Business Email Compromise:
Lessons from the Mobius v Inoteq case
Key takeaways
• It is the responsibility of the remitting party to verify they have the correct payment details prior to remitting funds.
• The compromised party may still owe a duty of care to take the appropriate steps to ensure their technology infrastructure is secure.
• Your payment procedures should include multiple forms of payment authentication.
• Review your terms of trade and contracts to ensure indemnity clauses explicitly address liabilities from criminal acts.

Introduction
Business email compromise (BEC) scams are a prevalent form of cyberattack that organisations must actively defend against. In essence, an organisation's email system is breached or impersonated, and the hacker monitors email traffic and sends fraudulent emails that appear to be legitimate.
A recent decision of the Western Australian District Court in Mobius Group Pty Ltd v Inoteq Pty Ltd highlights the significant financial and operational risks associated with business email compromise scams, and the need for proactive measures to verify payment details.
The Case Background
Mobius Group is a company based in Perth that provides integrated electrical instrumentation and control systems, primarily to the mining sector. In January 2022 Mobius was hired by Inoteq to perform work on a Rio Tinto project. Following the completion of the work, Mobius issued two invoices, one in March 2022 ($200,687.59) and one in April 2022 ($34,712.70).
Before payment, a hacker gained access to a Mobius director's email account and sent a fraudulent email to Inoteq, falsely claiming that Mobius’ bank details had changed. This email included a counterfeit invoice with altered bank account information. In the 2023-2024 financial year Australian businesses lost in excess of $84 million through this type of fraud, with the average loss of over $55,000 per incident.
When Inoteq attempted to verify the change via a phone call, the verification failed due to a poor connection, and no follow-up call was made. Instead, Inoteq relied on an email response, also from the compromised account, which included forged documentation confirming the new bank details. Based on this fraudulent confirmation, Inoteq transferred the funds to the hacker's account, which was quickly emptied and sent overseas. Less than $45,000 was recovered.
The fraud came to light when Mobius followed up on the payment, prompting a legal dispute over the unpaid amount of $191,859.
Court Findings
The Court ruled in favour of Mobius, holding Inoteq liable for the unpaid invoices, plus interest. Key findings included:
Verification Failures:
  • Inoteq's initial attempt to verify the account change via a phone call was reasonable. However, the failure to follow up after the poor connection and the reliance on the suspicious email response were deemed inadequate, highlighting the need for multiple independent verification techniques.
  • There was considerable emphasis on Inoteq being the paying party. The Court noted that, as the paying party, Inoteq was in the best position to protect itself from fraud by implementing robust verification measures.
Indemnity Clauses and Duty of Care:
  • The indemnity clause cited by Inoteq did not apply, as the fraud was caused by an external hacker and was not directly related to Mobius' contractual obligations.
  • The Court rejected Inoteq's argument that Mobius owed a duty of care to secure its email systems. The judge noted that even with reasonable cybersecurity measures, determined hackers could breach systems, and Inoteq failed to provide sufficient evidence to support its claim.
  • A duty of care to secure your email systems and the private and confidential information they hold may still apply in other cases.
Implications for Organisations
This case highlights the need for vigilance and proactive measures to mitigate the risk of BEC scams. Organisations can adopt the following strategies:
1. Procedural & Process Change Control: Implement stringent protocols for changing bank details and payment instructions, including mandatory in-person verification, waiting periods, and multi-level approvals. This is particularly relevant to the property sector, which is the main target for BEC scams.
2. Multifactor Authentication of Changes: Verify changes through separate communication channels, such as a known phone number or in-person meetings, rather than relying solely on email. Make gathering this information part of the onboarding for the new client or project.
3. Employees are the Frontline: These scams rely on inattention. Regularly train staff to recognise and respond to threat attempts, emphasising the importance of verifying payment details through multiple channels.
4. Review Contracts: Clearly define indemnity clauses in your terms and conditions to address liabilities arising from external criminal acts, ensuring there is no ambiguity in similar disputes.
5. Payment Security Platforms: Utilise third-party platforms designed to detect and prevent fraudulent payment requests.
6. Cybersecurity Measures: Implement comprehensive cybersecurity frameworks to reduce the risk of cyber incidents in general. This applies to all organisations: failure to meet industry, legislative or regulatory standards can result in a breach of duty. While no system is foolproof, reasonable measures can provide legal and practical safeguards.
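The change-control and out-of-band verification rules in points 1 and 2 can be encoded as a check that an accounts-payable system runs before any payment goes to new bank details. The example below is added here and is not code from the article, the court, or either company; its class names, the two-day waiting period and the two-approver rule are assumptions, and the sample data is constructed to mirror the failure pattern described above (a dropped verification call followed by reliance on an email reply from the same mailbox that requested the change).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ChangeRequest:
    supplier: str
    requested_via: str        # channel the change arrived on, e.g. "email"
    requested_at: datetime

@dataclass
class Verification:
    channel: str              # "phone", "in_person" or "email"
    from_onboarding_record: bool  # contact detail came from the supplier's onboarding record, not from the request
    completed: bool           # a dropped call is not a completed verification
    when: datetime

WAITING_PERIOD = timedelta(days=2)   # assumed cooling-off period before paying to new details
REQUIRED_APPROVERS = 2               # assumed number of distinct approvers

def evaluate_change(req, verifications, approvers, now):
    """Return (allowed, reasons); reasons is empty only when every control is satisfied."""
    reasons = []
    # The channel that carried the request is never trusted to confirm it: a reply on the
    # same mailbox, even with attached documents, proves nothing if that mailbox is compromised.
    independent = [v for v in verifications
                   if v.completed and v.channel != req.requested_via and v.from_onboarding_record]
    if not independent:
        reasons.append("no completed verification on an independent channel using onboarding contact details")
    if now - req.requested_at < WAITING_PERIOD:
        reasons.append("waiting period not elapsed")
    if len(set(approvers)) < REQUIRED_APPROVERS:
        reasons.append("fewer than %d distinct approvers" % REQUIRED_APPROVERS)
    return (not reasons, reasons)

def sample_scenarios():
    """Constructed data: first the failure pattern from the article, then the compliant version."""
    t0 = datetime(2022, 5, 1, 9, 0)
    req = ChangeRequest("Example Supplier", "email", t0)
    dropped_call = Verification("phone", True, False, t0 + timedelta(hours=1))
    email_reply = Verification("email", False, True, t0 + timedelta(hours=2))
    rejected = evaluate_change(req, [dropped_call, email_reply], ["alice", "bob"], t0 + timedelta(days=3))
    completed_call = Verification("phone", True, True, t0 + timedelta(days=1))
    accepted = evaluate_change(req, [completed_call], ["alice", "bob"], t0 + timedelta(days=3))
    return rejected, accepted
```

In the first scenario the payment is held even though two approvers signed off, because neither the dropped call nor the email reply counts as an independent completed verification.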
Conclusion
The Mobius decision underscores the dual responsibility of organisations to protect their payment processes and implement robust cybersecurity measures. While external factors such as hacking cannot always be controlled, clear verification protocols and employee awareness can significantly reduce vulnerabilities. Organisations must remain proactive to safeguard against the financial and reputational damage caused by BEC scams and other cyber incidents.