Thursday, January 30, 2025

Double check to avoid the trap of paying twice 

Criminal skills now include intercepting any email between seller and buyer and changing the details that are in the email and any attachment. Photo: Mikhail Nilov

Legal columnist HUGH SELBY looks at the dangers of being scammed while paying bills by email without first double-checking the banking details. Get it wrong and you could be paying twice!

If you send your bills by email, or if you have been paying bills received by email, then be warned.

Here are a few examples of pending sorrow. 

  • Following an inspection at the seller’s home or dealership, you decide to buy a second-hand car. The seller emails you their banking details. You pay by EFT.
  • You seek legal advice. You sign a hard-copy costs agreement. That agreement includes the law firm’s banking details. Following receipt of the legal advice, you receive an emailed tax invoice that includes banking details. You pay by EFT to the invoice banking details.
  • You and your partner plan an overseas trip with a reputable travel agency. By email you receive the booking details for travel, accommodation and pre-paid tours. Another attachment is their tax invoice, which includes banking details. You pay by EFT.

Sadly, criminal skills now include intercepting any email between seller and buyer and changing the details that are in the email and any attachment. The banking details, the phone contact for the seller, even the contact emails can all be changed before the (now fraudulent) email hits the buyer’s email inbox.

Neither seller nor buyer knows about the interception. The buyer pays in good faith – but to a bank account that has no connection with the seller.

The principle that will apply in most such cases is: the buyer has been scammed, but the seller is still entitled to be paid for their goods, advice or services, so the buyer will be paying twice.

However, “most cases” does not mean “all cases”. Sellers must take steps to ensure that they cannot be found to have induced a buyer to rely on some representation from the seller that will shift the loss to the seller. 

The convenience and trust that most of us may have had in emails and their attachments has gone. Instead, the prudent buyer, and seller, must assume that their emails and attachments can be hacked and altered.

Check before EFT

Do as follows: 

  1. If there is a written contract signed by the parties then it should include the banking and contact details to be used by the parties. In the legal advice example above the hard-copy costs agreement should include such details. It is those details, not any details in a later invoice, which govern the relationship between the parties.
  2. Because there is often no written agreement, just a spoken agreement as to what is to be done, by when, at what price, a buyer should not pay a seller’s invoice until they have verified the banking details with the seller (or the seller’s accounts person). This means either checking face to face at the seller’s business or checking by phone when the buyer is confident that they have the seller’s phone number. Having to go back and check like this is a hassle; however, better to be safe than very, very, sorry.
  3. Sellers who are using invoicing software should carefully check the software supplier’s terms and conditions. What, if anything, is said about the risk of the invoices being hacked and/or payments being made to scammer accounts? If anything is said it is likely to shift any risk away from the software supplier and on to you. Because you do not want to spend a lot of money in a court case chasing a scammed buyer who paid a hacked invoice on such a system (relying upon its apparent defences against scammers) be sure to require the buyer – in writing – to contact you (face to face, or by pre-agreed phone number) before they pay the invoice.
  4. If your invoicing – sending and paying – practices are anything other than very straightforward and infrequent, then seek accounting/legal/cybersecurity advice about what practices you and your staff should be following.
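One way to turn the column's rule into a payment gate, as an added Python illustration that is not part of the column: the details of record (signed contract or an earlier verification) decide, an invoice whose details differ is held until confirmed out of band, and a phone confirmation only counts if it used the number the buyer already held, not one printed on the possibly altered invoice. The company names, account numbers, phone numbers and the record structures are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class BankDetails:
    bsb: str       # Australian branch code; all values used with this are constructed
    account: str

@dataclass
class PayeeRecord:
    """Details that govern: from the signed contract or an earlier verification."""
    name: str
    details: BankDetails
    agreed_phone: str  # number the buyer already held before any invoice arrived

@dataclass
class Invoice:
    """What the emailed PDF says; any of these fields may have been altered in transit."""
    payee_name: str
    amount: float
    details: BankDetails
    contact_phone: str

@dataclass
class Verification:
    """Out-of-band confirmation the buyer obtained before paying (assumed structure)."""
    method: str               # "in_person" or "phone"
    phone_used: Optional[str]
    confirmed: BankDetails    # the details the seller actually stated

def payment_decision(record: PayeeRecord, inv: Invoice,
                     ver: Optional[Verification] = None) -> Tuple[str, str]:
    """Return ("PAY" | "HOLD" | "REJECT", reason) for an EFT to the invoice's account."""
    if inv.details == record.details:
        return "PAY", "invoice matches the banking details of record"
    # Details differ from the contract: the classic 'our account has changed' signal.
    if ver is None:
        return "HOLD", "details differ from record; confirm face to face or by pre-agreed phone"
    if ver.method == "phone" and ver.phone_used != record.agreed_phone:
        # A number printed on the invoice may itself have been altered by the interceptor.
        return "HOLD", "verify on the pre-agreed number, not one taken from the invoice"
    if ver.method not in ("in_person", "phone"):
        return "HOLD", f"unrecognised verification method {ver.method!r}"
    if ver.confirmed != inv.details:
        return "REJECT", "seller confirmed different details; treat the invoice as tampered"
    return "PAY", f"changed details confirmed by {ver.method}"
```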

Let’s be clear again – having to do this is a pain and a hassle. However, the plight of West Australian company, Inoteq, which has had to pay $191,000 twice, is such a dismal tale that the hassle seems necessary.

The case of Mobius Group Pty Ltd v Inoteq Pty Ltd was decided in Perth just before Christmas. Mobius had done work for Inoteq and invoiced them. A fraudster hacked Mobius’ email account and then sent Inoteq an email from the same email address telling Inoteq that Mobius’ bank details had changed. Payment was to be made to the scammer’s “new” account.

Inoteq called an expert who explained how the scam was performed. Everyone else should note:

  1. the PDF original invoice was likely modified with a PDF editor and then resent;
  2. it is possible to implement a system to prevent email impersonation, but the uptake to date in Australia is low; and,
  3. multi-factor authentication (MFA) should be required for email, banking, and all business-critical online services. However, it can be breached.

To “buyer beware” add, “…and sellers, too”.

Hugh Selby, a former barrister, is the CityNews legal affairs commentator. His free podcasts on “Witness Essentials” and “Advocacy in court: preparation and performance” can be heard on the best known podcast sites.
