Given that Australians have lost hundreds of millions of dollars to funds transfer fraud in the past decade and a half, there is a surprising lack of authority on how courts apportion responsibility and loss between the Transferor and the Transferee.
In both the available decisions to date:
- Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 (‘Mobius Group’); and
- Factory Direct Fencing Pty Ltd v Kong AH International Company Ltd [2013] QDC 239 (‘Factory Direct Fencing’)
the Court found in favour of the Seller/Transferee1 rather than the Buyer/Transferor on the basis that:
- There is no general duty to protect transaction counterparties from loss arising from funds misdirection and email intrusion, nor will a duty to do so be readily implied in a supply contract.
- Neither contract included express provisions.
- The fraudulent payment instruction was not authorised by the Seller/Transferee or an agent.2
- The recipient of the email (the Buyer) had the last clear opportunity to avoid the loss by verifying the account details before making the payment.
- Accordingly, no apportionment between the parties is required.
In the most recent case (Mobius Group), this applied even though the Seller’s email system had been compromised, so that the Buyer received a “genuine” (although unauthorised) email sent from that business’s own mail system.3
Funds redirection refresher
The basic technique is fairly simple:
- Insert yourself into someone else’s communication stream, usually by phishing their email account;
- Alter or forge an invoice or payment instruction; and
- Use measures of varying sophistication to increase the chances of the target acting on it.
While simple, such techniques can be devastatingly effective. Over the past 20 years tens of billions of dollars4 have been stolen in this way. Targets include sophisticated companies such as Google and Facebook, which each lost tens of millions of dollars in a single scheme.5
In most cases it is a genuine invoice in the sense that a legitimate payment is due; the only change is the destination account.6 The likelihood of the fraud succeeding increases if the email to which the forged invoice is attached originates from the Seller/Transferee’s own email system, but this is not essential. The alteration can be made at either the Seller’s end or the Buyer’s, or the email can be sent from an external lookalike account,7 although that approach is more easily detected by a sharp-eyed recipient.
How have Australian courts apportioned loss?
The starting point is that the Transferee has not been paid, and the fact that the Transferor attempted to pay does not alter that reality. The Transferor has lost their money and bears the practical onus of establishing liability elsewhere. Only if the Transferee owed a duty to prevent the loss do the measures it took (or failed to take) to prevent it become relevant.8
While the risk of economic loss to third parties from a compromised network is certainly foreseeable, no general duty to prevent such loss has been identified to date. In Mobius, a contractor issued an invoice for about $250,000. The fraudster, who had compromised the director’s email account, used the contractor’s own email system to send a further message instructing the customer to pay the invoice into a different bank account.
The customer’s administration team rang the contractor but, because of poor call quality, could not understand the response. They “confirmed” the change by email instead and, unsurprisingly, the attacker assured them it was legitimate.
The facts in Factory Direct Fencing are similar. The Plaintiff/Buyer imported aluminium fencing from China9 following a course of dealing in which orders were placed and invoices issued by email. The Seller did not have its own email system; its employees used free @yahoo.cn accounts, which made spoofing and substitution extremely easy. At least one email appears to have been sent from the account the Seller’s employee had actually set up; the others came from spoof accounts set up by the attacker with minor variations in the address. At some point the Buyer became suspicious and asked for confirmation of the account changes, but then accepted further emailed documents as sufficient confirmation.
In both cases the Court applied the usual principles for determining whether a duty to prevent pure economic loss to transaction counterparties applied and concluded that, absent a special relationship, representation or contractual term no such duty applied in the case of arm’s length buyers and sellers of goods and services,10 especially where no evidence has been led of simple and cost effective steps the Seller could have taken to prevent email compromise.11
Lessons to be learned:
For sellers
- Ensure that your supply contract and other standard documentation clearly warn customers not to transfer substantial sums without verification by a real-time telephone call to a confirmed number.12 Expressly disclaim any warranty of email security (although note the complication arising from AI-powered voice spoofing).
- Use a proper e-signature system so that a recipient can check that a signed document has not been altered since it was signed.
- Adopt email protection measures appropriate to your organisation’s size and resources.
- Be careful of either making or accepting glib promises about cybersecurity. If you represent to those you are dealing with that you “take cybersecurity seriously” then be prepared to prove it.
For customers
- Assume email is not secure. Train all staff so they know that email is never treated as a source of truth and that payment destinations are checked every time you contract with a new supplier or payment details change. Purported verification of payment arrangements by email is not effective.
- Cybersecurity and email protection are not one size fits all. If you want to establish that a service provider did not do enough to protect the communications chain, you will need expert evidence assessing the reasonableness of its efforts in light of the size of the organisation and the resources available to it.
- Double check before transferring funds. Be especially wary when dealing with a new supplier or when a change of payment details is specified.
- The fact that a request is made on a business’s “official” letterhead is meaningless; letterhead can be duplicated in seconds.
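The lookalike-domain check from the refresher above (footnote 7’s sales@vendorfirm.com.biz versus sales@vendorfirm.com.au) and the “check the payment destination every time it changes” lesson for customers can be partly automated at the accounts-payable end. The following Python screen is an added example written for this page; it is not code from the article or from any party to the cases, and the vendor master record, account numbers and three sample messages are constructed for illustration. It flags a sender domain that reuses a known vendor’s leading label under a different suffix, a Reply-To that points somewhere other than the sender domain, and any bank details in the body that differ from the account on file. Only the last check catches the Mobius pattern, where the email came from the Seller’s own system.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed vendor master record (hypothetical values, not from the article):
# the domain the supplier is known to send from and the BSB/account on file.
VENDOR_MASTER = {
    "vendorfirm.com.au": {"bsb": "062000", "account": "12345678"},
}

# Picks up "BSB 082-001 ... Account 98765432" style details in a message body.
BANK_RE = re.compile(
    r"BSB\D{0,5}(\d{3})-?(\d{3})\D{0,60}?(?:Account|Acct|A/C)\D{0,10}(\d{6,10})",
    re.IGNORECASE | re.DOTALL,
)


def address_domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def classify_domain(domain, known):
    """'exact' if on the vendor list, 'lookalike' if it reuses a vendor's leading
    label under a different suffix (vendorfirm.com.biz), otherwise 'unknown'."""
    if domain in known:
        return "exact"
    if domain and any(domain.split(".")[0] == k.split(".")[0] for k in known):
        return "lookalike"
    return "unknown"


def screen_payment_email(raw):
    """Return a list of findings for one RFC 5322 message string. An empty list
    means nothing anomalous was detected, which is not proof the email is genuine."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    kind = classify_domain(from_dom, VENDOR_MASTER)
    if kind != "exact":
        findings.append(f"{kind} sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    match = BANK_RE.search(text)
    if match:
        bsb, account = match.group(1) + match.group(2), match.group(3)
        # Only trust the master record when the sender domain is the real one.
        on_file = VENDOR_MASTER.get(from_dom) if kind == "exact" else None
        if on_file is None or (bsb, account) != (on_file["bsb"], on_file["account"]):
            findings.append(
                f"bank details BSB {bsb} account {account} are not on file: "
                "verify by phone on a confirmed number before paying"
            )
    return findings


# Constructed sample messages (not real traffic).
GENUINE_INVOICE = """From: Accounts <accounts@vendorfirm.com.au>
To: ap@buyer.example
Subject: Invoice 4471

Invoice 4471 attached. Please pay to BSB 062-000 Account 12345678 as usual.
"""

LOOKALIKE_CHANGE = """From: Accounts <sales@vendorfirm.com.biz>
To: ap@buyer.example
Subject: Updated bank details - Invoice 4471

Please note our bank details have changed.
BSB: 082-001 Account: 98765432
"""

# The Mobius pattern: sent through the supplier's own mail system, so only the
# comparison against the account on file flags it.
COMPROMISED_MAILBOX = """From: Accounts <accounts@vendorfirm.com.au>
To: ap@buyer.example
Subject: Re: Invoice 4471

Please pay this invoice to our new account: BSB 082-001 Account 98765432.
"""

if __name__ == "__main__":
    samples = [("genuine", GENUINE_INVOICE), ("lookalike", LOOKALIKE_CHANGE),
               ("compromised", COMPROMISED_MAILBOX)]
    for name, raw in samples:
        print(name, screen_payment_email(raw) or ["no findings"])
```

The screen is deliberately conservative: it compares the whole sender domain against the vendor list rather than trusting a display name or letterhead, and it treats any bank details that are not already on file as a change requiring a phone call, whatever the email says about the reason. It does not replace that call; as the cases show, an email “confirmation” sent back to the same compromised mailbox confirms nothing.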
Application to law firms
A note of caution for law firms: because a firm is a fiduciary and trustee with a professional duty to maintain client confidentiality,13 a Court may be more likely to find a general duty of care or an implied contractual obligation to avoid losses to clients arising from cybersecurity breaches.
The majority of funds redirection incidents now arise from emails that are sent from impersonator accounts. Provided that the firm has issued appropriate warnings (such as those specified in Lexon’s conveyancing risk pack or email footers) and reacted appropriately to anomalous communication it is hard to see how the firm could be blamed for the loss.
Where the firm’s email system has been compromised, the steps the firm took or failed to take to prevent such intrusion are likely to be relevant.
The Transferor may have other recovery options
Establishing liability on the part of the Transferee may not be the Transferor’s only recourse. Banks and payment platforms have duties to protect consumers from transfer losses, although the traditional position of Courts has been that a bank must follow a clear mandate from the customer.14
Where the payment instruction comes from the attacker, the bank bears the practical onus of establishing that the Transferor should bear the loss. Where the customer is tricked into making the transfer themselves or has disclosed passcodes, the bank’s position is stronger, but establishing liability may still be possible.15
If the Scams Prevention Framework legislation passes, the consumer’s position will be stronger still.
Footnotes
1 For convenience, the party to whom the Transferor intended to send the money will be described as “the Transferee”, notwithstanding that they did not in fact receive the funds.
2 In Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114, the email address was specified as the address for notices; however, the Plaintiff failed to establish that this alone meant that unauthorised communications originating from that system would be deemed to be notice by the Defendant.
3 The forged email contained formatting and grammatical errors which may have warned the recipient that the communication did not come from the usual party they dealt with, but the email came from the other party’s server.
4 The 2022 FBI crime report estimated that BEC attacks cost US companies over US$3.6 billion in that year alone: Federal Bureau of Investigation, Internet Crime Report (Report, 2022).
5 US Attorney’s Office, Southern District of New York, ‘Lithuanian Man Sentenced To 5 Years In Prison For Theft Of Over $120 Million In Fraudulent Business Email Compromise Scheme’ (Press Release, 19 December 2019).
6 On occasion, the entire transaction has been fabricated by the attackers, with middle management duped into transferring money on supposed instructions from the top executives: Pathe News BEC.
7 sales@vendorfirm.com.biz vs sales@vendorfirm.com.au, for example.
8 The measures taken to protect the Transferee’s systems were the subject of evidence in both Mobius and Factory Direct. Deficiencies were noted, but in both cases it was noted that the evidence did not establish substantial lack of care. Reading between the lines in Mobius, if the cybersecurity standard had been egregiously poor the Court may have been inclined to find at least a basic duty to take care on the part of the Transferee. See comments on this point at [145]-[147].
9 And yes – they really should have been called “We import stuff and sell it to you for a markup fencing”
10 See Woolcock St Investments v CDG Pty Ltd [2004] HCA 16; Caltex Refineries (Qld) Pty Ltd v Stavar [2009] NSWCA 258, [101]-[103] for a list of considerations that apply to finding a general / novel duty to avoid foreseeable risk.
11 See National Australia Bank v Hokit (1996) 39 NSWLR 377, 391 (Mahoney P), Factory Direct Fencing Pty Ltd v Kong AH International Company Ltd [2013] QDC 239, [125].
12 In the case of a law firm insured by Lexon, the timing and format of such warnings is specified in the Conveyancing Protocol. It may be wise to include it in the contract of retainer as well. For the reasons real-time communication (rather than reliance on recorded messages) is preferred, see David Bowles, ‘Hackers have a new weapon’, QLS Proctor (online, 20 August 2024).
13 Queensland Law Society, Australian Solicitors’ Conduct Rules (at 27 September 2024) r 9.
14 Philipp v Barclays Bank UK plc [2023] UKSC 25.
15 See for example AFCA determination 12-00-1016692 in which the fact that the customer passed authorisation codes for the transfer to the scammer was ignored on the basis that they were tricked into doing so and therefore such disclosure was not “voluntary”. The case law relied upon to reach this conclusion was extraordinarily thin, but similar conclusions have been reached internationally.