
29 June 2026
Protecting against online fraud: Contractual and compliance strategies after Logix Aero
Exploring Offshore Litigation
About
While some may think it odd to pursue an "innocent" counterparty for losses caused by fraud, Logix Aero Ireland Limited v Siam Aero Repair Company Limited demonstrates that such an approach is not doomed to fail, but the contract terms must do the heavy lifting in advance.
As we observed in our Offshore Litigation Blog post on the Logix Aero decision, a breach that merely provides the setting for a third-party fraud will not ground a claim in damages.
Online fraud is not going away. For any defrauded party considering seeking damages from a contractual counterparty, the key lessons from Logix Aero are clear: secure the right protections before signing and ensure internal protocols and conduct match those commitments.
As Phillips LJ confirmed in Logix Aero, a confidentiality clause protecting commercial information from competitors will not support a damages claim where loss is caused by payment fraud. The clause must target the risk.
To obtain protection against payment fraud, parties may wish to consider the following contractual protections:
Payment verification protocols: A clause requiring each party to verify bank account details and payment timing through a separate, pre-agreed channel (eg telephone confirmation to a known number) before making any payment. The clause should also stipulate that no change to bank details will be effective unless confirmed in writing by an authorised signatory and verified by call. These simple mechanisms would have prevented Logix Aero's loss entirely.
Indemnity for fraud losses: A mutual indemnity providing that, if one party's failure to comply with agreed security protocols results in the other suffering loss through third-party fraud, the non-compliant party will indemnify. A well-drafted indemnity sidesteps causation difficulties by creating a primary payment obligation.
Liability cap carve-out: Where a contract contains a limitation of liability, ensure losses arising from failure to comply with anti-fraud obligations are carved out from any cap if you want all losses to be recoverable.
IT security obligations: An express obligation to maintain reasonable IT security measures (such as multi-factor authentication and encrypted communications) to prevent unauthorised interception.
Notification obligations: A requirement to notify the other party immediately upon becoming aware of suspicious communications or a potential security breach, and to cooperate in any investigation or recovery efforts.
Securing robust contractual protections is only half the battle. Logix Aero makes it clear that a company whose team fails to follow reasonable anti-fraud protocols may find any claim against a counterparty undermined. Logix Aero's automated email system flagged the unfamiliar sender address with a warning, but the subtle change went unnoticed, and Logix Aero paid without independently verifying the bank details. Phillips LJ observed that, had the matter proceeded to trial, Siam Aero might have raised a defence of circuity of action, given that Logix Aero was itself in breach of the confidentiality clause (committing the first breach). As Heather Williams J observed at first instance, "both parties unwittingly enabled the fraud to take place".
Companies must ensure their internal procedures at least match their contractual commitments, and should do their utmost to ensure their staff are aware of, and know how to protect against, the latest operational risks:
Act on system warnings: If your email platform flags an unfamiliar sender or domain change, investigate before proceeding.
Verify bank details independently: Particularly if a contractual requirement, confirm account details through a separate channel before making any significant payment.
Train staff regularly: Ensure employees understand email interception risks, mitigation strategies and any specific contractual requirements.
Document compliance: Keep records showing verification protocols have been followed. Contemporaneous evidence...
As we observed in our Offshore Litigation Blog post on the Logix Aero decision, a breach that merely provides the setting for a third-party fraud will not ground a claim in damages.
Online fraud is not going away. For any defrauded party considering seeking damages from a contractual counterparty, the key lessons from Logix Aero are clear: secure the right protections before signing and ensure internal protocols and conduct match those commitments.
As Phillips LJ confirmed in Logix Aero, a confidentiality clause protecting commercial information from competitors will not support a damages claim where loss is caused by payment fraud. The clause must target the risk.
To obtain protection against payment fraud, parties may wish to consider the following contractual protections:
Payment verification protocols: A clause requiring each party to verify bank account details and payment timing through a separate, pre-agreed channel (eg telephone confirmation to a known number) before making any payment. The clause should also stipulate that no change to bank details will be effective unless confirmed in writing by an authorised signatory and verified by call. These simple mechanisms would have prevented Logix Aero's loss entirely.
Indemnity for fraud losses: A mutual indemnity providing that, if one party's failure to comply with agreed security protocols results in the other suffering loss through third-party fraud, the non-compliant party will indemnify. A well-drafted indemnity sidesteps causation difficulties by creating a primary payment obligation.
Liability cap carve-out: Where a contract contains a limitation of liability, ensure losses arising from failure to comply with anti-fraud obligations are carved out from any cap if you want all losses to be recoverable.
IT security obligations: An express obligation to maintain reasonable IT security measures (such as multi-factor authentication and encrypted communications) to prevent unauthorised interception.
Notification obligations: A requirement to notify the other party immediately upon becoming aware of suspicious communications or a potential security breach, and to cooperate in any investigation or recovery efforts.
Securing robust contractual protections is only half the battle. Logix Aero makes it clear that a company whose team fails to follow reasonable anti-fraud protocols may find any claim against a counterparty undermined. Logix Aero's automated email system flagged the unfamiliar sender address with a warning, but the subtle change went unnoticed, and Logix Aero paid without independently verifying the bank details. Phillips LJ observed that, had the matter proceeded to trial, Siam Aero might have raised a defence of circuity of action, given that Logix Aero was itself in breach of the confidentiality clause (committing the first breach). As Heather Williams J observed at first instance, "both parties unwittingly enabled the fraud to take place".
Companies must ensure their internal procedures at least match their contractual commitments, and should do their utmost to ensure their staff are aware of, and know how to protect against, the latest operational risks:
Act on system warnings: If your email platform flags an unfamiliar sender or domain change, investigate before proceeding.
Verify bank details independently: Particularly if a contractual requirement, confirm account details through a separate channel before making any significant payment.
Train staff regularly: Ensure employees understand email interception risks, mitigation strategies and any specific contractual requirements.
Document compliance: Keep records showing verification protocols have been followed. Contemporaneous evidence...