Court Sets Precedent: Is your business liable for scams, hacks and frauds of other businesses?

Invoice Scam sets Precedent

It sure could be!…

So you’ve invested in the latest virus and security software. Employed a crack team of security analysts to check your border. Sent all the employees on a crash course in identifying fraud. You’re all set to combat any fraud, hack or trojan that besieges your organisation.

Well, guess what: the Western Australia District Court has ruled against you, and you’re now liable for the losses incurred by your clients and/or vendors. Read on.

How can this happen?

The story behind this case involves Mobius, a leading software development firm, and Inoteq, a renowned tech solutions provider. The two companies had established a business relationship based on mutual trust and collaboration. Both companies had engaged in various projects together, resulting in a seamless workflow and mutual benefits. However, this harmonious relationship suffered a severe setback that ended in court proceedings in late 2024.

The fraud itself happened in March and April of 2022. At that time Mobius sent a series of invoices to Inoteq for work purportedly completed. These invoices, which appeared legitimate at first glance, were meticulously crafted to include accurate project details, timelines, and costs. Mobius claimed that the work detailed in these invoices was part of their ongoing contractual obligations with Inoteq. These invoices totalled $234,400.

Little did either company know that the Email system of Mobius had been compromised and the invoices were not legitimate. The first of these Emails, legitimately addressed from Mobius’s Director, explained that a new bank account had been opened and that the invoices showed the new details: “kindly pay attention and update your records”.

This of course triggered security protocols at Inoteq, and a staff member rang Mobius directly to confirm that the Emails were indeed legitimate and to confirm the new bank details. However, court records show that the conversation was not completed due to bad phone line quality, with Inoteq saying “they would send an Email”.

So Inoteq sent a follow-up Email requiring proof and confirmation of the new bank account, which of course was forthcoming from the hijacked Email accounts.

A week or two later, when Mobius followed up on the outstanding payments, the scam was uncovered and the police were called in. By this stage, of course, most of the money had left the country, but thankfully $43,541 was recovered.

It was discovered at this point, by a cyber security expert who testified in the case, that the scammer had indeed gained access to the Mobius director’s Email account. This meant, of course, that there was no way for Inoteq to tell electronically whether the Emails were legitimate or not.

Judge Gary Massey, presiding over the WA District Court, was clear in his ruling. Judge Massey ruled that Inoteq would again have to pay the outstanding monies of $190,000 with interest. He told the court Inoteq should have tried to protect itself better. He ruled that all Mobius needed to do to protect itself from being scammed in this instance was to attempt to make more phone calls to verbally confirm the new details.

What can we learn from this fraud case?

We all know of someone or a company that this has happened to. Being in the IT sector, we at PIP see this sort of scam every week, and unfortunately we see many Australian companies fall victim to such scams. This ruling by Judge Massey is the first of its nature. Surprising as it is, these cases have rarely seen any court; I personally ascribe that to corporations being too embarrassed to admit they have been hacked or, on the other side, to reputational damage and looking foolish for having been a victim of scammers. This case may open the doors for many more. More importantly, this case has set the first and most likely sticky precedent for substitute invoice scams, putting all Australian companies on high alert.

What is an invoice scam?

An invoice scam is a type of financial fraud that targets businesses and individuals by issuing fake or fraudulent invoices. These scams often involve sophisticated techniques to deceive the recipient into believing that the invoice is legitimate and due for payment. The perpetrators may impersonate a known supplier or vendor, use professional-looking documents, send fraudulent emails or, as in this case, even hack into email accounts to intercept and alter genuine invoices and other correspondence. The goal is to trick the recipient into transferring funds to the scammer’s account instead of the legitimate vendor’s account.

To execute an invoice scam, the fraudsters typically gather information about the target’s business transactions and relationships. This can involve phishing attacks, social engineering, or hacking into company systems. Once the necessary details are obtained, they create a fake invoice that closely resembles a legitimate one, including accurate logos, layouts, and wording. The invoice is then sent to the targeted company, often with a sense of urgency or a plausible explanation for why the payment needs to be made quickly. If the target falls for the scam, they unknowingly transfer funds to the scammer, resulting in financial loss and potential disruption to their business operations.

What security measures should we put in place to stop being scammed by invoice scammers?

Preventing invoice scams requires a combination of vigilance, strong internal controls, due diligence and employee training. Companies should establish verification processes for all invoices, such as confirming payment details directly with the vendor through two or more known and trusted communication channels. Regular audits and monitoring of financial transactions can help detect anomalies and suspicious activities. Additionally, educating employees about the common signs of invoice fraud and promoting a culture of scepticism and verification can significantly reduce the risk of falling victim to such scams. In summary:

  • Ensure Email passwords are extremely long and complicated on all your Email addresses.
  • Change Email passwords regularly.
  • Never give out your Email password.
  • When a strange, unexpected or altered invoice arrives, validate its legitimacy via at least two trusted mediums.
  • Have access to mobile numbers of larger clients and vendors.
  • Use the bank’s Account Verification tools.
  • Train employees to be vigilant and sceptical of any discrepancy or uncommon occurrence.
  • Contact PIP or your trusted IT provider for guidance.
  • If in doubt, don’t pay… WAIT.
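
The "at least two trusted mediums" rule can be written down as a payment gate. The sketch below is an added example, not part of the court record or any PIP tooling; the channel names, the `decide` function and the account strings are assumptions made for illustration. It shows why a dropped phone call and an Email reply from the mailbox that sent the request both count for nothing.

```python
from dataclasses import dataclass

# Assumed channel names: contact details recorded in the vendor master file
# before the change request arrived, plus the bank's own verification tool.
TRUSTED = {"phone_on_file", "mobile_on_file", "bank_account_verification"}
REQUIRED = 2  # "at least two trusted mediums"

@dataclass(frozen=True)
class Confirmation:
    channel: str         # how the check was made
    completed: bool      # False if, say, the call dropped before read-back
    details_match: bool  # vendor or bank confirmed the requested account

def decide(on_file, requested, received_via, confirmations):
    """Return (decision, notes) for a payment to `requested` bank details."""
    if requested == on_file:
        return "PAY", ["bank details unchanged"]
    notes, good = [], set()
    for c in confirmations:
        if c.channel == received_via:
            notes.append(f"{c.channel}: same channel as the request")
        elif c.channel not in TRUSTED:
            notes.append(f"{c.channel}: not a contact detail held on file")
        elif not c.completed:
            notes.append(f"{c.channel}: check not completed")
        elif not c.details_match:
            return "REJECT", [f"{c.channel}: vendor or bank did not confirm the change"]
        else:
            good.add(c.channel)  # a set, so repeating one channel counts once
    if len(good) >= REQUIRED:
        return "PAY", sorted(good)
    notes.append(f"{len(good)} of {REQUIRED} independent confirmations")
    return "HOLD", notes

# Constructed scenarios; account strings are placeholders, not real data.
OLD, NEW = "ACCT-ON-FILE", "ACCT-REQUESTED"
case_like = decide(OLD, NEW, "email", [
    Confirmation("phone_on_file", completed=False, details_match=False),
    Confirmation("email", completed=True, details_match=True),
])
verified = decide(OLD, NEW, "email", [
    Confirmation("phone_on_file", True, True),
    Confirmation("bank_account_verification", True, True),
])
denied = decide(OLD, NEW, "email", [Confirmation("mobile_on_file", True, False)])

if __name__ == "__main__":
    for name, result in [("case_like", case_like), ("verified", verified), ("denied", denied)]:
        print(name, result)
```

The `case_like` scenario mirrors the sequence described in this case (an incomplete call followed by an Email confirmation) and stays on HOLD until two completed checks on independent, on-file channels agree.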

This case has set a legal precedent to put the onus on businesses that fall victim to invoice scams and not those businesses that have been hacked. Whether you agree or not, this case will set a long-term legal precedent, as high-tech cases are hard to adjudicate no matter what district, state or country. It will be interesting to see if similar cases come forward this year.

If you ever think you have received a fraudulent Email and would like assistance in determining the technical specifics of it, please call our helpdesk 24×7 and one of our friendly staff will be only too happy to assist you. We don’t want anyone stressing or getting anxious over some scammer looking for a new mark.