Dodging digital thieves: The costly mistake businesses keep making

Sarah Gee

Scammers are out there, and they want your money. The bad news? They’re getting better at it. The worse news? They might already be lurking in your inbox or those of your customers or suppliers. Scam invoices are absolutely prolific and have become quite the lucrative business model. The ACCC says there were 39,587 email scams in 2023.

If you’ve ever tried to sell something on Facebook Marketplace, you know how many hackers are online. Some of them are easy to spot but it is getting harder.

Sophisticated scams can involve fake ABNs and business social media profiles. Hackers can also gain access to existing social media profiles and bait customers through an otherwise genuine-looking business. Business email compromise scams are still happening constantly. It is clearly a deficiency of our banking system that there is no central register to verify a bank account.

Most of us are used to the warnings to call and verify bank details by phone before paying an invoice to avoid losing our money. Despite this, I still speak to a few people a month who have paid the wrong contractor, or who have an elderly relative who paid a fake invoice, and want to know what to do. Many of them put it down to learning an expensive lesson about the importance of picking up the phone before you pay!

One example from March 2022 made its way to the WA District Court, which resolved a dispute between two businesses over who was liable for $235,400 that was paid to the wrong account.

Picture this: You’re a business owner. You send an invoice for $235,400. You wait for payment. Days pass. Ten of them, in fact. You follow up. ‘What do you mean? We’ve already paid you,’ they say. That’s when your stomach drops…

Mobius and Inoteq and the case of the missing $235,400

Mobius Group was a subcontractor to Inoteq, and together they worked on a Rio Tinto project.

In March and April 2022, Mobius emailed Inoteq invoices for $235,400. However, a hacker entered Mobius’ email systems and changed the outgoing email with the invoices to provide new (scam) bank details.

Inoteq called Mobius to confirm the change to bank details, but there was a poor phone connection, so they sent a follow-up email requesting proof of the account change.

The scammer replied with a letter on Mobius’ letterhead as the “proof.”

A week and a half later, Mobius chased the overdue payment and unearthed the scam. Police were called and while $43,541 was recovered, the rest had been sent overseas.

Mobius sued to get their money from Inoteq, which had paid it to the scammer. They argued that Inoteq failed to take reasonable care to verify the change. Inoteq argued that Mobius failed to take reasonable care to protect their email systems.

The judge ruled that had Inoteq taken the reasonable step of verifying by phone, the email compromise would have been discovered. And having failed to protect itself against vulnerability, Inoteq was ordered to pay the remainder of the $235,400 plus 6% interest per year.

There was a clause in the contract between them that attempted to make Mobius liable for lost amounts. But the court did not agree that the clause extended to this situation.

Sorry Gen Y, Gen Z, Alphas… You’re gonna have to make a phone call

Prior to this case, we didn’t have any court guidance about how these matters would be treated. We can now see the importance the courts will place on phoning to verify bank details and how important that step is in the process if you want to protect yourself.

The Senate Economics Legislation Committee is now reviewing the Scams Prevention Framework Bill 2024. The Bill proposes changes to the law around who has to do what to prevent payment scams, along with “serious civil penalties” for companies which fail to protect customers. They are particularly looking at the role of social media companies and banks in preventing these scams.

Next time you’re about to pay an invoice, stop and ask yourself: have I actually spoken to this person, or am I about to donate to a scammer’s retirement fund? Many of our clients now put their account details into their terms and conditions or contracts and guarantee that they won’t be changed.

For me, I make sure that everyone in my business calls before we pay and that we recognise the voice of the person we are paying money to. The more layers of protection the better – voice verification is of course not foolproof either. (Did anyone else see the case of the woman who thought she was dating an AI version of Brad Pitt?!) I have some other tips and tricks that I won’t publish on the internet and risk giving hackers a ‘how to’ guide on how to scam me.