Invoice fraud - who bears the cost when a scam is successful?
Invoice scams, where a fraudster impersonates a legitimate supplier with a fake invoice and false bank account details, are a fact of the modern commercial landscape.
Security measures such as telephoning the supplier to confirm remittance details are now standard practice.
But who bears the loss if payment for a legitimate invoice is made to a fraudster’s bank account and is irrecoverable?
In a 2020 article we noted the absence of Australian authority on the point. Since then, two reported Australian decisions have altered that, the latest being Mobius Group Pty Ltd v Inoteq Pty Ltd, a decision of the District Court of Western Australia.
Background
Mobius Group completed electrical work for Inoteq and invoiced the company a total of $235,400.29 in March and April 2022.
A fraudster hacked Mobius Group’s email account and used it to send a fraudulent email to Inoteq noting a change in bank details. That email attached a sham invoice with the purported new details.
An Inoteq staff member called Mobius to confirm the details but was unable to do so because of a poor phone line.
Inoteq sent a follow-up email requesting proof, which the scammer intercepted and replied to from the Mobius Group email account, confirming the change.
Inoteq then transferred the payment, unknowingly, to the fraudster’s account.
When the fraud was discovered, Inoteq refused to make a second payment to Mobius Group, maintaining it had fulfilled its obligation by making payment, even if the funds were misdirected.
Mobius Group sued Inoteq for the unpaid sum, arguing that the contractual obligation to pay remained, despite the fraud.
The judgment
The Court held that Mobius Group owed no duty of care to take reasonable steps to avoid economic harm to Inoteq arising from unauthorised communications being sent from its email account.
While phoning Mobius Group to confirm the change to the banking details was clearly prudent, the Court said the call was inadequate in all the circumstances and should have prompted a subsequent call.
Further, Inoteq was better placed to take precautions to protect itself from the fraud than Mobius Group. While Inoteq may have been vulnerable to loss if Mobius Group’s email account was compromised, it had the ability to protect itself against that vulnerability. It failed to do so.
In squarely placing responsibility for the loss on Inoteq, the Court said: “This case is a salutary reminder for those paying money to ensure the veracity of any banking details provided.”
Takeaway
Councils make payments to a large number of suppliers in any given financial year. There is every prospect that a council will face multiple attempts at false invoicing.
Rigorous protocols, including phone calls, should be implemented to ensure banking details for payment provided by the supplier are genuine.
Otherwise, on current authority, in most cases the council will be liable for any payment made by a mistake induced by fraud.
Provisions might also be included in contracts to shift the risk to the supplier. However, in a standard form contract a council would need to make the provision as balanced as possible to avoid it being deemed an unfair contract term when dealing with a small business (annual turnover under $10 million).
As always, prevention is better than cure.
Author: David Creais
Read Council Connect April 2025 issue
This publication is intended as a source of information only. No reader should act on any matter without first obtaining professional advice.