A recent court case in Western Australia, Mobius Group Pty Ltd v Inoteq Pty Ltd, serves as a stark reminder of the financial and legal risks businesses face when cybersecurity measures fall short. The case highlights how a simple email compromise can lead to devastating consequences—including paying the same invoice twice.
A hacker infiltrated Mobius Group’s email system and sent fraudulent invoices to Inoteq, changing the payment details to their own account. Inoteq paid the fraudulent invoice, and the funds were sent overseas. When Mobius discovered the fraud, they sued Inoteq for the original payment. The court ruled that Inoteq had to pay Mobius again—meaning they paid twice for the same invoice.
The court’s decision hinged on two key issues:
- Inoteq’s Weak Verification Process: Inoteq attempted to verify the new bank details by calling Mobius, but the call quality was poor. Instead of calling back, they sent an email, which went straight to the hacker. The judge called this approach “astonishing” and “inadequate.”
- Mobius’s Cybersecurity Measures: Inoteq argued that Mobius failed to secure its email system, but the court found no evidence of negligence. The judge noted that even with strong cybersecurity, a “determined and skilful” hacker could still breach systems.
This case underscores the importance of robust cybersecurity and verification processes. Here’s what businesses can learn:
- Verify Changes in Payment Details: Always use out-of-channel verification (e.g., phone calls to a known number) to confirm changes in bank details. Don’t rely solely on email.
- Strengthen Email Security: Implement multi-factor authentication, encryption, and regular employee training to prevent email compromises.
- Train Your Team: Educate staff about phishing scams and the importance of verifying unusual requests.
- Prepare for the Worst: Even with strong defenses, breaches can happen. Have a response plan in place to minimize damage.
The court’s decision didn’t rule out the possibility of businesses being held liable for failing to take reasonable cybersecurity steps. This means companies must proactively protect themselves to avoid legal and financial fallout.
The Mobius v Inoteq case is a wake-up call for businesses to prioritize cybersecurity and verification processes. Email fraud is on the rise, and the consequences can be catastrophic. Don’t wait until it’s too late—take action now to protect your business.