This case note examines the decision in Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 (Mobius), a case concerning email fraud and its implications for businesses. It highlights the complexities surrounding liability when a third party intercepts email communications, and the Court's view on the duty of care. This case serves as a reminder to all businesses about the importance of robust security measures and diligent practices.
In Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114, Mobius Group Pty Ltd (Mobius Group), an electrical engineering consultant, contracted with Inoteq Pty Ltd (Inoteq) for work on a project. Following the completion of the work, Mobius Group sent Inoteq two invoices for payment between 27 March 2022 and 4 April 2022.
Mobius Group and Inoteq were both unaware that an unidentified third party (the Fraudster) had gained access to an email account belonging to a director of Mobius Group responsible for issuing invoices to Inoteq. Whilst there was not sufficient evidence to determine the exact state of Mobius Group’s computer systems’ security, there were indications of a lack of email security hardening for the domain name Mobiusgroup.com.au. On 28 April 2022, the Fraudster sent Inoteq an email from the Mobius Group email, informing Inoteq that Mobius Group had a new bank account and instructing Inoteq to make payment to the new bank account.
On receipt of the Fraudster’s email from Mobius Group’s account, Inoteq attempted to telephone Mobius Group to verify the change to the bank details. Due to connection issues, Inoteq’s representative was unable to clearly hear the response of Mobius Group’s director, which was that they had not changed the bank account details. Inoteq then sent an email to Mobius Group’s director requesting confirmation of the change in bank details. The Fraudster, having intercepted the emails, responded to the enquiry confirming the change.
Acting on the instructions in the Fraudster’s emails, and believing that it was making payment to Mobius Group, Inoteq then paid $235,400.29 to the Fraudster’s account on 29 April 2022. Mobius Group did not receive this payment and commenced proceedings against Inoteq for recovery of the invoiced amounts.
The Western Australian District Court identified several issues for determination, two of which directly related to the terms of the New Supplier Information Agreement between the parties in relation to the project (Agreement). These were:
The Court also considered broader issues surrounding the suitability of the security measures implemented by both Mobius Group and Inoteq.
The Court found in favour of Mobius Group, finding that Inoteq was liable to pay the outstanding amount. The Court made the following key findings:
Inoteq argued that the Agreement required Mobius Group to indemnify Inoteq against all loss arising out of the performance or non-performance of the ‘services’ under the Agreement, and that the indemnity should be interpreted to cover the financial loss suffered by Inoteq due to paying the Fraudster.
Mobius Group argued that the indemnity did not extend to loss arising from the fraudulent acts of a third party, as the loss did not originate from the performance or non-performance of the defined 'services' in the purchase order.
Ultimately, the Court found that the security of Mobius Group’s email account was unrelated to the performance of the services. Rather, the Court held that the financial loss suffered by Inoteq arose from the intervening fraudulent act of a third party hacking the email account of Mobius Group’s director, not from Mobius Group’s performance of the services.
The Court reasoned that the indemnity could not be used to resist payment of a legitimate invoice and, thus, Mobius Group was not liable to indemnify Inoteq in accordance with the Agreement.
Inoteq argued that the fraudulent emails, sent from Mobius Group’s nominated email contact, constituted written notice of a change in bank account details under the Agreement and that Inoteq acted on this notice in good faith by paying into the new account.
Mobius Group contended that the notice clause prescribed the mode of communication for notices relating to the legal relationship between the parties, such as breach or termination notices, and did not confer a right on Inoteq to rely on any written communication to discharge its payment obligations.
The Court found that the Agreement seemed to intend that written notice be provided for matters affecting the rights of the parties, and the provision of bank details was not necessarily such a notice. Further, the Court noted that Inoteq itself had doubts about the legitimacy of the email, evidenced by the telephone call made to Mobius Group, and to accept Inoteq’s argument would not reflect the “commercial reality” of the situation and would potentially encourage other fraudsters.
Therefore, the Court held that the fraudulent emails did not constitute effective written notice to change the bank account details.
The Court considered evidence provided by an expert witness regarding “best practice” measures for cyber security. Whilst the Court suggested these measures may be acceptable generally, the Court could not make any determinative findings on the suitability of Mobius Group’s security measures as there was a lack of evidence as to the cost and practicability of implementing these measures within Mobius Group specifically. Rather, the Court concluded that Inoteq was in the best position to protect itself from the fraud by verifying the change in bank details, particularly after the inconclusive telephone call.
This case underscores the critical need for businesses to understand the nature of their contractual obligations and to implement robust security measures to protect against email fraud. Some tips for businesses include:
If you require assistance updating your contracts, resolving a payment dispute, or you’d like to discuss data protection policies or a data incident response plan for your business, Jackson McDonald can help. Our team of lawyers has extensive experience in contract management, dispute resolution and data protection.
This case note is for general information purposes only and does not constitute legal advice.