Business Email Compromise (BEC) Scams and the Mobius Decision

Business Email Compromise (BEC) scams continue to pose a significant threat to Australian businesses. With increasingly sophisticated tactics such as voice phishing and deepfake audio, even vigilant organisations with previously adequate cyber security and payment verification standards are vulnerable to foul play. Recent high-profile breaches, including the Qantas incident this past winter, highlight the growing prevalence of cyber-hacking and, in turn, a greater risk of loss for well-intentioned businesses caught in BEC scams.

Under Australian negligence law, businesses owe a duty of care to take reasonable steps to prevent foreseeable harm. In BEC scenarios, disputes often arise between the payer, who inadvertently made the payment to a bad-faith actor, and the hacked entity, whose data systems were compromised. The payer may argue that it is the hacked entity’s failure to maintain adequate cyber security which caused the loss, while the hacked entity may contend that the payer is liable for making the payment without sufficient verification.

Australian case law and regulatory guidance in this landscape have previously been relatively limited. However, the recent decision in Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 (Mobius) offers timely guidance on how Australian courts may assess liability in BEC-related disputes. In this case, Mobius’s email account was compromised, and a fraudulent invoice was sent to Inoteq. Inoteq paid the invoice without successfully verifying the bank details. Although Inoteq attempted to contact Mobius by phone, the verification was incomplete.

The court held that Mobius did not owe a duty of care to prevent unauthorised access to its email account. The judge noted that even robust cybersecurity measures may not deter a determined hacker. Instead, liability was placed on Inoteq for failing to adequately verify the payment instructions before transferring funds. The court emphasised that responsibility lies with the party best positioned to prevent the fraud. In making this determination, the court followed the approach commonly applied by courts in the USA, which generally place liability on the payer. This reflects the principle that making a payment is a deliberate act requiring positive action, whereas falling victim to a cyberattack may occur despite reasonable precautions.

This decision reinforces the importance of implementing and documenting robust verification procedures. Businesses should ensure that payment verification processes are regularly reviewed and updated to keep pace with increasingly sophisticated threats. Verification protocols should be clearly communicated to staff, with training provided to ensure consistent application. Multi-factor authentication, secure portals for payment instructions, and layered approval processes are now essential components of a sound risk management strategy.

As the threat landscape continues to evolve, risk protection remains a top priority. With major corporations falling victim to cyber breaches, businesses are strongly encouraged to review their internal procedures and ensure that verification processes are not only in place but are actively enforced. GrilloHiggins has experience advising clients who have fallen victim to BEC scams. Please contact a member of our team if you would like to discuss this evolving area.

This article was written with assistance from Meghan Dennehy, Foreign Qualified Lawyer.

Contact

(03) 8621 8886
dwoodford@grillohiggins.com.au