10 – Landmark Cybersecurity Court Ruling on Email Fraud: Who Pays the Price?

by | Jan 31, 2025 | Podcast

Email fraud is the most common cyber security attack we see in small and medium-sized businesses. A recent court case in the West Australian District Court has highlighted the risks and the impact that Business Email Compromises (BECs) can have.

The Case – Mobius Group vs Inoteq

The December 2024 case in the West Australian District Court between Mobius and Inoteq has set a very interesting precedent as to who should pay when a supplier is hacked and a fraudster issues a fake invoice from the supplier’s email system. This Business Email Compromise led to the customer paying over $200,000 into the hacker’s account. Once again, the hacked account was a Microsoft 365 account.

The court ruled that Inoteq (the customer) had to pay all the money owed, totalling $194,000. 

This is despite:

  • The email account had been set up by Mobius themselves with little security (no MFA or geoblocking). Was this best practice? Had reasonable steps been taken to protect the account?
  • Inoteq had tried to verify the change of bank account details with Mobius, but the call failed due to issues with their phones. Follow-up questions about payment details should never be sent by email.

Have a listen to the podcast for the full details. There are a number of lessons learnt from the court case, including best practices and the importance that a court places on supplier agreements and terms and conditions.

Tips to protect your business as well as possible from Business Email Compromises.

  • Enable MFA on all your email accounts.
  • Verify large, urgent or unusual payment requests, and any changed account details, by phone.
  • Train employees in how BEC works and what to look out for.
  • Monitor your Microsoft 365 Secure Score.
  • Use email protections like SPF, DKIM and DMARC. (These won’t protect you from BEC, but they will protect against emails sent from some other domains.)

Talk to your local Cyber Security experts to see if there is more you need to do to protect against BECs, but the key thing is non-technical – great Accounts Payable procedures.

  • I am not a lawyer and this is not legal advice.