Costly Email Scam Leaves Business Paying Twice: How to Protect Yours


A recent court case highlights the risks of Business Email Compromise, where scammers trick businesses into fraudulent payments. Learn what happened, who was liable, and how to protect your business.

Cyber scams targeting small businesses are on the rise, and one Australian company recently learned this the hard way. In Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114, a business email compromise (BEC) scam led to a $191,859 payment being sent to fraudsters instead of the intended supplier. The court ultimately ruled that the business that mistakenly sent the payment was still liable for the original invoice, forcing it to pay twice.

What Happened?

Mobius Group, an electrical contractor, had been working with Inoteq Pty Ltd on a project and had issued invoices for payment. Unknown to both companies, cybercriminals had gained access to Mobius Group’s email system.

Using this access, the scammers monitored email conversations between Mobius and Inoteq. At the right moment, they intercepted an invoice email and sent a fraudulent message to Inoteq, posing as Mobius. The email contained new bank details and instructions to transfer payment to the updated account, an account controlled by the scammers.

Thinking they were following legitimate instructions from Mobius, Inoteq processed the payment of $191,859 to the fraudulent account. The scam was only discovered weeks later when Mobius followed up about the unpaid invoice. By then, the stolen funds had already disappeared.

Inoteq argued that it shouldn’t have to pay the invoice again, as it had already sent the money, even though it went to the wrong place. Mobius, however, insisted that it had never received the payment and that Inoteq was still responsible for settling the invoice.

Who Was Held Liable?

The court ruled in favour of Mobius, finding that Inoteq was still legally responsible for paying the original invoice. The judge determined that the loss resulted from an external cyberattack, not from any fault of Mobius Group. Since Mobius had not actually received the money, the court found that Inoteq was still obligated to pay the full amount again.

This decision highlights a crucial point: if a business mistakenly transfers funds to a scammer due to a fraudulent email, it is still liable for the payment, meaning it could be forced to pay twice.

Why Does This Matter for Small Businesses?

These scams are a growing threat, and small businesses are often prime targets because they may not have the same level of cybersecurity as larger organisations. Scammers use tactics like email impersonation and invoice fraud to divert payments, and once the money is gone, it’s usually impossible to recover.

This case is a clear warning: just because you’ve sent a payment doesn’t mean your obligation is fulfilled if the funds end up in the wrong hands.

How to Protect Your Business

To avoid falling victim to this type of scam, take these simple steps:

  • Always verify payment details: If you receive an email requesting a change in bank details, pick up the phone and call a verified contact to confirm. Never rely solely on email.
  • Enable multi-factor authentication (MFA): This adds an extra layer of security, making it harder for hackers to access your email accounts.
  • Train your team: Educate employees about phishing scams and fraudulent emails so they know what to look out for. Solutions like My Business Cyber provide businesses with targeted cybersecurity training to help staff recognise and respond to cyber threats effectively.
  • Use email security tools: Spam filters and domain protection measures can help prevent scam emails from reaching your inbox.
  • Review your processes: Conduct regular checks on your financial security processes to ensure you’re not vulnerable to cyber threats.

Cybercriminals are getting smarter, but small businesses can stay one step ahead. Taking a few precautionary steps now can save you from a costly mistake in the future.

Need more help or information?

Click the link below to contact us at Plus 1.
