Invoice Scams: A $16.2 Million Wake-Up Call for Australian Businesses
Did you know invoice scams cost Australians and businesses over $16.2 million last year alone? That’s a 3% increase from the previous year, according to the ACCC. These scams are a form of social engineering, where attackers exploit trust by mimicking real invoices or hacking into email systems to redirect payments. The result? Victims pay into the wrong accounts, and the fallout can be messy.
How It Works
Attackers either hack into an invoicer’s email system or craft a fake invoice that looks almost identical to the real one. The only difference? The bank account details. In sophisticated attacks, even that difference is hard to spot.
This scam is opportunistic and alarmingly easy to pull off. When it happens, the victim is often left holding the bag, as they’re seen as responsible for failing to verify the invoice details. But what happens when the invoicer’s systems are compromised? Who’s really to blame?
The Case That Changed Everything: Mobius Group Pty Ltd v Inoteq Pty
In this landmark case, Mobius Group’s email was hacked, and a fraudulent invoice was sent to Inoteq. Despite attempting to verify the invoice by phone, Inoteq couldn’t reach Mobius and paid the invoice. When Mobius followed up for payment, the scam was uncovered.
Inoteq argued that Mobius was responsible for the breach, while Mobius claimed they hadn’t been paid for their services. The case went to court, becoming the first major ruling in Australia on who bears responsibility in such scenarios.
The Court’s Decision
The WA District Court ruled in favor of Mobius, aligning Australia with precedents in the USA and Canada. The court found:
No Duty of Care: Mobius didn’t owe a duty of care to Inoteq to prevent the hack. A determined attacker, the court argued, could bypass even robust security controls.
Invalid Notification: The fraudulent email didn’t count as valid notification for changing bank details. Inoteq’s failed attempt to verify the change via phone further weakened their case.
What Does This Mean for Businesses?
For buyers: Always verify payment changes through a secondary channel (e.g., a phone call) and include this requirement in contracts.
For sellers: While the ruling favors you, litigation is costly and can damage client relationships. Strengthen your IT controls—like implementing multi-factor authentication (MFA)—to reduce the risk of being hacked in the first place.
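The buyer-side control above (treat any bank-detail change in an invoice as unverified until confirmed through a secondary channel) can be enforced in an accounts-payable workflow before funds are released. The following is an added example, not code from the original post or from Cyber and Me; vendor names, BSBs and account numbers are constructed, and the helper names are hypothetical.

```python
"""Payment-release check for incoming invoices.

Flags any invoice whose bank details differ from the vendor master record
and holds payment until the change has been confirmed out of band (for
example, a phone call to a number taken from the contract, not from the
email). Sample vendor data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


def normalise_account(bsb: str, account: str) -> Tuple[str, str]:
    """Strip spaces and dashes so '062-000' and '062 000' compare equal."""
    return (
        "".join(ch for ch in bsb if ch.isdigit()),
        "".join(ch for ch in account if ch.isdigit()),
    )


@dataclass
class Vendor:
    name: str
    bsb: str       # bank details confirmed at onboarding
    account: str


@dataclass
class Invoice:
    vendor: str
    bsb: str       # bank details as printed on the incoming invoice
    account: str
    amount: float


def payment_decision(invoice: Invoice, vendors: Dict[str, Vendor]) -> str:
    """Return 'pay', 'hold' or 'reject' for an incoming invoice."""
    vendor = vendors.get(invoice.vendor)
    if vendor is None:
        return "reject"  # unknown payee: nothing on file to compare against
    if normalise_account(invoice.bsb, invoice.account) == \
            normalise_account(vendor.bsb, vendor.account):
        return "pay"
    # Details differ from the master record. An email or PDF invoice is not
    # valid notification of a change, so hold until verified out of band.
    return "hold"


def record_verified_change(vendor: Vendor, bsb: str, account: str) -> None:
    """Update the master record only after secondary-channel confirmation."""
    vendor.bsb, vendor.account = bsb, account


# Constructed sample vendor master (not real bank details)
VENDORS = {"Mobius Group": Vendor("Mobius Group", "062-000", "1234 5678")}
```

A 'hold' result should trigger the phone verification step and a record of who confirmed it; only then does `record_verified_change` update the master, after which the same invoice passes.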
The Bigger Picture
This ruling raises important questions: Should companies be held accountable for poor cybersecurity practices? If a determined attacker can breach any system, where does liability end? With cases like Optus’s data breach still fresh in our minds, it’s clear that Australia needs clearer laws on duty of care in cybersecurity.
Conclusion: Buyer Beware
The age-old principle of “Caveat Emptor” (Buyer Beware) holds true. While technical controls can reduce risks, the best defense is a contractual agreement that outlines how payment changes should be verified.
Don’t wait for a scam to hit your business. Stay ahead of the curve with expert guidance. Reach out to Cyber and Me today to strengthen your cybersecurity strategy and protect your business from costly scams.
What’s your take? Who should be responsible in these cases? Share your thoughts below!