Invoice redirection fraud commonly occurs where a third-party fraudster intercepts tax invoices sent by email from one party to another, or where the fraudster impersonates a business and convinces an innocent party to redirect funds into an account set up by the fraudster. The fraudster either gains access to an email account or uses an email address that appears legitimate and is almost identical to that of a trusted business, and then requests that the invoices be paid into the fraudster's account.
Once the amount of the tax invoice is paid to the fraudster's bogus account, the question arises: who should have to bear the loss? The person/organisation who paid the funds into the fraudster's account, or the business whose tax invoice has not been paid?
The victim of the fraud is the party who has paid the funds into the wrong account.
Arguments can arise as to whether the victim of the fraud should wear the loss if the other party involved in the transaction failed to maintain adequate internet and administrative security measures, including but not limited to cyber security measures, which allowed the fraudulent alteration of the tax invoice to occur.
Determining how the fraud occurred may involve experts examining the computer from which the email was sent, the records of the service providers through whom the emails passed, and the computer which received the email.
There is limited authority in Australian Courts concerning the argument as to who is to wear the loss caused by the fraudulent third party.
In Factory Direct Fencing Pty Ltd v Kong AH International Company Limited  QDC 239 the Queensland District Court considered whether a duty of care was owed.
This case concerned whether a supplier of materials (defendant) owed a duty of care to the buyer of the materials (plaintiff) where a fraudulent email was sent impersonating the supplier of the materials and providing bank account details which were different to an account into which the buyer had previously paid for the materials supplied.
The Court considered that if such a duty of care were to exist it would be a novel one, and that a consideration of the salient features of the relationship was therefore necessary, including:
- The foreseeability of harm;
- The nature of the harm;
- The degree and nature of control able to be exercised by the supplier of the materials to avoid the harm;
- The degree of vulnerability of the buyer of the materials to harm from the supplier of the materials’ conduct, including the capacity and reasonable expectation of the buyer of the material to take steps to protect itself;
- The degree of reliance by the buyer of the material upon the supplier of the material; and
- Any potential uncertainty of liability.
In this case it was decided that although the economic loss ($130,000.00) to the buyer of the materials was foreseeable given the high rates of cybercrime of this nature, the buyer of the materials was almost entirely able to mitigate the loss by telephoning to confirm the correct bank information with the seller of the materials prior to making payment.
Moreover, the Court pointed out that if a duty were imposed on the seller of the materials to confirm each and every email it sent, to ensure that only current information was sent, it would present too broad a duty on the seller of the materials.
How this scenario would play out in other Australian jurisdictions or whether such an approach would be adopted by a higher Court remains unclear.
It is clear that businesses need to protect themselves from cybercrime.
One way to achieve some protection is to insist on two-factor authentication before making any payment (for example, email and telephone, or email and fax), so that bank details received by email are confirmed through a second, independent channel. A further way is to insure against the loss and the legal and other costs associated with cyber fraud.
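The second-channel check described above, and the comparison against the account previously paid that the Court relied on in Factory Direct Fencing, can be built into an accounts-payable release step. The following Python is an added example, not code from the article or from any of the parties it discusses: it holds a payment whenever the invoice's sender domain or nominated bank account differs from the vendor record on file, and releases it only once a confirmation has been recorded through a non-email channel using contact details that were already on file (never a number taken from the suspicious email itself). The vendor record, invoices, domains and phone numbers are constructed sample data.

```python
"""Payment-release gate for invoice redirection fraud (added example, constructed data)."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional


@dataclass
class VendorRecord:
    name: str
    email_domain: str      # domain the vendor is known to send from
    bsb: str               # bank details previously paid and verified
    account_number: str
    phone_on_file: str     # obtained independently of any incoming email


@dataclass
class Invoice:
    vendor_name: str
    sender_email: str
    bsb: str
    account_number: str
    amount: float


@dataclass
class Verification:
    channel: str           # "telephone" or "fax"; email is not acceptable
    confirmed_bsb: str
    confirmed_account: str
    contact_used: str      # the number actually dialled for the confirmation


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def assess_invoice(inv: Invoice, vendor: VendorRecord) -> list[str]:
    """Return the reasons the invoice must be held; an empty list means it matches the vendor record."""
    reasons = []
    dom = sender_domain(inv.sender_email)
    known = vendor.email_domain.lower()
    if dom != known:
        # A near-identical domain is the classic impersonation pattern, so call it out explicitly.
        lookalike = SequenceMatcher(None, dom, known).ratio() >= 0.8
        kind = "lookalike" if lookalike else "unknown"
        reasons.append(f"{kind} sender domain {dom!r} (vendor domain is {known!r})")
    if (inv.bsb, inv.account_number) != (vendor.bsb, vendor.account_number):
        reasons.append("bank details differ from the account previously paid")
    return reasons


def release_payment(inv: Invoice, vendor: VendorRecord,
                    verification: Optional[Verification] = None) -> tuple[bool, str]:
    """Decide whether a payment may be released, and why."""
    reasons = assess_invoice(inv, vendor)
    if not reasons:
        return True, "details match vendor record"
    if verification is None:
        return False, "HOLD: " + "; ".join(reasons)
    if verification.channel.lower() == "email":
        return False, "HOLD: confirmation must use a channel other than email"
    if verification.contact_used != vendor.phone_on_file:
        return False, "HOLD: confirmation used a contact not on file"
    if (verification.confirmed_bsb, verification.confirmed_account) != (inv.bsb, inv.account_number):
        return False, "HOLD: confirmed bank details do not match the invoice"
    return True, "released after out-of-band confirmation; update vendor record"


# Constructed sample data (not real businesses, domains or accounts).
SAMPLE_VENDOR = VendorRecord("Sample Fencing Supplies", "samplefencing.example",
                             "123-456", "11111111", "+61 7 0000 0000")
GENUINE_INVOICE = Invoice("Sample Fencing Supplies", "accounts@samplefencing.example",
                          "123-456", "11111111", 12500.00)
# Same supplier name, one-letter domain change, new bank account: the redirection pattern.
SUSPECT_INVOICE = Invoice("Sample Fencing Supplies", "accounts@samplefencinq.example",
                          "987-654", "22222222", 12500.00)

if __name__ == "__main__":
    print(release_payment(GENUINE_INVOICE, SAMPLE_VENDOR))
    print(release_payment(SUSPECT_INVOICE, SAMPLE_VENDOR))
    phone_check = Verification("telephone", "987-654", "22222222", "+61 7 0000 0000")
    print(release_payment(SUSPECT_INVOICE, SAMPLE_VENDOR, phone_check))
```

The gate deliberately treats the phone number on file, not any number printed in the invoice email, as the only acceptable contact for the confirmation call; a fraudster who controls the email thread can supply a "verification" number just as easily as new bank details.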