
Be scam aware: Companies held responsible for verifying payment details they receive

13 March 2025

7 min read

#White Collar Crime & Regulatory Investigations

A recent decision handed down by the Western Australian District Court may have substantial ramifications for how fraud and invoice scams are treated. On 20 December 2024, Judge Massey delivered judgement in Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114, ordering Inoteq Pty Ltd (Inoteq) to pay more than $190,000 to Mobius Group Pty Ltd (Mobius) after it had paid money pursuant to a fraudulent invoice. 

This case will see companies held responsible for verifying any payment details they receive, ensuring they are vigilantly implementing and adhering to safety procedures when making payments.

On 21 February 2025, the Scam Prevention Framework Act 2025 (Act) came into effect, which aims to prevent and redress the losses suffered because of fraud. The introduction of this Act will have an impact on companies, who may face serious penalties for failure to comply with framework principles.

Background

Mobius is an electrical contractor that entered into an agreement to work with Inoteq on a Rio Tinto managed project. After completing the work pursuant to the agreement, Mobius issued invoices to Inoteq for $235,400 in March and April of 2022. Before Inoteq could make payment, unbeknownst to either company, a hacker had gained access to Mobius’ email account. On 28 April 2022, the hacker sent a fraudulent email from Mobius’ account, requesting that Inoteq update the details of Mobius’ bank account.

Unable to reach Mobius by phone to confirm the new details, Inoteq followed up with an email requesting proof of the bank change. After receiving fraudulent proof from the hacker, Inoteq proceeded with the full payment. When Mobius uncovered the scam, both the police and the bank were notified. The bank was able to recover $43,541, but Mobius did not receive the remaining balance.

Decision

Mobius brought a claim against Inoteq seeking repayment of $191,859.16 on the basis that Inoteq had not fulfilled its contractual obligation to pay the invoices for the services that Mobius had provided. Inoteq defended the claim, arguing that Mobius owed it a duty of care and that an indemnity clause covered fraud-related losses.

The issues for determination were:

  • whether Mobius was liable to indemnify Inoteq pursuant to the agreement
  • whether Mobius owed Inoteq a duty of care to avoid economic harm arising from an unauthorised communication sent from Mobius’ email account and, if so, whether Mobius was in breach of that duty
  • whether the emails sent by the fraudster on 28 April 2022 constituted effective written notice to change Mobius’ bank account details pursuant to the agreement
  • if Mobius breached any duty of care, whether its liability should be limited under the Civil Liability Act 2002 (WA).

The Court found that the fraudulent emails were sent from the email account of Mobius’ director, Mr. Harrington. However, he neither sent the emails nor instructed anyone else to do so. His email account was hosted online, with password protection as his only security measure. Mobius did not implement the ‘best practice’ procedure recommended by Inoteq’s cyber security expert, Mr. Streefkerk, such as using multi-factor authentication, to protect its email account.

The Court held that:

  • the indemnity clause provided that Mobius indemnify Inoteq against all damages, claims, expenses (including reasonable legal fees), losses or liabilities incurred directly or indirectly due to the performance or non-performance of services. The Court held that while generating and sending an invoice arises from the provision of services, the indemnity did not extend to losses resulting from a legitimately generated invoice. Additionally, the act of sending the fraudulent email was not conducted by Mobius and therefore could not relate to performance or non-performance of services
  • the Court found that the duty of care did not exist. While Inoteq was vulnerable to the fraudulent email, they also had the means of preventing the outcome. Inoteq recognised the dangers of paying into a newly nominated account based on an email and took steps to verify the change by calling Mobius. However, the Court found that relying on an email response – rather than making a follow-up call – was inadequate, particularly given the initial suspicion
  • the Court did not find that the fraudulent emails constituted notice of change of bank details under the agreement.

Ultimately, the Court ordered judgment in favour of Mobius in the sum of $191,859.16 plus interest.

Rising scams in Australia – how can businesses protect themselves?

This case is particularly relevant due to the increasing frequency of fraudulent scams. Data from the Australian Competition and Consumer Commission (ACCC) shows that these so-called false billing scams have surged in recent years, with reported cases increasing from 13,120 in 2020 to 39,587 in 2023.

False billing scams often impersonate legitimate businesses or use compromised business emails, highlighting the need for proactive and robust verification systems.

Businesses can protect themselves from similar fraud or cyber security threats by implementing the following measures:

  • use proper verification systems: Businesses are not automatically liable for losses caused by third-party fraud, particularly if the target could have done more to verify the payment instructions. Therefore, businesses should implement multi-layered verification protocols which cross-reference any change of details and require verbal confirmation for all financial transactions. These processes may also warrant further investment in cyber security measures
  • review contractual terms: Businesses should establish clear contractual terms which stipulate the conditions under which payments can be made. Consider introducing terms that specify payments can only be made to pre-approved accounts. Additionally, businesses should review third-party agreements as indemnity clauses will likely be construed narrowly and losses caused by third-party criminal acts are unlikely to fall within the scope of these clauses, unless specifically stated
  • provide additional staff training: Directors and executives are accountable for the decisions and outcomes of their staff. Ensuring that all staff are taught how to handle suspected instances of fraud will limit the liability faced by both the company and its directors.

How is Australia responding to the increase in scams?

The Scam Prevention Framework Act 2025 (Act) aims to combat the number of online scams that are targeting Australians and establishes the Scam Prevention Framework (SPF) which is now included as Part IVF to the Competition and Consumer Act 2010.

The SPF is designed to protect Australian residents (including those abroad), visitors to Australia and small businesses and will strengthen the work done by the National Anti-Scam Centre (NASC).

Under this framework, there are 6 principles that aim to prevent and redress the losses suffered because of fraud – governance, prevent, detect, report, disrupt, and respond (the SPF Principles). For example, the Act now imposes obligations on businesses to ensure actionable scam intelligence involving their services is reported and requires entities to share any scam intelligence with the ACCC to allow the regulator to efficiently disrupt scams on a larger scale.

The Act has divided the penalty provisions into two tiers, depending on the SPF Principle(s) contravened.

The maximum penalty for a tier 1 contravention for a body corporate (that being, a contravention of the prevent, detect, disrupt or respond SPF principles) is the greater of a fine of up to $52.7 million, 3 times the value of the benefit gained or 30% of the turnover in that period of the breach. An individual may face a fine of over $2.6 million.

The maximum penalty for a tier 2 contravention for a body corporate (of the governance or reporting SPF principle) is the greater of $10.5 million, 3 times the value of the benefit obtained or 10% of the turnover during the period in breach. An individual is liable for $528,000.

How we can help

We have a wealth of experience supporting businesses in white collar criminal law and fraud cases. If you have any questions or need assistance, please get in touch with our team below.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
