As more and more businesses begin relying upon online services and electronic communication due to the necessities of the COVID-19 pandemic, hacking, phishing and other cybercrime have been steadily increasing.
It’s happening all the time now, and it generally looks innocuous. The supply manager whom you regularly email about invoices and payments sends you a quick note letting you know that the company is changing its bank account because it found a better deal with a different bank, and attaches a document with the new bank details.
You have emailed back and forth with this person multiple times a week for months or maybe years, and they might have changed their payment arrangements multiple times before. You send through the new payment details to your accounts department and think nothing of it. A week or two later, you receive word from this supplier that their IT system was hacked and all invoices paid in those weeks went to a fraudulent account.
Or perhaps the supplier sends a follow-up email asking about the invoice, and on closer inspection you realise the email address that sent through the bank details has an extra full stop or other character that is easy to miss. In either case, the supplier tells you that its invoices remain payable in full to the correct bank account.
Are you liable to pay those invoices a second time, or is the supplier liable for failing to have adequate cyber security? The answers to this question will depend on the precise circumstances that occurred surrounding the fraudulent payments. There are, however, some basic principles that have been considered.
Phishing vs hacking
While the law in this area remains undeveloped, logic says that there is an important distinction between “phishing” and “hacking”.
“Phishing” (or “spoofing”) incidents are sometimes referred to as “social engineering”, because the scammers rely on human error on the part of the person making the payment. This is obviously in contrast to a technology-based “hack” of an IT system.
Spoofing or phishing scams are normally designed to leverage existing relationships of trust (e.g. service provider / client, or business owner / financial controller). Typically the scammer will send an invoice which appears to have been sent by a trusted party, and the scam succeeds when the person making the payment fails to spot it. In these circumstances, even though the person has paid a fraudulent invoice that was purportedly from the trusted party, that trusted party probably had no involvement in the scam (i.e. its IT systems were not compromised). Logic says the paying party then has no reasonable prospect of obtaining a credit towards future invoices issued by the legitimate party. Of course, the contract may have something to say, but a well-drafted contract would not let the paying party off the hook in this scenario.
An actual hacking incident involves a breach of the supplier’s cybersecurity, with the scammer’s emails being sent from the business’ own email servers. A business email hack can be very difficult to spot from the payer’s point of view, as the scammer is often sophisticated enough to copy syntax and phrasing from previous emails so that the message reads exactly as if it were from the real supplier employee. In these circumstances there is an element of fault on the supplier’s part in failing to maintain adequate security; however, it is not clear precisely where liability will lie.
Consideration in the courts
No Australian case has directly considered the liability for payments made in accordance with fraudulent invoices in a hacking situation, however the Queensland District Court case of Factory Direct Fencing Pty Ltd v Kong AH International Company Limited  QDC 239 does provide some insight. The case involved a fraudster interposing between a buyer in Australia (Factory Direct) and a Chinese supplier (Kong AH) to request payment into a different bank account for an invoice. The parties had only ever communicated via email, and Andrews SC DCJ accepted evidence that a mix of fraudulent emails were sent or intercepted from the actual supplier’s email address (hacking) and from a deceptively similar email address (spoofing).
After being provided with the new account details, Factory Direct requested that the details be provided on official letterhead, and once this was duly provided it attempted to make payment. The payment was initially rejected by the bank because the account name (Kong AH) did not match the account number; however, rather than raising this issue with Kong AH, Factory Direct simply resubmitted the payment, which was then accepted.
Once the fraud was discovered, Factory Direct commenced proceedings demanding it be provided with the goods from Kong AH, arguing it had made payment in accordance with emails it received and alternatively arguing that Kong AH had a duty of care to ensure that its customers were not the victim of fraudulent emails. Both of these claims failed – Andrews SC DCJ found the imposition of a duty of care would be too broad, and the loss could be mitigated relatively easily by verifying the account over the phone.
Andrews SC DCJ found in favour of Kong AH, concluding that Factory Direct was not entitled to the goods as it had not paid, ordering that Kong AH be paid the remaining invoice amount in accordance with its crossclaim. The District Court particularly considered that Factory Direct could have taken reasonable steps to verify the payment details in circumstances where the director of Factory Direct had some suspicion in relation to the initial email, and the payment was initially rejected by the bank.
The case of Factory Direct v Kong AH shows that in at least some circumstances it may be found that the customer paying the fraudulent invoice is liable to pay the invoice amount again if the matter is brought before the courts.
Tips to avoid invoice redirection scams
- Always verify any changes to accounts, email addresses or payment details over the phone (using a number already on file) or in person;
- Closely review the email addresses of any change requests to ensure they are not spoof emails;
- Ensure that adequate cybersecurity insurance has been taken out, and closely review precisely what forms of cyberattack are covered. Similar to the distinction above, it is common for an insurance policy to distinguish between hacking and phishing, with the former covered and the latter not covered by the policy. There are a number of US cases considering this distinction, most recently the case of Medidata Solutions Inc. v. Federal Insurance Co., case number 1:15-cv-00907 (ALC) (July 21, 2017, U.S. D.C. S.D. New York); and
- If invoice fraud is discovered, notify the other entity in the transaction and the relevant bank immediately to have the most chance of recovering the funds, and lodge a fraud report with the Australian Cyber Security Centre.
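The second tip above (checking a change request’s sender address for the extra full stop, dropped character or swapped letter that is easy to miss by eye) can be automated against the list of supplier mailboxes the accounts team already trusts. The following is an added example, not code from the original article or from any of the parties it discusses: the allow-list, the confusable-character table and the sample `From:` headers are all constructed for illustration. Note that it only detects spoofed addresses; a hacked genuine mailbox, as in the Factory Direct scenario, scores as trusted, which is why the first tip (phone verification on a number already on file) still applies to every row.

```python
"""Flag payment-change emails whose sender is a near-miss of a known supplier.

Added example, not code from the original article. KNOWN_SENDERS and the
sample headers are constructed for illustration; the confusable table is a
small heuristic, not a complete homoglyph list.
"""
from email.utils import parseaddr
import unicodedata

# Constructed allow-list of supplier mailboxes the accounts team already trusts.
KNOWN_SENDERS = {
    "j.smith@acme-supplies.example",
    "accounts@northfence.example",
}

# Characters that read like letters at a glance (heuristic, deliberately small).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(addr: str) -> str:
    """Case-fold and Unicode-normalise so 'J.Smith@ACME-Supplies.example' matches."""
    return unicodedata.normalize("NFKC", addr).strip().lower()


def fold_confusables(addr: str) -> str:
    """Map look-alike characters in the domain to the letters they imitate."""
    local, _, domain = addr.partition("@")
    domain = domain.translate(CONFUSABLES).replace("rn", "m")
    return f"{local}@{domain}"


def classify(from_header: str, known=KNOWN_SENDERS, max_distance: int = 2):
    """Return (verdict, matched_known_address).

    verdict is 'trusted' (exact match), 'lookalike' (within max_distance edits
    of a known address, or identical after confusable folding) or 'unknown'.
    """
    _display_name, raw = parseaddr(from_header)  # ignore the display name entirely
    sender = normalise(raw)
    if sender in known:
        return "trusted", sender
    folded = fold_confusables(sender)
    best = None
    for k in known:
        if folded == fold_confusables(k):
            return "lookalike", k
        d = levenshtein(sender, k)
        if d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return ("lookalike", best[0]) if best else ("unknown", None)


# Constructed inbound From: headers exercising each case.
SAMPLE_HEADERS = [
    "John Smith <j.smith@acme-supplies.example>",    # the real mailbox
    "John Smith <j.smith@acme.supplies.example>",    # extra full stop
    "John Smith <jsmith@acme-supplies.example>",     # dot dropped
    "Accounts <accounts@n0rthfence.example>",        # zero in place of o
    "John Smith <john.smith.acme@webmail.example>",  # familiar name, unrelated address
]


def triage(headers=SAMPLE_HEADERS):
    """Classify each header. Every row still needs a phone call before payment
    details are changed, because a hacked genuine mailbox scores 'trusted'."""
    return [(h, *classify(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, match in triage():
        note = f"  (resembles {match})" if verdict == "lookalike" else ""
        print(f"{verdict:9} {header}{note}")
```

The check is deliberately conservative: it compares the whole address rather than just the domain, so a new mailbox at a known supplier domain is reported as `unknown` and routed to the same manual verification as a stranger, and the display name is discarded before matching because it is the part of the header a scammer controls most freely.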