
Who Bears the Loss When a Scammer Intercepts Payment?

  • marcus11033
  • Sep 24

Updated: Oct 7

The case of Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114

 

Background

 

In Mobius Group Pty Ltd v Inoteq Pty Ltd, the District Court of Western Australia considered who bears the loss when a scammer hacks email communications and diverts payment.

 

Mobius carried out electrical works for Inoteq and issued invoices totalling $235,400. In April 2022, a fraudster hacked Mobius’ email account and sent altered invoices with ‘new’ bank details.

 

Before paying, an Inoteq employee telephoned Mobius’ director, Ryan Harrington, who said that Mobius’ bank details had not changed. Despite this, Inoteq claimed that it could not properly hear Mr Harrington and transferred the full amount to the fraudster’s account. Only $43,541 was later recovered. Mobius sued for the unpaid balance of $191,859.

 

The Court’s Decision

 

Judge Massey found in favour of Mobius as follows:

 

  • No indemnity: The contract did not shift liability for fraud to Mobius ([99]–[102]).

 

  • No duty of care: Mobius was not legally obliged in the circumstances to protect Inoteq from economic loss caused by a sophisticated cybercrime – particularly given that Inoteq was best placed to take measures to protect itself ([103]–[104], [151]–[160]).

 

  • Invalid notice: The fraudulent emails did not constitute effective notice of changed bank details in this case ([20(c)], [186]–[187]).

 

The Court ordered Inoteq to pay Mobius $191,859 plus interest.

 

The Telephone Call – Why it Mattered

 

The Court gave weight to the fact that Inoteq had actually called Mobius before making payment to the scammer and had been told that Mobius’ bank details had not changed ([29(p)], [60], [143]).

 

Despite this, Inoteq relied on a follow-up fraudulent email and proceeded to make payment. The judge rejected Inoteq’s claim that line issues meant the denial was unclear.

Ultimately, the Court held that Inoteq’s verification was inadequate. Faced with contradictory information, a reasonable payer should have escalated inquiries or required further confirmation before making such a significant payment ([143], [151]–[154]).

 

Key Takeaways for Business


  1. The payer typically bears the risk. Unless a duty of care and corresponding breach of that duty can be specifically shown in the particular circumstances of the matter, the odds are that the payer will bear responsibility for the situation.

  2. Email compromise doesn’t shift liability. A hacked email account does not necessarily create a duty of care on the supplier ([103]–[104], [128], [151], [153]–[159]).

  3. Verification must be meaningful. Simply making a call is not enough if you ignore the answer ([29(p)], [37], [60]).

  4. Certainty in commerce. Courts will protect the right of suppliers to be paid for legitimate invoices.

 

Practical Lessons

 

  • For payers (debtors):

      • Treat any request to change bank details as suspicious.

      • Verify changes using known, trusted contact details – not those in the email.

      • Escalate internally for large payments.

      • If still in doubt, consider sending a test dollar.

  • For suppliers (creditors):

      • Consider using multi-factor authentication (MFA) and cyber security best practice ([67]).

      • Warn clients in invoices and contracts that your bank details will not change without verified written confirmation.

  • For everyone:

      • Implement clear payment verification policies.

      • Train staff to spot red flags such as unusual requests, grammar errors, or urgent payment demands ([48(g)]–[48(h)]).

 

 
 