In an increasingly digitalized world, businesses face new challenges from ever escalating  cyber threats, and the legal implications of these incidents are evolving alongside them. A recent case from the District Court of Western Australia has set a precedent that highlights the responsibility of businesses in verifying payment details and sets a legal precedent, . The case, involving Inoteq Pty Ltd and Mobius Group, underscores the need for vigilance in safeguarding against invoice fraud.

The Background of the Case

The incident began with an agreement between two companies: Mobius Group, an electrical contractor, was hired by Inoteq Pty Ltd to work on a Rio Tinto project. In March and April 2022, Mobius issued invoices to Inoteq for $235,400 for services rendered. What neither party realized was that hackers had already hacked  the email account of Mobius Group’s director, creating an opportunity for fraud.

On the day Inoteq intended to pay the invoices, the hackers, operating from Mobius’ compromised email account, sent fraudulent emails with updated bank account details. These emails appeared legitimate as they came from the CEO’s actual email address.

Inoteq’s Attempts to Verify the Change

Inoteq’s initial response to the fraudulent email was prudent. Recognizing the unusual nature of the request, a staff member called Mobius to confirm the updated bank details. However, the call could not be completed due to poor phone connectivity. Instead of persistingwith another follow up call, Inoteq relied on a follow-up email which was responded to by the scammers using the hacked email to confirm bank details.

Believing the matter to be resolved, Inoteq proceeded to transfer the funds to the fraudulent account. It was only a week and a half later, when Mobius inquired about the payment, that the scam was discovered. By then, most of the money had been transferred overseas, with only $43,541 recovered.

The Legal Precedent

Mobius initiated legal action against Inoteq to recover the outstanding $191,859. Inoteq argued that it should not be liable for the payment, citing an indemnity clause in its contract and alleging that Mobius had failed in its duty of care to protect its email systems from compromise.

The case hinged on the question of whether Inoteq’s actions—or lack thereof—were sufficient to meet its responsibility to verify payment details. Judge Gary Massey ultimately ruled in favor of Mobius, stating that while Inoteq’s initial telephone call was a prudent step, it was “inadequate in all the circumstances” and should have prompted a subsequent call to confirm the changes. By failing to take further action, Inoteq bore the responsibility for the fraudulent payment.

The Court’s Decision

Judge Massey’s decision required Inoteq to pay the unrecovered amount of $191,859, plus six percent annual interest. The ruling emphasized that while Mobius’ compromised email account enabled the scam, Inoteq was ultimately responsible for verifying the payment details before transferring a substantial sum.

Implications of the Case

This decision has significant implications for businesses across Australia, as it is likely to influence how courts handle similar cases in the future. It serves as a warning to companies about the importance of robust verification processes and proactive measures to prevent fraud.

Practical Lessons for Businesses

1. Double-Check Payment Requests: Even if a request appears to come from a trusted source, it is essential to confirm any changes to payment details through multiple channels. A phone call to a verified contact——is a critical and should be a compulsory step in this process.
2. Implement Cybersecurity Measures: Businesses must invest in robust cybersecurity to protect their systems from compromise. This includes measures like multi-factor authentication, regular password updates, and employee training to recognize phishing attempts.
3. Review Contracts and Terms: The court’s decision highlights the importance of clear terms and conditions in contracts. Businesses should consider including clauses specifying that payments will only be made to pre-approved accounts and detailing procedures for verifying any changes.
4. Train Staff on Fraud Prevention: Employees handling financial transactions must be trained to identify red flags, such as urgent or unexpected payment requests, and to follow strict verification protocols.

Broader Trends in Invoice Fraud

According to data from the Australian Competition and Consumer Commission (ACCC), false billing scams have increased significantly, with reports rising from 13,120 in 2020 to 39,587 in 2023. This growth reflects the increasing sophistication of scammers and the need for businesses to adapt accordingly.

Andrew Bower, a director at Solomon Hollett Lawyers, noted the unique nature of this case, as the fraudulent emails originated from a legitimate but compromised email account. This distinguishes it from cases where scammers use similar but slightly altered email addresses to deceive their targets. Bower emphasized the importance of businesses taking proactive steps to protect themselves, as courts are likely to hold them accountable for lapses in verification.

A Push for Systemic Change

In response to the rising threat of scams, the government has introduced draft laws aimed at protecting victims and improving compensation mechanisms. Banks are also working towards implementing measures like cross-checking account names before processing payments.

Commercial lawyer Marcus Ahern observed that the case is likely to prompt businesses to reassess their practices and contracts. Future contracts may specify that payments will only be made to designated accounts listed in the agreement, with no changes permitted without stringent verification processes.

Final Thoughts

The WA court’s decision in the Inoteq and Mobius case serves as a wake-up call for businesses across Australia. It underscores the importance of vigilance in verifying payment details, the need for robust cybersecurity measures, and the value of clear contractual terms. As scams become increasingly sophisticated, businesses must adapt to protect themselves and their clients from financial and reputational damage.

By learning from this precedent-setting case, businesses can better safeguard their operations against the growing threat of invoice fraud. Ultimately, the responsibility to prevent such losses lies with everyone involved in the payment process—a reminder that due diligence is not just a best practice but a legal imperative.

Reference: https://www.abc.net.au/news/2025-01-16/court-orders-inoteq-to-pay-190k-after-fraudulent-invoice/104783454