Customer Ultimately Responsible for Email Fraud Originating From Service Provider’s Account
In December 2024, the District Court of Western Australia delivered judgment in Mobius Group Pty Ltd v Inoteq Pty Ltd,[1] finding that Inoteq Pty Ltd (Customer) was liable to pay $191,859.16 to Mobius Group Pty Ltd (Service Provider), following a fraudster gaining access to the Service Provider’s email account and providing fraudulent payment details to the Customer.
This case has significant implications concerning customer liability for payments made, even when the customer’s email systems have not been compromised.
Background
In January 2022, the Service Provider entered into an agreement with the Customer for the provision of electrical works (Agreement). In accordance with the Agreement, the Service Provider subsequently issued invoices totalling $235,400.29.
Before the invoices could be paid by the Customer, the fraudster accessed the Service Provider's email account and provided to the Customer the details of the fraudster’s bank account (Fraudulent Email).
Under the mistaken belief the Service Provider had provided new bank details, the Customer paid the full amount into the fraudster's account. Only $43,541.13 was recovered by the bank and the remaining $191,859.16 was unrecoverable (Unrecovered Payment).
The Service Provider sought payment from the Customer of the Unrecovered Payment owing under the invoices.
Three key issues were considered in this case:
(a) whether a contractual indemnity clause indemnifies the Customer for the Unrecovered Payment when the loss was caused by fraudulent activity originating from the Service Provider’s email account;
(b) whether the Service Provider owed a duty of care to the Customer to take reasonable steps to avoid loss arising from unauthorised communications from the Service Provider’s email account; and
(c) whether the Fraudulent Email constituted ‘notice’ of a change of bank details pursuant to the Agreement, thereby requiring the Customer to make payment accordingly.
Scope of indemnity clause
The Agreement required the Service Provider to indemnify the Customer for any loss or damage arising from the performance of the services defined in the purchase order (Services).
The Customer submitted that their loss, due to the Unrecovered Payment from the Fraudulent Email, fell within the scope of the indemnity clause under the Agreement.
The Service Provider had legitimately invoiced the Customer. While invoicing was deemed a Service, the Court declined to extend the indemnity clause to losses arising from a legitimately rendered invoice. The Court considered it would be untenable for the Service Provider to be liable for loss suffered from payments made by the Customer on legitimate invoices. In any event, the loss did not arise from the legitimately rendered invoices.
The Court then considered that security of the Service Provider’s email account was unrelated to the performance of Services under the Agreement since it relates to internal management. Further, the Court found that the third party’s fraudulent use of the email account did not have anything to do with the performance of Services, and accordingly, the indemnity could not extend to loss and damage caused by the compromised email account.
Ultimately, the loss arose from the intervening fraudulent event and not from the Services, so the indemnity did not apply.
Duty of care
The Customer submitted that they were not liable to pay the Unrecovered Payment because the Service Provider owed a duty of care to the Customer to take reasonable steps to avoid loss arising from unauthorised communications from the email account.
Weighing against the imposition of a duty, the Court considered the fact that the Customer was not vulnerable to harm from the Service Provider’s conduct because it had the ability to take steps to protect itself by verifying the bank details.
In fact, an employee of the Customer attempted to verify the new bank details by phone but failed to complete the verification due to a bad telephone line. No further attempt was made to verify the details. Accordingly, this phone call weighed against the existence of a duty because no loss would have occurred had the Customer properly verified the details.
Further, the phone call was taken as evidence that the Customer knew of the risk of paying to a new bank account and that the Customer likely had doubts about the sender's identity.
Additionally, since security measures can never eliminate the risk of a breach, it was determined that ultimately the only person in a position to prevent itself from being the victim of fraud was the Customer.
Taken together, these factors led the Court to conclude that no duty could be established.
Compliance with ‘notice’ of change of bank details
The Customer submitted that it acted on a written direction from the Service Provider pursuant to the Agreement by making payment in accordance with the Fraudulent Email.
However, the Court found the Fraudulent Email did not come from the Service Provider; it came from the third-party fraudster. Further, the steps the Customer took to attempt to verify the new bank details in fact weakened its contention that the notice it complied with came from the Service Provider, since it is clear the Customer had some reservations as to that assertion.
What should businesses and customers do?
Both sellers/service providers and customers should implement security policies and financial security procedures to reduce the risk of falling victim to fraudulent activity.
Such measures may include:
(a) implementing due diligence measures when making payments, such as confirming bank account details over the phone to a known phone number;
(b) ensuring email accounts are secure by frequently updating passwords and setting up multi-factor authentication;
(c) securing financial documents, such as ensuring invoices are secured when rendering electronically via email;
(d) implementing training and awareness programs to educate employees on how to identify fraudulent activity and reduce cyber security risks; and
(e) speaking with their insurance broker to take out cyber insurance to protect against these unfortunate events.
Conclusion
Despite the Fraudulent Email originating from within the Service Provider’s legitimate email account, the Customer in this case was liable to pay the unrecovered balance on the outstanding invoices.
This case highlights the increasingly sophisticated activities of fraudsters and illustrates the importance of verifying payment details when making payments.
Furthermore, it suggests that liability may lie with the party who is in a better position to protect itself against fraud.
Please reach out to our commercial team at hello@pragma.law if you would like to discuss further ways in which you can protect yourself and your business.
[1] Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114.