Key takeaways
- Indemnity clauses: Indemnity clauses will be construed strictly, and losses caused by third-party fraud are unlikely to fall within the scope of such clauses unless explicitly stated.
- Duty of care: Businesses are not automatically liable for losses caused by third-party fraud, especially where the victim (in this case, the Defendant) could have taken steps to verify the authenticity of the instructions.
- Verification of payment details: Businesses should implement robust verification processes for changes to payment details, particularly in high-value transactions. A simple follow-up phone call could prevent significant losses.
- Apportionment of liability: In cases involving third-party fraud, courts will carefully consider the actions of all parties before apportioning liability. The party in the better position to prevent the loss may bear the primary responsibility.
Recap on BEC Scams
As discussed in our previous articles regarding this topic, business email compromise (BEC) scams are growing in frequency and sophistication in Australia and internationally. A BEC scam is a form of cybercrime that occurs where a hacker gains access to a business email account to scam organisations out of money or goods. On 20 December 2024, the Western Australian District Court handed down a decision on BEC scams: Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 (Mobius v Inoteq). This article discusses the impact this case has on liability for loss caused by BEC scams.
Australian position prior to Mobius v Inoteq
Prior to Mobius v Inoteq, there was no Australian judicial authority on the treatment of BEC scams, and Australian lawyers speculated as to the position of Australian law, and which party would be held liable, by looking to United States and Canadian cases.1
These international courts based liability on duty of care principles and found that compromised businesses had breached their duty to ensure robust IT security by allowing fraudsters to compromise their IT systems. The international courts allowed victims to recover losses said to have been caused by that breach.
However, in general, Australian courts have been reluctant to widen the scope of existing duties of care and negligence. Academic and industry commentary speculated on other bases of liability, including examining the conduct of the parties and looking at which parties could have prevented the loss.2
Mobius v Inoteq background facts
Mobius Group Pty Ltd (the Plaintiff), an electrical engineering contractor, entered into an agreement with Inoteq Pty Ltd (the Defendant) to perform electrical works on a Rio Tinto project. The Plaintiff issued invoices for the work, but before payment was made, a fraudster gained access to the Plaintiff’s email account and sent a fraudulent email to the Defendant, instructing them to change the bank account details for payment. The Defendant paid the invoice amount ($235,400.29) to the fraudulent account, and the funds were subsequently transferred overseas. The Plaintiff sought payment of the outstanding amount ($191,859.16) from the Defendant, leading to this litigation.
The court addressed four key issues:
- Indemnity clause: Whether the Plaintiff was liable to indemnify the Defendant under the agreement for the loss caused by the fraudster.
- Duty of care: Whether the Plaintiff owed the Defendant a duty of care to secure its email account and prevent unauthorised communications.
- Notice of change in bank details: Whether the fraudulent email constituted effective written notice to change the Plaintiff’s bank account details under the agreement.
- Apportionment of liability: Whether the Defendant’s liability should be limited under the Civil Liability Act 2002 (WA).
1. Indemnity clause
The Defendant relied on clause 10.1 of the New Supplier Information (part of the parties’ agreement), which required the Plaintiff to indemnify the Defendant for losses arising out of the performance or non-performance of the Services (as defined in the agreement).
The Defendant argued that the loss arose from the Plaintiff’s failure to use IT security to secure its email account, which was used to send the fraudulent email. The Defendant argued that invoicing was an activity arising out of the performance of the Services, and that because the fraudulent email came from the email address nominated in the agreement, the loss was captured by the indemnity.
The court rejected this argument, holding that the indemnity clause did not extend to losses caused by third-party fraud. The loss arose from the fraudster’s actions, not from the Plaintiff’s performance or non-performance of the Services. The court emphasised that the indemnity clause should be construed strictly, and any ambiguity should be resolved in favour of the indemnifier.
The obligation to pay under the agreement remains unaffected by the indemnity.
2. Duty of care
The Defendant argued that the Plaintiff owed a duty of care to use IT security measures to protect its email account from unauthorised access, and that the Plaintiff’s failure to implement adequate security measures (such as multi-factor authentication) breached this duty, causing the Defendant’s loss.
The Defendant had made a call to the Plaintiff to check the change of bank account details, but the Defendant could not hear the Plaintiff due to a bad line. The court considered that the Plaintiff’s employee thought the Defendant was merely doing its due diligence and so saw no need to take any further steps after the call, particularly as he was not aware that the Defendant’s employee had not heard him.
Ultimately, the court found that no duty of care existed. While the Plaintiff could have taken additional IT security measures, the court noted that even the best security practices could not prevent a determined hacker. Importantly, the Defendant was in a better position to protect itself by verifying the change in bank details through a follow-up phone call. The court held that the Defendant’s failure to take these steps was the primary cause of the loss.
3. Notice of change in bank details
The Defendant argued that the fraudulent email constituted valid written notice under the agreement, and that it acted in good faith by paying the invoice to the new bank account. The court rejected this argument, holding that the fraudulent email did not constitute valid notice because it was sent by a third party, not the Plaintiff. The court emphasised that the Defendant’s own actions (such as the telephone call to verify the bank details) indicated that it had doubts about the authenticity of the email.
4. Apportionment of liability
The court considered whether the Defendant’s liability should be apportioned under the WA Civil Liability Act, which allows for the apportionment of liability among concurrent wrongdoers. However, the court found that the Plaintiff did not breach any duty of care, and therefore, the question of apportionment did not arise. The court noted that even if the Plaintiff had breached a duty, the Defendant’s failure to verify the bank details was the primary cause of the loss.
Conclusion and recommendations
The court held that the Plaintiff was entitled to payment for the work performed, and the Defendant was liable for the outstanding amount of $191,859.16. The court emphasised that the Defendant was in the better position to protect itself from the fraud by verifying the bank details through a follow-up phone call.
We recommend that purchasing organisations:
- include in purchase contracts an indemnity against loss suffered as a result of a breach of the seller’s IT systems by a fraudulent third party;
- include in purchase contracts a clause setting out a ‘hard coded’ payee bank account which can only be changed if personally verified;
- include in purchase contracts warranties that the seller has adequate IT security standards, such as ISO27000; and
- review their insurance policies to ensure they are covered for social engineering fraud.
We recommend that selling organisations ensure that they have adequate IT security standards in place, such as ISO27000, and undertake frequent penetration testing.
Finally, if you are unsure of what steps to take, seek legal advice.
This article was written by Bill Singleton, Partner and Lauren Neale, Solicitor.
1 Bill Singleton and Alexandra Trezise, ‘Business Email Compromise Scams – the Legal Position’, HWL Ebsworth Lawyers (Firm Insights, 30 June 2021) 1 <Business Email Compromise Scams – The Legal Position – HWL Ebsworth Lawyers>.
2 Bill Singleton and Kate Morrow, ‘Checks and Cheques – Practical Tips to Prevent Cybercrime in the Construction Industry’, HWL Ebsworth Lawyers (Firm Insights, 16 September 2024) 1 <Checks and cheques – practical tips to prevent cybercrime in the construction industry – HWL Ebsworth Lawyers>.