Business email compromise scam: Who bears the risks
An invoice has been issued to a customer for payment. On chasing up payment, the customer says that the invoice has already been paid. On further investigation, the account details in the invoice the customer received had been substituted by a scammer with the scammer’s account details. A scammer somewhere in the world has the money and the supplier remains unpaid.
Does the customer need to pay for the services again? Or is this the supplier's problem, such that unless they can find the scammer they will remain unpaid?
An endemic problem
The situation above is an increasingly common one. In the first three months of 2026, the National Anti-Scam Centre recorded 45,816 scam reports in Australia, with an estimated $76,703,589.00 in losses to scammers over this period.
Emails remain the most common method for scammers to make first contact.
For businesses, business email compromise scams (BEC scams) are a key concern. These are targeted attacks in which fraudsters impersonate trusted representatives to induce victims to transfer funds or disclose sensitive information. Such scams are often sophisticated, involving the compromise of email accounts, phishing attacks, or the spoofing of domain names and display identities to appear legitimate. Fraudsters frequently issue false invoices or notify counterparties of purported changes to bank account details.
Who is responsible?
A recurring legal issue following a BEC scam is whether, as described in the situation set out in the introduction, a supplier can recover the balance of an unpaid legitimate invoice from a victim who has already transferred funds to a fraudster.
Three cases have been published dealing with the issue, two from district courts and the other from a civil and administrative tribunal. Despite the prevalence of BEC scams, no superior court has determined the issues. Notwithstanding, the three cases do provide guidance and assistance as to how future matters will likely deal with the issues.
Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239 (Factory Direct)
In Factory Direct Fencing Pty Ltd v Kong AH International Company Limited, Factory Direct Fencing (FDF) entered into an agreement with Kong AH International (Kong) to purchase fencing products. FDF paid a 30% deposit, with the remaining 70% to be paid once the fencing products were received. Correspondence between FDF and Kong was conducted entirely over email. A fraudster impersonating Kong emailed FDF requesting the balance of the 70% once the fencing products landed in Australia, which FDF paid. Kong, having not been paid, refused to authorise the carrier to release the fencing products until it was paid the balance of the contractual sum.
FDF alleged that the fraud came about because one of Kong's emails was intercepted by a third-party fraudster, and that Kong owed it a duty of care not to allow third parties to intercept emails between it and FDF.
The Court rejected FDF's argument, finding that it would be impractical and costly to impose such a duty of care and that a purchaser in FDF's position was not vulnerable enough to warrant a duty of care arising. The Court ordered that FDF pay the balance of the contractual sum to Kong.
The Trustee for the DRB Group Act Trust v Canberra Hydraulic Engineering Services Pty Ltd (Civil Dispute) [2022] ACAT 30
In this case, Canberra Hydraulic Engineering Services Pty Ltd (Canberra Hydraulic) entered into an agreement with the DRB Group to purchase a machine. The DRB Group would supply a machine and send an invoice for the machine. Once paid, the machine could be collected by Canberra Hydraulic.
Subsequently, Canberra Hydraulic received an email from ‘SALES [email protected]’ which contained an invoice containing bank account details that did not belong to the DRB Group. The invoice was paid and the fraud was subsequently uncovered.
Ultimately, the Tribunal approached the case as a simple debt claim. It drew an analogy: if a debt was paid by cheque and that cheque was lost, the debt was not extinguished. The Tribunal found in favour of the DRB Group.
Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 (Mobius v Inoteq)
The most significant decision in this area comes from Mobius v Inoteq. In this case, Mobius Group Pty Ltd (Mobius) was an electrical engineering contractor that entered into an agreement with Inoteq Pty Ltd (Inoteq) to perform electrical works. Mobius issued invoices for its work. However, a fraudster gained access to Mobius' email account and sent Inoteq instructions to pay the outstanding invoices to a different bank account.
On receipt of the email, Inoteq called Mobius and asked Mobius' representative to confirm that the details were correct. However, Inoteq's representative could not clearly hear the answer. Inoteq proceeded to transfer the money without making a follow-up call. The money was not recovered, and Mobius sued Inoteq seeking payment of the outstanding invoices.
Several arguments were raised in the course of the proceedings.
First, Inoteq relied on an indemnity clause in the agreement as a defence, arguing that Mobius had indemnified it for losses arising out of performance or non-performance of the works, which included damages and financial loss. This argument was rejected. The Court construed the clause strictly and found that the indemnity only applied to the actions (or non-actions) of Mobius; it did not extend to the actions of a third-party fraudster.
Second, Inoteq argued that Mobius owed it a duty of care to take reasonable steps to prevent unauthorised communication from being sent from its email account. The Court rejected this argument on the basis that a determined hacker could (even with best practice IT measures in place) still gain access to Mobius’ email accounts. Importantly, the Court decided that Inoteq was in the best position to protect itself, and it should have made a further telephone call to confirm the supposed change in bank account details.
Third, Inoteq argued that the email from the fraudster constituted a valid notice under the Contract to change bank details. This argument was rejected on the basis that the email was sent by a third party and that Inoteq had doubts about the authenticity of the email (as evidenced by the initial telephone call).
Fourth, Inoteq argued that Mobius was a concurrent wrongdoer within the meaning of the Civil Liability Act (WA) 2002 and that any damages awarded should be reduced. The Court found that, as Mobius did not owe Inoteq a duty of care, it was not a concurrent wrongdoer and, as such, the question of apportionment did not arise.
Ultimately, the Court found in favour of Mobius.
Key takeaways
The foregoing demonstrates that, in the absence of an express indemnity relating to cyber-fraud, the onus is on the payer to establish that invoices and changes in bank account details are legitimate. The usual best practice of calling a supplier to confirm changes in banking details, or before payment is made, is apposite.
Conversely, however, payees or suppliers should not assume that every case involving BEC scams will be decided in their favour, particularly where a superior court has not provided a determination on the issue. The cases above were decided in matters involving arm's length commercial transactions. It is not hard to imagine other scenarios which fall outside this premise, for instance in a regulated industry where there are legislative competency or minimum standards which may create a foothold to argue the existence of a duty of care. Further, it could also be imagined that a business, aware of a data or technology breach but which had done nothing to mitigate its effects, could be found negligent where a BEC scam originated from the breach.
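A payment-run gate of the kind the takeaway describes, as an added example that is not from the article or any of the parties to the cases: it holds an invoice whenever the sender's domain differs from the vendor record, or the bank details differ from the vendor master without a logged phone confirmation. Vendor names, domains and account numbers are constructed values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed vendor master record (hypothetical values, not from the article).
# Holds the domain and bank details each supplier gave at onboarding.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "mobius": {"domain": "mobius.example", "bsb": "123-456", "account": "11112222"},
}


@dataclass
class InvoiceNotice:
    """An invoice or change-of-details email as received by accounts payable."""
    vendor_id: str
    sender_display: str       # display name shown by the mail client
    sender_address: str       # actual address the mail came from
    bsb: str
    account: str
    phone_confirmed: bool = False   # set only after a call to the number on file


def sender_domain(address: str) -> str:
    """Extract the domain part of an address; empty string if malformed."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    return m.group(1).lower() if m else ""


def payment_release_check(notice: InvoiceNotice) -> List[str]:
    """Return the reasons to hold payment; an empty list means release is permitted."""
    holds: List[str] = []
    vendor = VENDOR_MASTER.get(notice.vendor_id)
    if vendor is None:
        return ["unknown vendor: no master record to compare against"]
    # Spoofed or lookalike sender: catches the Factory Direct / DRB Group pattern.
    if sender_domain(notice.sender_address) != vendor["domain"]:
        holds.append("sender domain does not match vendor domain on file")
    # Compromised genuine mailbox (the Mobius pattern) passes the domain check,
    # so the bank-detail comparison must hold payment on its own.
    details_changed = (notice.bsb, notice.account) != (vendor["bsb"], vendor["account"])
    if details_changed and not notice.phone_confirmed:
        holds.append("bank details differ from vendor master and are not phone-confirmed")
    return holds
```

The phone confirmation flag is meant to be set by a person who called a number already on file, never one taken from the email under review.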