
Back to basics – pick up the phone before you pay that invoice or you could find yourself the victim of an online scam. Photo: Wavebreakmedia.
Following a ground-breaking decision by a WA court, where both a payer and payee had not done enough to protect themselves, experts urge companies to review their systems and procedures to guard against online scams.
The District Court of Western Australia ordered utility system construction company Inoteq Pty Ltd to pay electrical contractor Mobius Group after Inoteq unwittingly sent $235,400 to a cyber scammer instead.
The scammer had hacked the email of a Mobius director and sent a fraudulent invoice with new bank details. Unable to confirm the new details over the phone due to a bad connection, Inoteq settled for confirming via an email, to which the scammer replied.
Mobius recovered about $43,000, leaving it out of pocket by about $190,000. But the court found Inoteq had not done enough to protect itself.
Snedden Hall and Gallop director Gerald Santucci says despite the ruling, liability in complex cases like these will likely be judged on a case-by-case basis. But businesses should view it as a cautionary tale.
“I think at the very least this case proves that businesses are not automatically liable for losses stemming from third-party fraud. In making any payment, the onus is shared between sender and recipient,” Mr Santucci says.
“Businesses must be hyper-vigilant when making payments and work harder than they have to verify the authenticity of those payments.”
But while Mobius won its case, Mr Santucci says companies issuing invoices should equally ensure they’re doing their part to protect clients by providing instructions on how best to verify the legitimacy of their requests. That might mean “going back to basics”.
“In our firm we have a policy – we’ll send invoices with bank details via an online portal, but in our correspondence we instruct clients to call us and speak to the front desk to confirm the bank account details before making payments,” he says.
“If they don’t do that and the money doesn’t arrive, we’d argue we’re not liable. It hasn’t happened yet, but technology is skyrocketing and sometimes the best way to stay out of the crosshairs is to go back to basics. Pick up the phone.”

Allinsure account executive Jessica Waldron says social engineering cover is becoming increasingly standard. Photo: Thomas Lucraft.
But if both parties take every precaution and the worst still comes to pass, what then? That’s where insurance may come in.
Social engineering insurance has traditionally been offered on an opt-in basis under the cyber security insurance banner. But Allinsure account executive Jessica Waldron says it’s becoming increasingly standard.
“I think that reflects the fact that this kind of cyber fraud is increasing and protection is more and more critical for businesses,” she says.
“In an insurance policy it’s usually called Social Engineering or sometimes ‘Invoice Manipulation’.”
Ms Waldron says in the Inoteq versus Mobius case, the right policy could have covered the defendant for its loss. Had the ruling gone the other way, a newer kind of cover would have taken care of Mobius.
“The name can vary but it’s generally called ‘Third Party Loss’ and covers losses for the business whose system is hacked,” she says.
In an ever-evolving cyber landscape, choosing the right cyber insurance can be daunting.
Ms Waldron says asking yourself some simple questions will take you part of the way.
“Check first what’s standard and what’s optional, and ensure you’ve opted into the cover you want,” she says.
“When deciding on your cyber insurance, it’s important to look at the sub-limit offered and review that against your regular payments. If you’re regularly making payments of over $100,000, an appropriate limit would be above that.
“As always, different insurers have different levels and inclusions in their cover and it can get overwhelming. If there’s even the slightest doubt, the right advice from a broker could end up saving you big.”
For more information contact Allinsure.