Can you confirm your bank details please?
Invoice fraud is on the rise, and we are all increasingly aware that invoices sent by email can be intercepted, and bank details changed.
A recent Western Australian court decision has made it very clear that the responsibility for verifying payment information—and the consequences of paying into a fraudulent account—ultimately rests with the payer.
Mobius Group Pty Ltd v Inoteq Pty Ltd [2024]
On 20 December 2024, the District Court of Western Australia ordered Inoteq Pty Ltd to pay $191,859.16 to Mobius Group Pty Ltd. This was after Inoteq had already paid the invoice… but to a scammer’s bank account.
Mobius, an electrical contractor, provided services to Inoteq. In March and April 2022, Mobius issued invoices totaling $235,400.49. Around the same time, Inoteq received an email—seemingly from the Mobius director—advising of new bank account details and requesting that payment records be updated.
Unbeknownst to both parties, a scammer had gained access to the Mobius director’s email and sent the fraudulent message. The deception was sophisticated enough that the email appeared legitimate.
Inoteq did the right thing and attempted to verify the change by calling Mobius, but the call was unsuccessful due to a poor connection. Then they made a fatal mistake—they sent a follow-up email requesting confirmation. The scammer was of course still inside Mobius’ system and saw the email, and replied, confirming the false account details. Inoteq then transferred the full amount to the scammer’s account.
When Mobius followed up on the unpaid invoice a week and a half later, the scam was uncovered. Police were able to recover $43,541.13, but the remaining amount was still outstanding.
Mobius initiated legal proceedings to recover the balance. Inoteq argued that a clause in its contract with Mobius indemnified it against losses ‘arising out of the performance or non-performance of services’, and that this clause should cover the invoice fraud.
However, the court disagreed, finding the indemnity clause did not extend to third-party criminal activity like invoice fraud. The judge emphasized that email security is an internal operational matter, and extending indemnity clauses to include such risks—unless explicitly stated—would be commercially unworkable.
Although Inoteq’s initial attempt to verify the change was considered prudent, the judge found that the failed phone call ‘was inadequate in all circumstances and should have prompted a subsequent telephone call’. Ultimately, the court ruled that Inoteq failed to take reasonable steps to protect itself and ordered it to pay the remaining amount plus 6% annual interest.
Key Takeaways
This case echoes the 2022 ACT Civil and Administrative Tribunal decision in The Trustee for the DRB Group ACT Trust v Canberra Hydraulic Engineering Services Pty Ltd, where the tribunal held that payment into an incorrect account does not discharge the debt. The responsibility lies with the payer to ensure the payment goes to the correct recipient.
Although the Mobius decision is not strictly binding beyond Western Australia, it is likely to be highly persuasive across Australia and may set a precedent for similar cases.
The ruling also highlights two key lessons:
- Contractual indemnities will not be interpreted to cover losses from cybercrime unless expressly stated.
- Businesses must take proactive steps to verify payment details and secure their internal systems.
Our 5-Step Plan to Avoid Cyber Fraud Losses
- Review Your Contracts
Ensure your terms of trade address modern risks, including cyber fraud.
- Verify Payment Details Verbally
Always confirm bank details with someone you know from the organisation—don’t rely on contact details from the suspicious email itself, and don’t use email, which is likely to be intercepted by any scammer who has access to the system.
- Understand Your Financial Protections
Check your bank and insurance policies to see if they cover losses due to cybercrime.
- Implement Strong IT Practices
– Keep systems patched and updated
– Use antivirus software and firewalls
– Enable two-factor authentication
– Change passwords regularly and don’t reuse them
– Conduct periodic cybersecurity audits
- Train Your Team
Educate staff about cyber threats and keep them informed with regular security updates. Useful government resources include CERT Australia and Scamwatch.
How We Can Help
MV Law can assist by:
- Reviewing and updating your contract terms
- Advising on debt recovery or payment disputes
If you have questions about anything in this eBrief, please contact us. Our Litigation Team is here to help.