
Cyber Fraud and Email Scams: The Customer Pays the Price (twice)
Many businesses sensibly adopt the practice of making a phone call to verify bank details before making a large funds transfer. The consequences of failing to do this properly were illustrated in a recent case in the District Court of Western Australia, Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114. The decision demonstrates the Court’s approach to allocating responsibility and loss in situations of email fraud, where third-party scammers obtain payment for services, with the burden falling squarely on the customer.
The facts
The plaintiff Mobius Group Pty Ltd (Mobius Group) invoiced the defendant Inoteq Pty Ltd (Inoteq) for electrical services provided by Mobius Group.
A fraudulent third party obtained access to the email account of Mobius Group’s director Mr Harrington and sent an email from that account to Inoteq advising of a change of bank details and attaching a fake invoice with those changed details.
An employee of Inoteq telephoned Mr Harrington to confirm the change in bank details, but the employee was not able to hear Mr Harrington’s response. Inoteq sent a follow-up email to Mr Harrington’s (compromised) email address which referred to difficulties with the telephone line, and requested substantiation of the change of bank details.
The fraudster then sent a further email from Mr Harrington’s email address which attached a fake letter on Mobius Group letterhead which purported to notify a change of bank details.
Inoteq paid the invoiced amount into the fraudulent bank account, with the result that $190,000 was received by the fraudster and unable to be recovered.
Mobius Group sued Inoteq on the basis that it had not been paid $190,000. In its defence, Inoteq argued that Mobius Group failed in its duty of care to Inoteq to take reasonable steps to secure its systems and prevent unauthorised emails being sent from Mobius Group’s emails, and that the fraudulent emails should be viewed as effective notices from Mobius Group under the supply contract between the parties.
Summary
Even though the court in this case found that Mobius Group did not comply with a number of “best practice” procedures (discussed below) for cybersecurity, such as using multi-factor authentication (MFA), the evidence from Inoteq’s cybersecurity expert was that no precautions could have stopped a skilled and determined hacker.
Ultimately, the court found that the onus was on the payer, Inoteq, who was better placed to verify the payee’s bank account details, and Inoteq was required to pay $190,000 a second time.
Safety measures
In support of its breach of duty of care case, Inoteq led evidence from a cyber security expert, who gave evidence as to what steps Mobius Group could reasonably have been expected to take to prevent (or, more accurately, to minimise the chances of) fraudulent access to its computer system. Those practices included the following, which are recommended by the Australian Cyber Security Centre (ACSC):
- as a general statement: “The best defence against email scams is training and awareness for your employees, including how to identify scams or phishing attempts”;
- use of MFA for email, banking and all business critical online services;
- not permitting reuse of passwords across different websites or services, especially email and online banking;
- implementing policies, procedures and training to:
  - manage change of banking or payment details, which should include obtaining confirmation via a “known good” out-of-band medium – ie, a call to a known and previously used or verified phone number, not a phone number given in the potentially suspect email; and
  - train staff to recognise fraudulent requests (such as emails which do not contain personalised salutations or contain grammatical errors).
The expert also gave evidence that there had recently been an increase in “adversary-in-the-middle” attacks, in which an attacker intercepts the victim’s login session and against which MFA would not be effective.
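The ACSC practice described above (confirm a change of payee details only over a “known good” out-of-band channel, never via a number or an email reply supplied by the request itself) can be written down as a release check in an accounts-payable system. The following is an added example written for this article; it is not code from the judgment, from the ACSC or from either party. All names, bank numbers and phone numbers in it are constructed, and the request/verification record types are assumptions about how such a system might store its data. It also models the failure mode in this case: an inconclusive call followed by an emailed letter still leaves the change unconfirmed.

```python
"""Payee bank-detail change verification (added example, constructed data)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    CONFIRMED = "confirmed"
    DENIED = "denied"
    INCONCLUSIVE = "inconclusive"  # e.g. bad line, answer not heard


@dataclass(frozen=True)
class VendorRecord:
    """Master-file entry captured at onboarding, independently of any later email."""
    name: str
    bsb: str
    account: str
    verified_phone: str  # the only number that counts as "known good"


@dataclass(frozen=True)
class ChangeRequest:
    """An inbound request to change payee details; everything in it is untrusted."""
    vendor: str
    new_bsb: str
    new_account: str
    channel: str  # "email", "letter", ...
    contact_phone: Optional[str] = None  # a number supplied in the request itself


@dataclass(frozen=True)
class Verification:
    """A verification step that staff recorded before release."""
    channel: str  # "phone_callback", "email", ...
    number_dialled: Optional[str]
    outcome: Outcome


def release_payment(record: VendorRecord, request: ChangeRequest,
                    verifications: list) -> tuple:
    """Return (allowed, reason) for paying to the details in `request`."""
    if (request.new_bsb, request.new_account) == (record.bsb, record.account):
        return True, "no change in payee details"
    for v in verifications:
        if v.channel != "phone_callback":
            # Email replies are in-band: if the mailbox is compromised, so is the reply.
            continue
        if v.number_dialled != record.verified_phone:
            # A number taken from the request (or anywhere but the master file) is not known good.
            continue
        if v.outcome is Outcome.CONFIRMED:
            return True, "change confirmed on known-good number"
        if v.outcome is Outcome.DENIED:
            return False, "change repudiated by payee; treat as attempted fraud"
        # INCONCLUSIVE falls through: an unheard answer is not a confirmation.
    return False, "no conclusive out-of-band confirmation; hold payment and call again"


# Constructed scenario mirroring the sequence of events in the case.
SUPPLIER = VendorRecord("Example Electrical Pty Ltd", "000-000", "11111111",
                        "+61 8 0000 0000")
REQUEST = ChangeRequest("Example Electrical Pty Ltd", "000-000", "22222222",
                        "email", contact_phone="+61 8 9999 9999")


def case_scenario() -> tuple:
    """Callback to the known-good number is inconclusive; a further emailed
    letter is then received. The payment must stay on hold."""
    steps = [
        Verification("phone_callback", SUPPLIER.verified_phone, Outcome.INCONCLUSIVE),
        Verification("email", None, Outcome.CONFIRMED),  # the letter on letterhead
    ]
    return release_payment(SUPPLIER, REQUEST, steps)


if __name__ == "__main__":
    print(case_scenario())
```

The deliberate design choice is that `Outcome.INCONCLUSIVE` and any non-callback channel fall through to a hold rather than being treated as “probably fine”; the only path to release is a clearly heard confirmation on the number already held on the vendor record.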
The Court’s decision and key findings: no duty of care
In considering the breach of duty of care issues, the Court made the following findings regarding Mobius Group’s IT system:
- its servers were hosted online, and access to emails was password protected;
- Mobius Group did not use a number of “best practice” procedures which the cyber security expert witness recommended, such as use of MFA.
No evidence was presented as to how the fraudster hacked into Mr Harrington’s email account. A matter of importance was that the IT specialist conceded that there were no precautions which could be taken which would stop a hacker with sufficient skill and determination from breaking into a network. Therefore, even if Mobius Group had taken all reasonable, or even best-practice, safety measures, its email account could still be hacked into.
This led the Court to the conclusion that the asserted duty of care in this case did not exist. Ultimately, only a party in the position of the customer Inoteq was in a position to take measures to stop itself from being the victim of a fraud. In that regard, the Court was critical of Inoteq’s employee who made the telephone call to Mr Harrington and was not able to hear the answer to the crucial question seeking verification of a change in bank details, but did not make any follow-up call before Inoteq proceeded to pay the money.
The Court also did not accept the submission that the fraudulent emails could be considered to be a form of notice under the supply contract between the parties or could be treated as having come from Mobius Group. The steps which Inoteq took to verify the change of bank details, inadequate as they were, indicated a level of consciousness about the possibility of fraud and a concern about whether the fraudulent email had actually come from Mobius Group. The Court found that although the fraudulent email and invoice had come from the email address of Mobius Group, none of those emails were in reality sent by Mobius Group; they were sent by the fraudster. Inoteq was required to pay $190,000 a second time.
Key takeaways
The key takeaways from this decision are:
- a party making a payment (ie, the customer) is in a better position to protect itself from fraud than the supplier, notwithstanding that the fraud has occurred through the infiltration of or weaknesses in the supplier’s IT system or email account;
- the Court may not attach much weight to shortcomings in the supplier’s IT security on the basis that hackers may be able to access the supplier’s IT system or email even if recommended or best-practice security measures were in place;
- the onus is on the payer to verify the authenticity of the payee’s bank account details and any change of bank account notifications; if funds end up in the hands of a scammer, it is likely the customer will be required to pay the price a second time.
Watch this space
It is noteworthy that the Mobius Group case involved two companies. It remains to be seen how the Courts may respond in situations involving natural person victims and where other considerations come into play, such as breach of privacy laws or data breach reporting requirements.
A major piece of proposed legislation is now making its way through the Commonwealth Parliament – the Scams Prevention Framework (SPF) Bill 2024, which is currently at the second reading stage. The aims of the SPF include:
- the regulation of multiple industry sectors such as telco providers, banks and digital platform providers (whose services are frequently the medium through which scams are perpetrated);
- the imposition of governance, reporting and other compliance obligations on such regulated service providers in order to detect, prevent and disrupt scams;
- the protection of “SPF consumers” of such regulated services, which include natural persons or small businesses (employing fewer than 100 people) in Australia;
- the introduction of processes for dealing with customer complaints and compensation claims, including through an external dispute resolution (EDR) scheme.
MPH regularly advises clients in relation to debt recovery, consumer protection and commercial litigation and is available to assist at short notice. Should you have any questions regarding commercial litigation, please contact Nigel Pakes or Cheryl Sun on +61 (0) 8 9221-0033 or by email npakes@mphlawyers.com.au and csun@mphlawyers.com.au.