Cyber scammed – who is liable to pay after a fraudulent invoice and misdirected payment?
A District Court of Western Australia decision, in Mobius Group Pty Ltd v Inoteq Pty Ltd[1], provides some guidance on liability in relation to a misdirected payment of a fraudulent invoice due to a cyber incident.
We consider the recent decision and its implication for Australian businesses and insurers.
Background
Mobius Group Pty Ltd (Plaintiff) is an electrical instrumentation and controls systems engineering consultant and installation contractor. In January 2022, the Plaintiff entered into an agreement with Inoteq Pty Ltd (Defendant) to perform electrical works in exchange for a fee on a project for the Defendant. The agreement, at least in part, included terms contained in a document headed New Supplier Information Form (Agreement).
The works were complete and an invoice in the amount of $200,687.59 was rendered on 27 March 2022, with a due date of payment of 26 April 2022. On 4 April 2022, a further invoice was rendered in the amount of $34,712.70. The first invoice was not paid and the Plaintiff sent a reminder by email to the Defendant.
Unbeknownst to the parties, an unknown third-party fraudster (fraudster) gained access to the Plaintiff’s email account. On 28 April 2022, the fraudster sent an email from the Plaintiff’s email account to the Defendant (fraudulent email) telling it to correct the Plaintiff’s bank account details as they had changed. The email attached an invoice with the purported new bank details.
On 29 April 2022, the Defendant paid the sum of $235,400.29 (the total of the two invoices) to the account nominated by the fraudster.
Upon the fraud being discovered, the police were notified and bank contacted. The bank was able to recover the sum of $43,541.13, meaning the balance of the invoices ($191,859.16) remained unpaid.
Issues
The key question in the matter was whether the Defendant remained liable to pay the sum of $191,859.16 to the Plaintiff. The Defendant’s defence and counterclaim set out what would be the main issues for determination.
The central issues were as follows:
- was the Plaintiff liable to indemnify the Defendant under an indemnity clause in the Agreement?
- did the Plaintiff owe the Defendant a duty of care to avoid economic harm to the Defendant arising from unauthorised communications sent from the Plaintiff’s email account, and, if so, was the Plaintiff in breach of that duty?
- did the emails sent by the fraudster notifying of change of bank details constitute written notice to change the Plaintiff’s bank account details under the Agreement?
- was liability apportionable under the Civil Liability Act 2002 (WA) (the Act)?
Evidence at trial
At trial, evidence was heard from the Plaintiff’s director, Mr Harrington, who was also the lead engineer. The Defendant called evidence from a cyber security expert, Mr Streefkerk (expert). Relevant email correspondence was also tendered.
The court made the following findings of fact.
- After an employee of the Defendant received the fraudulent email on 28 April 2024, they telephoned Mr Harrington to confirm the change in bank account details. He replied by saying no, they had not.
- After the telephone call occurred, the Defendant sent an email to Mr Harrington asking for substantiation of the change in bank account details (e.g. a notice letter, or bank details on a letterhead). The Defendant’s email refers to there being a ‘difficulty with our line’ or connection during the telephone call.
- Shortly thereafter, the fraudster sent a second fraudulent email to the Defendant enclosing a communication on letterhead fraudulently stating the change in bank account details. Payment was then processed by the Defendant.
- Mr Harrington’s email account was hosted online and security measures for access were limited to the use of a password (no multi-factor authentication).
- Mr Harrington did not send the fraudulent emails or fraudulent invoice. He thought the telephone call from the Defendant was part of its usual due diligence before paying a significant amount of money.
- The Plaintiff did not use ‘best practice’ procedures as recommended in the expert’s evidence to protect the integrity of its email account, such as using multi-factor authentication.
Decision
Is the Plaintiff required to indemnify the Defendant under the Agreement?
The Defendant relied on an indemnity clause contained in the Agreement. The clause states that the Plaintiff is to indemnify the Defendant against all damage, claims and expense, loss or liability of any nature suffered directly or indirectly by the Defendant out of the performance or non-performance of the services.
The Defendant submitted that a reasonable person would interpret the indemnity clause to provide an indemnity in this situation, because the Defendant paid money to an incorrect account as a result of the Plaintiff’s email account (which was designed for the purposes of contact between the Plaintiff and Defendant) being compromised.
