issues of evidence and often technically complex factual determinations will arise as to whether the incident could have been prevented by the seller through better measures. Depending on the value in dispute, it may be worthwhile to investigate these aspects more deeply.

Conclusion

An incident like the one in our hypothetical case should prompt the following measures:

  • Even if not the main focus here, IT security measures should be reviewed.
  • Both seller and buyer should promptly file a police report and check whether the incident is covered by insurance and, if so, report the claim without delay.
  • In parallel, the seller should carefully assess the legal situation regarding payment of the purchase price and evaluate the prospects of successful litigation. On this basis, it may be possible to reach an understanding with the buyer. At this stage, the focus should be on classic commercial litigation, with IT-specific issues dealt with later.