Hacker accessed email system to alter bank account details, leading to significant financial loss
A Western Australian court has ordered Inoteq Pty Ltd to pay over $190,000 to Mobius Group after it fell victim to a sophisticated invoice scam involving a compromised email account.
The decision, handed down by the District Court just before Christmas, marks a significant outcome in the battle over who should bear the financial burden of such frauds.
The scam began in March and April 2022 when Mobius Group, an electrical contractor, sent invoices totalling $235,400 to Inoteq for work on a Rio Tinto project.
However, hackers gained access to Mobius's email system and sent fraudulent emails that appeared to come from the Mobius director, containing altered bank account details.
Inoteq staff were initially suspicious of the new information and attempted to confirm the change by calling Mobius, but the call was hindered by poor reception. Instead, they sent an email asking for confirmation, which was met with a response from the hacker.
Despite the initial suspicion, Inoteq went ahead and made the payment, sending the funds to the fraudulent account.
When Mobius later followed up on the payment, the scam was uncovered, and the police were alerted. The bank was able to recover $43,541.13, leaving $191,859.16 unpaid to Mobius.
In court, Inoteq argued that it should not be held liable, citing an indemnity clause in its contract and claiming that Mobius had failed in its duty of care by not securing its email accounts further.
However, Judge Gary Massey rejected this, emphasising that Inoteq could have taken more steps to protect itself.
"It would have taken little effort to make another telephone call and receive a clear answer to the question posed. That telephone call could have meant that the loss was avoided, these proceedings never occurred, and the fraudsters left unfulfilled."
"It had the ability to protect itself against that vulnerability. It failed to do so."
As a result, Inoteq's failure to properly address the suspicious email ultimately led to the court ordering payment of $191,859.16 plus interest.