The Plaintiff contended that the:
- indemnity did not cover loss arising from the fraudulent actions of a fraudster; or
- loss did not originate out of the performance or non-performance of services as defined.
The court found that, while the indemnity clause could apply in certain circumstances, it could not be construed in the way the Defendant contended. While the generating and sending of an invoice arises out of the performance of the services, the court did not accept that the indemnity extended to loss arising out of a legitimately generated invoice. The sending of the fraudulent email was not an act performed by the Plaintiff. It was therefore unrelated to the performance or non-performance of the services.
Did the Plaintiff owe the Defendant a duty of care? If so, was it breached?
The Defendant submitted that the Plaintiff had a duty of care to the Defendant to take reasonable steps to avoid economic harm to the Defendant arising out of unauthorised communications being sent from the Plaintiff’s email account.
The Defendant contended that:
- the Plaintiff failed to put in place security arrangements and access controls to prevent unauthorised emails being sent;
- it was reasonably foreseeable that if the Plaintiff did not exercise control over its email account then fraudulent emails could be sent and cause the Defendant economic loss;
- the risk of harm eventuated when the Defendant made payment to the fraudulent account; and
- the Plaintiff’s failure caused the payment by the Defendant to the account nominated by the fraudster.
The Defendant relied on the evidence of the expert to support a contention that the Plaintiff’s security over its email account was inadequate. The Defendant also submitted that the Plaintiff ought to have taken further steps to enquire what prompted the telephone call to verify bank account details in the first place.
The Plaintiff’s position was that a duty of care did not exist as the Defendant was able to take steps to protect itself from harm by verifying the bank account details by telephone. It was not vulnerable to harm from the Plaintiff’s conduct and no loss would have occurred had the Defendant adequately verified the change in bank account details over the phone.
The Plaintiff relied on the case of Factory Direct Fencing Pty Ltd v Kong AH International Company Ltd[2] (Factory Direct). In Factory Direct, the court considered the novel concept of a duty of care in the context of an email account where there has been payment misdirection.
The Plaintiff says that Factory Direct provides useful guidance. A relevant feature in that case was that the buyer was almost entirely able to mitigate the loss by telephoning to confirm the correct bank information with the seller before making payment. Given its novelty, the court considered the salient features or factors affecting the appropriateness of imputing a legal duty to take reasonable care to avoid harm or injury from Caltex Refineries (Qld) Pty Ltd v Stavar[3] (which relevantly includes vulnerability and foreseeability of loss).
The Defendant’s position was that Factory Direct could be distinguished for a number of reasons, including because the email account used in the relevant transaction was fictitious and the Defendant had called evidence as to steps that could have been adopted by the Plaintiff to protect itself or its email account from being hacked.
The court found that the duty of care claimed to exist by the Defendant did not apply to the circumstances of the case. While the Defendant may have been vulnerable to loss if the Plaintiff’s email account was compromised, it had the ability to protect itself against that vulnerability.
The Defendant failed to protect itself. While the court was satisfied that the Defendant could not hear Mr Harrington say there had not been a change in bank account details, the telephone call was inadequate and ought to have prompted a subsequent telephone call. Indeed, the Defendant recognised the dangers of paying to a new account nominated by email given this prompted the initial telephone call.
Further, while there were measures that could have been taken by the Plaintiff to protect its email account (including multi-factor authentication), the Defendant did not tender evidence as to the costs of any such precautions, nor the practicality of implementing such measures.
Finally, the court found that any loss by the Defendant is pure economic loss. Accordingly, reasonable foreseeability of its loss is not sufficient to create a duty.
Were the fraudulent emails notice of change of bank account details?
The court found that the fraudulent emails did not constitute notice of change of bank account details under the Agreement. The notice of that change was not genuine, and it was given by the fraudster.
If duty of care was breached, is the liability apportionable under the Act?
Given the court did not make a finding of duty, it did not make a finding on apportionment of liability. Further, the court was not in a position to find that the Plaintiff caused or contributed to the Defendant’s loss on the facts.
Decision
The court ordered judgment in favour of the Plaintiff in the sum of $191,859.16 plus interest.
Implications
The decision provides guidance in terms of where potential liability may rest for social engineering and payment misdirection. Australian companies should take care to ensure they verify any purported change in bank account details from their vendors. The judgment also provides a useful basis for entities seeking to recover unpaid amounts from buyers following payment misdirection.