
Invoice fraud: Who pays when scammers strike?

A common form of cyber-fraud perpetrated against unsuspecting businesses is supply chain invoice fraud leading to misdirected payments.

We discuss below:

  • the nature of the problem;
  • the general law position – payer beware;
  • why suppliers may still be at risk;
  • what suppliers can do;
  • what payers can do.

The problem

The fraudster gains access to the IT environment of a supplier business and uses that access to try to redirect payments for invoices genuinely and properly issued by the supplier to a bank account controlled by the fraudster.

The fraudster may do this by tampering with payment details on an invoice and/or by sending email communications from the email accounts of relevant employees of the supplier advising of/confirming changed payment details.

The fraudster can take steps to ensure that the relevant employees are not alerted to these fraudulent communications, for example, by activating email account rules which ensure that the communications do not appear in inboxes or feature in notifications.

If the paying business does not have proper administrative controls to verify payment details, or those controls are not observed for some reason, payment could be made to the fraudulent account. This may not come to light until some time later when the supplier follows up on the unpaid invoice, by which time the money is long gone.
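The hidden-rule step above is one that a supplier can check for directly. The following is an added illustration (not code from the article or the firm): it audits a constructed set of mailbox rules for the patterns described, rules that keep payment-related mail out of the inbox or its notifications, or forward mail outside the organisation. The rule fields, folder names, keyword list and the internal domain `supplier.example` are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed: the supplier's own mail domain, used to spot external forwarding.
INTERNAL_DOMAIN = "supplier.example"
# Assumed lists: folders where a moved message is unlikely to be noticed, and
# words that typically appear in payment-details correspondence.
OBSCURE_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}
PAYMENT_TERMS = ("invoice", "payment", "bank", "remittance", "account")


@dataclass
class MailboxRule:
    """A simplified, constructed view of a user mailbox rule."""
    name: str
    keywords: Tuple[str, ...]          # subject/body words the rule matches on
    move_to: Optional[str] = None      # destination folder, if the rule moves mail
    delete: bool = False
    mark_read: bool = False
    forward_to: Optional[str] = None   # address the rule forwards copies to


def audit_rule(rule: MailboxRule) -> List[str]:
    """Return the reasons a rule looks like it hides or diverts payment mail."""
    findings: List[str] = []
    keeps_out_of_inbox = rule.delete or (
        rule.move_to is not None and rule.move_to.lower() in OBSCURE_FOLDERS
    )
    payment_related = any(
        term in word.lower() for word in rule.keywords for term in PAYMENT_TERMS
    )
    if payment_related and keeps_out_of_inbox:
        findings.append("payment-related mail is kept out of the inbox")
    if payment_related and rule.mark_read:
        findings.append("payment-related mail is marked read, so no notification")
    if rule.forward_to and not rule.forward_to.lower().endswith("@" + INTERNAL_DOMAIN):
        findings.append("mail is forwarded to an external address: " + rule.forward_to)
    return findings


def audit_mailbox(rules: List[MailboxRule]) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its findings; clean rules are omitted."""
    return {r.name: audit_rule(r) for r in rules if audit_rule(r)}


# Constructed sample rules: one benign, two of the kind the article describes.
SAMPLE_RULES = [
    MailboxRule("Newsletters", ("newsletter",), move_to="Newsletters"),
    MailboxRule("Payment queries", ("invoice", "bank details"),
                move_to="RSS Subscriptions", mark_read=True),
    MailboxRule("Copy", (), forward_to="accounts.copy@mail.example"),
]
```

In practice the rule records would be exported from the mail platform's administration interface and the audit run on a schedule, with any finding treated as a possible account compromise.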

When this happens who foots the bill? Is the payer business still liable to pay the supplier for the goods or services it has supplied even though it is a victim of the fraudulent communications, which were only possible because the supplier’s IT system was compromised? What can businesses do to guard against and mitigate the consequences of this type of risk?

Payer beware – the general law position

The starting point is that the supplier has not been paid and the payer business remains liable to pay the supplier. A number of legal cases discuss the relevant principles and provide guidance on what businesses can do to protect themselves. The most recent of these is Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114, a decision of the Supreme Court of Western Australia in late 2024. The Court in that case also considered the earlier Queensland case of Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239.

In each of the above cases the Court found that the payer business remained liable to pay the supplier. In the circumstances of those cases the supplier was found not to owe any duty of care to the payer business. While there were vulnerabilities in the supplier’s IT systems and steps that the supplier could have taken to prevent the fraud (such as two-factor authentication for email accounts), the payer was able to readily protect itself by ensuring that the changed payment details were independently verified by telephone. The Court found that the payer was not sufficiently vulnerable to warrant the imposition of a duty of care upon the supplier.

But suppliers may still be at risk

It is important to note that the outcome could be different in other circumstances, as the sophistication of this kind of fraud evolves (for example through the increased use of AI tools) and as general expectations of appropriate cyber security controls rise. For example:

  • what if a supplier business was on notice that IT account(s) may have been compromised?
  • terms and conditions of trade may modify the rights of the parties in the case of such a fraud;
  • what if the fraudster initiated a telephone call apparently from the relevant supplier employee using voice impersonation technology to “confirm” the change in payment details?

Of course, even if a supplier is legally entitled to be paid when the payer business falls foul of this kind of invoice fraud:

  • commercial considerations might require the supplier to bear some or all of the loss, in order to maintain a valuable commercial relationship with the payer business;
  • the supplier may suffer broader reputational loss and loss of trust from its customers.

The supplier may also be exposed to other risks because of the compromise of its IT environment, such as denial of service or the theft/disclosure of personal or commercially confidential information, as well as investigation, containment and remediation costs. It is also possible that, via the supplier, the fraudster could obtain access to the IT systems of the supplier’s customers, thus in turn compromising the payer’s systems.

What a supplier can do

From the supplier’s perspective the most obvious protection is to have in place cyber security controls in line with good industry practice. Depending on the relative size of the supplier and the payer business there may be specific cyber security standards that the supplier is contractually required to meet and failure to do so may result in financial liability to the payer and/or enable the payer to terminate its contract with the supplier.

If commercially practicable, a supplier could further protect itself by including terms such as the following in its terms and conditions of trade:

  • a requirement that customers take all necessary steps to verify payment details;
  • a provision that any payment made by the customer to an incorrect account will not amount to payment to the supplier for any purpose;
  • an appropriate release from liability in respect of such a payment.

If a supplier becomes aware of an invoice fraud targeting its customers and other payers it should consult with its legal advisers about commissioning an investigation protected by legal professional privilege.

What a payer can do

From the payer/customer perspective the most obvious step is to ensure that it has in place and follows a strict invoice verification policy, which should include customer-initiated telephone or in-person verification of payment details.

The customer should, where practicable, include in its terms of trade, terms such as the following:

  • requirements for suppliers to have in place good industry practice cyber security controls;
  • requirements for suppliers to give prompt notification of any cyber incident or system compromise;
  • specific indemnities from the supplier in relation to any loss that is caused or contributed to by a failure on the part of the supplier to have in place or observe adequate cyber security controls.

Other prudent steps to guard against the risk of loss due to wrong payment details, and supply chain cyber security risks generally, include having in place due diligence processes for on-boarding suppliers and for monitoring their cyber security practices thereafter.

If a payer finds itself a victim of supply chain invoice fraud it should obtain legal advice at the outset to establish its legal position and be able to take appropriate forensic investigatory steps to obtain evidence of how the fraud occurred and the extent to which the supplier’s security controls were inadequate.

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

Our Cyber and Information Security Expertise

DMAW Lawyers has you covered when it comes to identifying your legal obligations, assessing risk and exposure, and putting in place strategies to manage legal risks and meet regulatory obligations, whether that be:

  • digital information security obligations and protections in your supply chain contracts;
  • privacy, data breach assessment, incident response and notification laws;
  • on-boarding and off-boarding processes; or
  • fit for purpose employment contracts and digital security policies.


Cyber Alliance Group

The Cyber Alliance Group is a collaboration between DMAW Lawyers, Comunet and Digital Trace Australia to provide comprehensive cyber security advice and services to business.

Whether you are responding to a cyber security incident or are looking to proactively enhance your cyber security processes and governance, we can provide a range of services that will enable you to re-focus your attention where it’s needed – your business.
