Cyber scammed – who is liable to pay after a fraudulent invoice and misdirected payment?

Insights | 21 Jan 2025

A District Court of Western Australia decision, in Mobius Group Pty Ltd v Inoteq Pty Ltd[1], provides some guidance on liability in relation to a misdirected payment of a fraudulent invoice due to a cyber incident. 

We consider the recent decision and its implication for Australian businesses and insurers.

Background

Mobius Group Pty Ltd (Plaintiff) is an electrical instrumentation and controls systems engineering consultant and installation contractor. In January 2022, the Plaintiff entered into an agreement with Inoteq Pty Ltd (Defendant) to perform electrical works in exchange for a fee on a project for the Defendant. The agreement, at least in part, included terms contained in a document headed New Supplier Information Form (Agreement).

The works were complete and an invoice in the amount of $200,687.59 was rendered on 27 March 2022, with a due date of payment of 26 April 2022. On 4 April 2022, a further invoice was rendered in the amount of $34,712.70. The first invoice was not paid and the Plaintiff sent a reminder by email to the Defendant.

Unbeknownst to the parties, an unknown third-party fraudster (fraudster) gained access to the Plaintiff’s email account. On 28 April 2022, the fraudster sent an email from the Plaintiff’s email account to the Defendant (fraudulent email) telling it to correct the Plaintiff’s bank account details as they had changed. The email attached an invoice with the purported new bank details.

On 29 April 2022, the Defendant paid the sum of $235,400.29 (the total of the two invoices) to the account nominated by the fraudster. 

Upon the fraud being discovered, the police were notified and the bank contacted. The bank was able to recover the sum of $43,541.13, meaning the balance of the invoices ($191,859.16) remained unpaid.

Issues

The key question in the matter was whether or not the Defendant remained liable to pay the sum of $191,859.16 to the Plaintiff. The Defendant’s defence and counterclaim set out what would be the main issues for determination.

The central issues were as follows:

  • was the Plaintiff liable to indemnify the Defendant under an indemnity clause in the Agreement?
  • did the Plaintiff owe the Defendant a duty of care to avoid economic harm to the Defendant arising from unauthorised communications sent from the Plaintiff’s email account, and, if so, was the Plaintiff in breach of that duty?
  • did the emails sent by the fraudster notifying of change of bank details constitute written notice to change the Plaintiff’s bank account details under the Agreement?
  • was liability apportionable under the Civil Liability Act 2002 (WA) (the Act)?

Evidence at trial

At trial, evidence was heard from the Plaintiff’s director, Mr Harrington, who was also the lead engineer. The Defendant called evidence from a cyber security expert, Mr Streefkerk (expert). Relevant email correspondence was also tendered.

The court made the following findings of fact.

  • After an employee of the Defendant received the fraudulent email on 28 April 2022, they telephoned Mr Harrington to confirm the change in bank account details. He replied that no, the details had not changed.
  • After the telephone call occurred, the Defendant sent an email to Mr Harrington asking for substantiation of the change in bank account details (eg notice letter, bank details on a letterhead). The Defendant’s email refers to there being a ‘difficulty with our line’ or connection during the telephone call.
  • Shortly thereafter, the fraudster sent a second fraudulent email to the Defendant enclosing a communication on letterhead fraudulently stating the change in bank account details. Payment was then processed by the Defendant.
  • Mr Harrington’s email account was hosted online and security measures for access were limited to the use of a password (no multi-factor authentication).
  • Mr Harrington did not send the fraudulent emails or fraudulent invoice. He thought the telephone call from the Defendant was part of its usual due diligence before paying a significant amount of money.
  • The Plaintiff did not use ‘best practice’ procedures as recommended in the expert’s evidence to protect the integrity of its email account, such as using multi-factor authentication.

Decision

Is the Plaintiff required to indemnify the Defendant under the Agreement?

Did the Plaintiff owe the Defendant a duty of care and, if so, was it breached?

Were the fraudulent emails notice of change of bank account details?

If the duty of care was breached, is the liability apportionable under the Act?

Decision

Implications

The decision provides guidance in terms of where potential liability may rest for social engineering and payment misdirection. Australian companies should take care to ensure they verify any purported change in bank account details from their vendors. On the facts here, the only independent check, a telephone call to the vendor’s director, produced a denial that the details had changed, yet payment was processed on the strength of a letterhead document sent from the very email account the fraudster controlled; substantiation that arrives through the same channel as the request is not verification. The judgment also provides a useful basis for entities seeking to recover unpaid amounts from buyers following payment misdirection.


[1] [2024] WADC 114.
[2] [2013] QDC 239.
[3] [2009] NSWCA 258.

Hall & Wilcox acknowledges the Traditional Custodians of the land, sea and waters on which we work, live and engage. We pay our respects to Elders past, present and emerging.