According to the Australian Banking Association, 250,000 cases of misdirected bank payment fraud cost Australian businesses an estimated A$320 million last year. Yet so far there have been relatively few decisions in Australian courts on the question of liability for misdirected bank payments. Just before Christmas last year, Australian cyber lawyers received an unexpected present: a decision on liability for bank payment fraud. Nicholas Blackmore looks at the decision and what it means for disputes about misdirected bank payments.
Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 (Mobius) involved a case of misdirected bank payment fraud, a species of fraud which is a growing problem for Australian businesses. While there are many variations, misdirected bank payment fraud generally works along the following lines:
- a hacker obtains unauthorised access to A’s email account;
- the hacker identifies a recent invoice sent by A to its customer, B;
- the hacker sends an email to B informing it that A’s bank account details have changed and providing a new set of details (which belong to an account accessible to the hacker);
- B pays the invoice; and
- A follows up with B some time later, requesting payment of the invoice, and the parties discover the fraud.
The hacker may send the email to B from A’s real email address or from a lookalike email address. While the latter approach creates a risk that B may notice the change in email addresses, it avoids the risk that A will notice unauthorised correspondence in its account.
In some cases, B will question the change of bank account details. If B questions the change by email, the hacker can simply respond by email, and will often engage in several rounds of correspondence to explain the change and ask B to proceed with payment as soon as possible. If B questions the change by telephone, SMS or other means, it will be speaking to the real A, and there is a good chance that the parties will discover the fraud before payment is made. However, there are cases where a lack of clear communication means that B still ends up making the payment.
If the fraud is discovered quickly after the payment is made, the bank may be able to recover some or all of the payment. However, it is common for some time to pass before A follows up the invoice, meaning that it is often too late.
If all or part of the payment cannot be recovered, an argument often ensues about who was at fault. B will often refuse to pay the invoice “again”, arguing that it has already done so and that the fraud was caused by the compromise of A’s email account. A may argue that B could have avoided the loss by verifying the change in bank account details by telephone before making the payment.
Given how common misdirected payment fraud is, it is perhaps surprising that Australian case law contains so few decisions on who bears responsibility for it.
Until now, the only Australian judgment that dealt with bank payment fraud was the Queensland District Court decision of Factory Direct Fencing Pty Ltd v Kong AH International Company Ltd [2013] QDC 239 (Factory Direct). Factory Direct involved a Chinese supplier whose email account had been hacked, leading to its Australian customer making a payment to the hacker. The court refused to impose a duty of care on the Chinese company to secure its email account, and instead concluded that the Australian customer should have taken reasonable steps to verify the payment details by telephone. Mobius is another District Court decision, this time from Western Australia.
The facts
The fraud in Mobius followed the typical pattern outlined above. Mobius performed electrical engineering services for Inoteq. In March and April 2022, Mobius had issued invoices to Inoteq for amounts totalling $235,400. The fraudster obtained unauthorised access to Mobius’s email account on 28 April 2022 and sent an email to Inoteq stating that Mobius’s bank details had changed, and attaching a fraudulent invoice containing new bank account details. Inoteq made a payment of $235,400 to the account specified in the fraudulent invoice. After the fraud was discovered, Inoteq’s bank was able to recover $43,541. Inoteq refused to pay the remainder of the amount owing to Mobius. Mobius commenced proceedings for the outstanding debt of $191,859.
An important issue in the case was the way in which Inoteq had attempted to verify the change of bank account details. After receiving the fraudster’s email, an employee of Inoteq had telephoned their contact in Mobius’s accounts payable department to ask whether Mobius’s bank account details had changed. The Mobius employee recalled telling the caller that Mobius’s bank account details had not changed. However, it was a bad line and Inoteq’s employee could not understand what Mobius’s employee was saying. Rather than calling again, the Inoteq employee then sent an email to Mobius’s email address asking for evidence to substantiate the change of bank details. This email was received by the fraudster, who provided a fraudulent letter from Mobius confirming the change.
Indemnity clause argument
First, Inoteq argued that the loss should be indemnified by Mobius under a clause in the contract between the parties which provided that Mobius must indemnify Inoteq against all loss “arising out of the performance or non-performance of the Services”.
The court rejected this argument. The court held that the loss had arisen out of the actions of the fraudster, not out of the performance of the services by Mobius. The court also noted that, while it could be argued that the loss had been caused by Mobius’s failure to secure its email account:
- the security of [Mobius’s] email account is a matter which relates to its own internal management and is unrelated to the performance of the Services.
While not every case will involve an indemnity, the court’s position that a party’s administration of its email security is distinct from its performance of services for a customer will be relevant to many contractual clauses which provide indemnity or limit liability for matters “related to or arising from the performance of services”.
Negligence argument
Second, Inoteq argued that Mobius owed a duty of care to Inoteq to take reasonable steps to secure its email account to prevent unauthorised emails from being sent from the account. It argued that Mobius had failed to put adequate security arrangements in place to prevent the fraudster accessing and misusing the account. It argued that Mobius should have foreseen that if it did not secure its email account, fraudulent communications may be sent and its customers may suffer losses as a result.
The court rejected this argument and refused to impose a duty of care on Mobius. It agreed with the court in Factory Direct that this was a novel duty of care and should only be imposed after a close analysis of the facts bearing on the relationship between the parties. It held that Inoteq had not provided adequate evidence as to how Mobius could have protected Inoteq and how costly that protection would have been, and that Inoteq was not in the type of vulnerable position required for imposing a duty of care.
Inoteq had called an expert witness on cyber security, who testified about the security measures which are available to secure an email account. However, the expert admitted that he was speaking in general terms, and that he did not have specific knowledge of Mobius’s IT systems, or whether it would have been practicable for Mobius to adopt additional security measures for its email systems, or whether any of those additional measures would have been effective in preventing the fraudster from accessing Mobius’s email account in this instance.
The court stated:
- I regard the absence of evidence as to how costly the protection would be and the practicability of its implementation in [Mobius’s] business as matters which weigh against imposing the duty of care claimed.
In response to these arguments, Mobius argued that Inoteq was in the best position to take steps to protect itself from fraud, by verifying the change in bank account details by telephone. It argued that when Inoteq encountered a bad line, it should have telephoned Mobius’s representative again, rather than just proceeding with the payment. The court agreed with this argument:
- Astonishingly, after making the telephone call and not being able to hear the answer to the crucial question it asked, no follow-up call was made before paying the money. [Inoteq] clearly had [Mobius’s representative’s] telephone number, and it would have taken little effort to make another telephone call and receive a clear answer to the question posed. That telephone call could have meant that the loss was avoided, these proceedings never occurred, and the fraudsters left unfulfilled... While it may have been vulnerable to loss if [Mobius’s] email account was compromised, it had the ability to protect itself against that vulnerability. It failed to do so.
Mobius is now the second District Court decision which has refused to impose a duty of care on a party to adequately secure their email systems, and has held that the other party should have protected itself by verifying the payment details by telephone.
Notice argument
Third, Inoteq argued that under the terms of its contract with Mobius, it was obliged to comply with a written notice from Mobius of a change of bank account details, and so it had had no option but to make the payment to the new bank account.
The court rejected this argument. It pointed out that the fraudulent emails were not actually sent by Mobius, and so the contract did not require Inoteq to comply with them. To the extent that Inoteq was arguing that it should be entitled to rely on any notice that was sent from Mobius’s email account, the court pointed out that Inoteq had taken steps to verify the change of bank account details by telephone, which suggested that Inoteq had some doubt that the email was in fact sent by Mobius, or at least knew that it was necessary to conduct some due diligence to check that it was. The court also pointed out that to accept Inoteq’s argument would amount to allowing Inoteq to be wilfully blind to the possibility that any email received from Mobius was fraudulent and to skip telephone verification entirely.
Apportionment of liability
Finally, Inoteq argued that liability should be apportioned between the parties under the Civil Liability Act 2002 (WA), on the basis that Mobius was a “concurrent wrongdoer” whose actions caused or contributed to Inoteq’s loss.
The court rejected this argument on the basis that it had concluded that there was no duty of care on Mobius, and that even if there was a duty, there was insufficient evidence to conclude that Mobius’s email account had not been adequately secured, and therefore had caused or contributed to Inoteq’s loss.
Conclusion
With Mobius, there are now two District Court decisions that have refused to impose a duty of care on a party to adequately secure its email systems, and have instead held that the paying party should have protected itself by verifying the payment details by telephone. District courts are relatively low in the court hierarchy, and so these decisions are not binding as precedent anywhere other than the lower courts in those two States. However, the cases are the first to consider the questions around liability for misdirected bank payment fraud, their reasoning is instructive, and they will at the very least act as a starting point for judicial reasoning on the issues.
We do not think that the decisions of the courts in Mobius and Factory Direct rule out the possibility that there is a duty of care requiring businesses to take reasonable steps to secure their email accounts. While such a duty may be novel, there are significant public policy arguments in favour of it. However, even if such a duty of care were recognised, a plaintiff would still be required to prove that the defendant had failed to meet the required standard of care.
This decision certainly demonstrates the difficulties that parties face in trying to prove that another party has failed to adequately secure its IT systems (whether in the context of an argument about imposing a duty of care, or about whether a party has failed to meet the required standard of care). Inoteq did call an expert witness on cyber security; however, that expert admitted that he did not have specific knowledge of Mobius’s IT systems, or whether it would have been practicable for Mobius to adopt additional security measures for its email systems, or whether any of those additional measures would have been effective in preventing the fraudster from accessing Mobius’s email account in this instance. To succeed in this argument, Inoteq would have had to provide specific expert evidence on each of these points, which would have required an in-depth understanding of the state of Mobius’s IT systems and available resources, and that understanding would have been difficult to obtain through the discovery process.
Mobius also highlights the importance of verifying change of bank account instructions by telephone. Regardless of whether higher courts follow Mobius in refusing to impose a duty of care, we think it is hard to disagree with the court’s view that telephone verification is a relatively simple step that a party can take to protect itself from the risk of fraud. If a party does not verify by telephone – or as in this case, begins to do so and fails to follow through – we expect that courts will be inclined to regard them as largely responsible for their own loss. This is partly attributable to the relative ease of telephone verification, compared to the difficulty of securing an email system. It is also much easier to prove in court that telephone verification was not done (or not done properly) than to prove that an email system was not adequately secured.
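The verification control the court describes can be enforced in an accounts payable system rather than left to an individual employee's judgement. The following is an added example (not code from the article, the court or either party) of a payee register that holds every bank-detail change pending until it is confirmed by a call to the telephone number already on file, treats an inconclusive call (the bad line in Mobius) as no verification at all, ignores replies over the same email channel that carried the request, and keeps an audit trail that would later show exactly what verification was attempted. All names, numbers and bank details in it are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class CallOutcome(Enum):
    """Result of an out-of-band telephone check of a change request."""
    CONFIRMED = "confirmed"        # payee clearly confirmed the new details
    DENIED = "denied"              # payee clearly said nothing has changed
    INCONCLUSIVE = "inconclusive"  # bad line, voicemail, ambiguous answer


@dataclass
class Payee:
    name: str
    bsb: str
    account: str
    phone_on_file: str  # captured at onboarding, never updated from an email


@dataclass
class ChangeRequest:
    payee: str
    new_bsb: str
    new_account: str
    channel: str                           # e.g. "email"
    callback_number: Optional[str] = None  # number offered in the request itself


class VerificationError(Exception):
    """Raised when a payment would go to unverified details."""


class PayeeRegister:
    def __init__(self, payees: List[Payee]) -> None:
        self._payees: Dict[str, Payee] = {p.name: p for p in payees}
        self._pending: Dict[str, ChangeRequest] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (utc timestamp, payee, event)

    def log(self, payee: str, event: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), payee, event))

    def has_pending(self, payee: str) -> bool:
        return payee in self._pending

    def receive_change_request(self, req: ChangeRequest) -> None:
        """Park the request; new details are never applied on receipt."""
        if req.payee not in self._payees:
            raise VerificationError(f"unknown payee {req.payee!r}")
        self._pending[req.payee] = req
        self.log(req.payee, f"change requested via {req.channel}; held pending verification")

    def record_same_channel_reply(self, payee: str) -> bool:
        """A reply over the channel that carried the request proves nothing: if that
        mailbox is compromised, the attacker is the one answering. Never counts."""
        self.log(payee, "reply received on requesting channel; not treated as verification")
        return False

    def record_phone_verification(self, payee: str, number_dialled: str,
                                  outcome: CallOutcome) -> bool:
        """Apply the change only on a clear confirmation obtained by calling the
        number on file. Returns True iff the new details are now active."""
        req = self._pending.get(payee)
        if req is None:
            raise VerificationError(f"no pending change for {payee!r}")
        rec = self._payees[payee]
        if number_dialled != rec.phone_on_file:
            # A number taken from the request or its attachments may belong to the fraudster.
            self.log(payee, f"call to {number_dialled} rejected: not the number on file")
            raise VerificationError("verification must use the telephone number on file")
        if outcome is CallOutcome.CONFIRMED:
            rec.bsb, rec.account = req.new_bsb, req.new_account
            del self._pending[payee]
            self.log(payee, "change confirmed by phone; details updated")
            return True
        if outcome is CallOutcome.DENIED:
            del self._pending[payee]
            self.log(payee, "change denied by phone; request discarded, suspected fraud")
            return False
        # INCONCLUSIVE: nothing changes and payment stays blocked until a clear answer.
        self.log(payee, "call inconclusive; change still pending, call again")
        return False

    def payment_destination(self, payee: str) -> Tuple[str, str]:
        """Details a payment may be sent to. Refuses while a change is unverified."""
        if payee in self._pending:
            raise VerificationError(f"unverified bank-detail change pending for {payee!r}")
        rec = self._payees[payee]
        return rec.bsb, rec.account


def replay_mobius_pattern() -> Tuple[PayeeRegister, bool]:
    """Replay the sequence of events from the article with constructed values.
    Returns the register and whether the payment was blocked at that point."""
    reg = PayeeRegister([Payee("Mobius", "000-000", "11111111", "+61 0 0000 0000")])  # constructed
    reg.receive_change_request(ChangeRequest("Mobius", "000-001", "22222222", channel="email",
                                             callback_number="+61 0 9999 9999"))  # constructed
    # First call to the number on file: bad line, answer not understood.
    reg.record_phone_verification("Mobius", "+61 0 0000 0000", CallOutcome.INCONCLUSIVE)
    # Emailing the same mailbox for "evidence" gets an answer from whoever controls it.
    reg.record_same_channel_reply("Mobius")
    try:
        reg.payment_destination("Mobius")
        return reg, False
    except VerificationError as exc:
        reg.log("Mobius", f"payment blocked: {exc}")
        return reg, True
```

In this model the only event that can move money to new details is a clear confirmation on a call placed to a number the business already held before the request arrived; a second call after a bad line is the expected path, not an optional extra. The audit list is the evidentiary record the article says is easy to produce for telephone verification: it shows which number was dialled, what the outcome was, and that a same-channel email reply was received but not relied upon.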