Beware Of Scams: Who Foots The Bill When A Scammer Succeeds?

Case Note: Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 - Heard before Massey DCJ on 9-11 September 2024, judgment delivered on 20 December 2024

As email fraud and scams become increasingly sophisticated, the recent case of Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 (Mobius Group) highlights the importance of individuals and companies being vigilant in taking steps to verify bank account information (including updates to billing information) provided by email.

This case demonstrates the potential legal and financial consequences of failing to take reasonable steps to verify bank account information provided from a compromised email account before making a payment. Ultimately, who bears the loss?


Facts

Mobius Group Pty Ltd (Plaintiff) is an electrical instrumentation and controls systems engineering consultant and installation contractor. In January 2022, Inoteq Pty Ltd (Defendant) agreed to perform electrical works in exchange for a fee payable by the Plaintiff. The agreement, at least in part, included terms contained in a document headed New Supplier Information Form (Agreement).

The Plaintiff undertook works pursuant to the Agreement, and rendered two relevant invoices (for the purposes of the proceedings) for payment by the Defendant.

Without the knowledge of either party, an unknown third party (Fraudster) gained access to the Plaintiff's email account. The Fraudster sent an email from the Plaintiff's email account to the Defendant (the Fraudulent Email) telling it to correct the bank details in the earlier invoices, as it said the Plaintiff's bank details had changed. That email attached an invoice with the purported new bank details (the Fraudulent Invoice).

An employee of the Defendant telephoned the Plaintiff after receiving the Fraudulent Email. The representative of the Plaintiff recalls informing the employee that the Plaintiff's details had not changed; however, the Defendant said there were issues with the quality of the call. The Defendant then sent an email to the Plaintiff seeking information to substantiate the change in details (such as a notice letter or the new bank details on letterhead).

The Fraudster, from the Plaintiff’s email address, sent the Defendant a further fraudulent email attaching a fraudulent letter purporting to be from HSBC Australia on their letterhead.

The Defendant then paid the sum of $235,400.29 to the account nominated by the Fraudster in the Fraudulent Invoice.

Upon the fraud being discovered, the police were notified and the bank contacted. The bank was able to recover only the sum of $43,541.13.

The Issues for Determination

The crux of the question before the Court was whether or not the Defendant was liable to pay the sum of $191,859.16 to the Plaintiff, which was broken down into four issues:

  • was the Plaintiff liable to indemnify the Defendant pursuant to the Agreement;
  • did the Plaintiff owe the Defendant a duty of care to avoid economic harm to the Defendant arising from an unauthorised communication sent from the Plaintiff's email account and, if so, was the Plaintiff in breach of that duty;
  • did the Fraudulent Email constitute effective written notice to change the Plaintiff's bank account details pursuant to the Agreement; and
  • if the Plaintiff breached any duty of care, should its liability be limited under the Civil Liability Act 2002 (WA) (the Act)?

Ultimately, the Court determined that the Plaintiff did work as required under the Agreement, rendered an invoice and was entitled to payment. Whilst the actions of the Fraudster are not justifiable, the Defendant was in the best position to protect itself against the fraud, and the Court made orders that there be judgment for the Plaintiff in the sum of $191,859.16.

Issue One - Indemnity

The Agreement included an indemnity from the Plaintiff to the Defendant against damages or losses arising out of the performance or non-performance of the Services (defined in the Agreement).

The Defendant argued that the indemnity extended to the invoices issued by the Plaintiff, as a result of the Plaintiff's email account (which was designated for the purposes of contact between the Plaintiff and the Defendant) being compromised.

The Court determined that the Plaintiff's rendering of an invoice fell within 'Services', but securing its email accounts did not. The subsequent actions of the Fraudster in hacking the Plaintiff's email account and sending the Fraudulent Email were caused by the Fraudster, and not the Plaintiff. On that basis, the Defendant's loss arose out of intervening events by an unknown third party, which did not fall within the indemnity.

Issue Two - Duty of Care

The Defendant argued that the Plaintiff owed a duty of care to take reasonable steps to avoid unauthorised communications being sent from its email accounts, and to implement security measures to protect its email account from unauthorised emails being sent, and that the Plaintiff breached this duty which resulted in the Defendant suffering loss.

The Court determined that, whilst the Defendant did make a telephone call to the Plaintiff to verify the change in details, the telephone call was inadequate in all the circumstances and should have prompted a subsequent telephone call, given the Defendant's employee was not able to hear the answer to their question whether the bank details had changed. The Court also determined that the Plaintiff could have taken steps to protect its email account, but there was no evidence before the Court to establish that the cost of those protections was justified, having regard to the practicability of implementing the measures given the size of the Plaintiff's business.

Ultimately, the Court found that the Defendant should have taken further steps (including a further telephone call) but instead paid a very large amount of money to the Fraudster. It was noted that no precautions could stop a hacker with sufficient skill and determination from breaking into a network, so ultimately only the Defendant was in a position to take measures to stop itself from becoming the victim of a fraud.

Issue Three - Change In Bank Details By Notice

The Defendant submitted that the details in the Fraudulent Email constituted a notice of change in details under the Agreement.

This argument was unsuccessful on the basis that the Fraudulent Email was, in reality, sent by the Fraudster and not the Plaintiff. It was also relevant that an inference was drawn that the Defendant had some doubts as to the legitimacy of the Fraudulent Email, given it called the Plaintiff after its receipt.

Issue Four - Limiting Liability

Sections 5AK(1) and 5AI of the Act allow the Court to limit the liability of a defendant where there are 'concurrent wrongdoers', to reflect that proportion of the damage or loss claimed that the court considers just having regard to the extent of the defendant's responsibility for the damage or loss.

As the Court found that no duty of care arose, and even if a duty had arisen it was not in a position to find that the Plaintiff had caused or contributed to the Defendant's loss, these provisions did not assist the Defendant.

Key Takeaways

Mobius Group is a timely reminder for all individuals and business owners to take greater responsibility for protecting themselves from the acts of fraudsters and scammers.

Whilst it is important that individuals and businesses take steps to protect their information systems and email accounts, everyone is at risk of having their systems compromised by sophisticated hackers. Accordingly, reasonable steps need to be taken to verify that changes to bank information are legitimate.

It is important that businesses have clear policies and protocols in place to verify details by phone and to ensure that additional steps are taken if required.

On this occasion, because it did not take adequate steps, the Defendant paid twice (less the sum the bank was able to recover), once to the Fraudster and then to the Plaintiff.

Simple steps are often sufficient to guard against such risks, such as making independent contact to determine whether a change of payment account is genuine. This requires using a telephone number obtained from a source independent of the documentation advising of the supposed account change.
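The callback control described in these takeaways, written up as an added example (not from the judgment or the firm): a constructed Python model of a supplier bank-detail change that is actioned only after a callback to the phone number held on the vendor master record, where a call whose answer could not be heard, as in the facts above, does not count as verification. All names, numbers and accounts are made up.

```python
"""Vendor bank-detail change control (constructed example, not from the case).
A request arriving by email, even from the supplier's genuine mailbox, is
actioned only after a callback to the phone number on the vendor master record.
Numbers printed in the request are never trusted, and an inconclusive call
(poor line, voicemail) does not count as verification."""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    CONFIRMED = "confirmed"        # supplier confirmed the new account
    DENIED = "denied"              # supplier said its details have not changed
    INCONCLUSIVE = "inconclusive"  # answer not heard, no answer, voicemail


@dataclass
class Vendor:
    name: str
    phone_on_record: str  # captured at onboarding, independent of later emails


@dataclass
class ChangeRequest:
    vendor: Vendor
    new_account: str
    numbers_in_request: frozenset  # contact numbers printed in the email/letter
    callbacks: list = field(default_factory=list)  # (number_dialled, Outcome)

    def record_callback(self, number: str, outcome: Outcome) -> None:
        self.callbacks.append((number, outcome))


def decide(req: ChangeRequest) -> str:
    """Return 'approve', 'hold' or 'reject' for the requested change."""
    # Only calls to the independently held number count; a number lifted from
    # the request itself would be answered by whoever wrote the request.
    trusted = [o for n, o in req.callbacks if n == req.vendor.phone_on_record]
    if Outcome.DENIED in trusted:
        return "reject"  # supplier disowns the change: treat mailbox as compromised
    if Outcome.CONFIRMED in trusted:
        return "approve"
    return "hold"  # unverified: no call, or only inconclusive/untrusted calls


def audit_findings(req: ChangeRequest) -> list:
    """Flag callbacks placed to numbers supplied by the request itself."""
    return [n for n, _ in req.callbacks if n in req.numbers_in_request]
```

A payment run should release the new account only on "approve"; "reject" is the signal to notify the supplier through the same trusted channel that its mailbox may be compromised.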

Thank you to Andrew Freeman, Solicitor, for his valuable research and assistance with this article.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.