Opinion

Business email compromise and invoice fraud – a duty of care on the innocent?

Published: Jan 14 2025
The Western Australian District Court’s recent decision in Mobius Group Pty Ltd v Inoteq Pty Ltd [1] illustrates the potential consequences for the innocent party when fraudulent changes to bank details are sent from its compromised business email accounts. The decision shows that:

a) If a threat actor infiltrates your business email accounts, the Court’s decision does not rule out the possibility that you may be liable if that compromise could reasonably have been prevented. A reasonable cybersecurity program is essential to provide a legal defence if a threat actor uses your business email to perpetrate fraud against others.

b) The decision also confirms that if your business pays a fraudulent invoice in error, you may remain liable to pay the legitimate invoice (and so pay twice). A reasonable verification process is essential to protect against payment of fraudulent invoices, especially where bank account details are changed or a new vendor is being set up. The law’s view is that you must take reasonable steps to protect yourself from the risk of fraud.

Factual background

The plaintiff (Mobius) had issued invoices to the defendant (Inoteq), which had not yet been paid. A threat actor compromised Mobius’s business email and sent emails to Inoteq purporting to change payment bank details and attaching a fraudulent new invoice. Inoteq paid the amount owing to the new account, and the threat actor sent the money overseas.

Mobius then sued Inoteq for payment of its original legitimate invoice. In response, Inoteq sought repayment of the fraudulent invoice from Mobius. Ultimately, Inoteq was unsuccessful: it was ordered to pay the actual invoice and could not recover the erroneous payment from Mobius. It had to pay twice.

There were two issues that led to that conclusion:

  1. First, although Inoteq had attempted to confirm the change in bank details, its verification efforts had not gone far enough; and
  2. Second, Inoteq had not proven that Mobius had failed to adequately secure its email accounts.

An accounts payable issue – verification of changes in bank details

After Inoteq had received the fraudulent email, an employee of Inoteq called Mobius to verify the change in bank details. The phone connection was poor, and the employee could not properly hear the telephone call. Instead of calling back, the employee emailed seeking verification. The threat actor promptly responded by return email, attaching a fraudulent letterhead.

The judge was particularly critical of Inoteq’s conduct. Although it was “clearly prudent practice” for Inoteq’s employee to call to verify the change in banking details, the judge considered it “astonishing” and “inadequate” that, after making the call and not being able to hear the answer, no follow-up call was made. The employee’s decision to instead reply to the email address which had generated suspicion was “unwise”.

The judge found that although Inoteq was vulnerable to loss because Mobius’s email was compromised, Inoteq had the ability to protect itself against that vulnerability. In our experience, that protection is best achieved through a comprehensive process for verifying purported changes to banking details, using a contact channel that is independent of the email in question. In addition, training personnel about email compromise attacks and the need for out-of-channel verification is crucial. As the judge put it:

“This case is a salutary reminder for those paying money to ensure the veracity of any banking details provided”.

A cybersecurity issue – business email compromise

Inoteq argued that Mobius owed it a duty of care, which required Mobius to protect against unauthorised access from threat actors who might issue fraudulent invoices. In support, Inoteq adduced evidence from a cybersecurity expert, who gave evidence as to what reasonable steps should be taken at a general level.

But the expert had not been briefed to carry out a security assessment of Mobius, and there was no evidence as to how the fraudster had accessed Mobius’s email account. The Court also accepted evidence that, even if the recommended safety measures had been implemented, a “determined and skilful” hacker could still have got through.

On those bases, the Court found that the alleged duty of care did not apply to the case at hand. In our view, however, this conclusion should not be overstated. The Court did not find that such a duty of care could never apply: only that, on those facts, it did not apply. That is, the law does not prevent such a duty of care being found in other cases. What such a duty would require a party to undertake with regard to cybersecurity is likely to include an assessment of the “reasonable steps” needed to secure its email systems.

Although the risk that a threat actor will gain access can never be entirely eliminated, implementing a well-designed cybersecurity framework is essential. Invoice fraud continues to be a ripe area for threat actors and, as this case demonstrates, both parties bear risk if they fail to implement appropriate controls.

Footnote

1. Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114.
