27 June 2022

Who wears the cost if you pay an invoice into a clever hacker's account?

John Coleman

Email scams are becoming far more elaborate. Photo: Stephen Phillips.

It’s the ultimate hit-in-the-guts moment.

You’ve just had a call from a business telling you they’re still waiting for payment. The issue? You made the bank transfer a few days ago.

Where did it go?

There’s a very good chance it’s gone straight into the accounts of a hacker. You’ve fallen victim to a sophisticated email scam – where an invoice is intercepted and then replaced with an email mimicking the company’s invoice.

It’s not your average scam email flashing “You’ve won a new iPad and a trip to the Maldives” – you’re fully expecting that invoice! The normal red flags that might be raised by awkward spelling don’t immediately go up.

MV Law’s partner in dispute resolution Alisa Taylor says these types of scams are happening at an alarmingly increasing rate.

“I know lots of business owners who’ve had this happen to them,” she says. “People are sometimes losing hundreds of thousands paying an invoice where the invoice has been intercepted and the bank account details have been changed. It’s not unusual – and it’s absolutely increasing.”

She says the scammers are also getting smarter.


“It used to be that you’d get hacking emails and it’d be pretty obvious that it’s not real. The language would be pretty strange. The sophistication of the hacking is very much increasing.”

Unfortunately, what happens next isn’t simple. You can call the bank immediately to stop the transfer – but in many cases, it’s simply too late. Alisa says it’s common in situations where the money is not retrievable for both parties to sit down and negotiate.

But last month, one such situation made it all the way to the ACT Civil and Administrative Tribunal after a Canberra company paid a scam invoice. The intended recipient then took action to recover the debt.

The tribunal decided that, regardless of at whose end the hacking occurred, it was the payer’s responsibility to ensure the invoice was accurate and the debt was paid.

Alisa says in a situation where the issuer of the invoice is compromised because they have poor cybersecurity, you can argue it’s negligence on their part. But she says courts are reluctant to find a duty of care is owed to prevent loss of money.

So with ultimate responsibility resting on you to pay the correct invoice, what can you do to ensure you don’t lose thousands of dollars in such a trap?

Alisa says businesses can first check whether they’re insured against these losses.


Alisa Taylor is partner at MV Law. Photo: Meyer Vandenberg.

In business-to-business transactions, ensure your contract states from the get-go who bears responsibility in such a situation. But as a customer, you’ll probably find the contract favours the supplier.

“This doesn’t stop the problem, it just forces someone else to be responsible for it,” Alisa says.

To stop the problem, double-check who you’re paying.

Alisa suggests independently finding the company’s phone number and ringing to confirm the details before authorising payment.


“It’s just a quick phone call to ring up and say: ‘are these your bank details?’. Even in your personal life! I’ve taken this case on board when I had to pay for some curtains. It’s a lot of money, because curtains are expensive – I rang the curtain people and said I want to check.

“She thought I was mad… but it’s important.”

She says it’s vital you don’t take the phone number from the invoice email itself.

“Sometimes the hacking is so sophisticated they even change the phone number. So if you ring the number on your invoice, you get the hacker who will be very happy to tell you the details are correct.”

Above all, ensure you – and your staff – are knowledgeable and have up-to-date cybersecurity systems. And always entertain the possibility that an invoice – even one you’re expecting that morning – could be fake.

After all, if you’re careful about what you purchase, be just as sure you know where the money goes.
