How directors can manage payment fraud and scam risks

Monday, 01 September 2025

Jessica Tsiakis
Partner, Holding Redlich

    Payment fraud is on the rise and directors are responsible for unverified transfers, write Holding Redlich partner Jessica Tsiakis and senior associate Gemma Hannah.


    Australian businesses reported losses of $29.5m from payment fraud in 2023, with false billing accounting for $11.8m (ACCC Targeting Scams report). While losses fell to $7.9m in 2024 — attributed to efforts by the National Anti-Scam Centre — businesses continue to face significant financial risks, especially from increasingly sophisticated fraud tactics.

    The Scams Prevention Framework Act 2025 is now in force and reshaping the legal landscape for Australian companies caught up in scams. A recent court decision has reinforced that companies are responsible for verifying the payment details they receive and that failing to do so can be costly.

    In a recent decision handed down by the Western Australian District Court in Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114, civil engineering company Inoteq was ordered to repay more than $190,000 to Mobius Group, an electrical contractor, after Inoteq was duped into paying a fraudulent invoice.

    The case: What went wrong

    Mobius, an electrical contractor, was engaged by Inoteq on a Rio Tinto project. After work was completed, Mobius issued invoices totalling $235,400 in 2022. Before payment was made, a hacker gained access to Mobius’ email account and sent fraudulent emails requesting Inoteq to update Mobius’ bank details. Inoteq, unable to reach the contractor by phone, sought confirmation via email. The hacker provided fraudulent proof and Inoteq proceeded with payment. Discovering the fraud, Mobius contacted police and the bank, which recovered only part of the funds. It then sought repayment on the basis that Inoteq had not fulfilled its contractual obligation to pay the invoices.

    The court held that while Inoteq had taken some steps to verify the account change, relying on an email response rather than a follow-up phone call was inadequate. It found in favour of Mobius in the sum of $191,859.16 plus interest.

    How directors can protect themselves

    Such scams are becoming a regular feature in the business landscape. ACCC data shows a recent surge in false billing scams, with reported cases increasing from 13,120 in 2020 to 39,587 in 2023.

    A Bendigo Bank case in 2024 illustrated just how costly a payment redirection scam can be, with one business narrowly avoiding the loss of $938,600 after unknowingly transferring funds to a criminal account. The bank recovered most of the funds, but the case highlights how easily legitimate email accounts can be compromised.

    Phishing and investment scams are also increasing in sophistication. In 2024, phishing was the second most commonly reported scam among small businesses. Investment scams, while fewer in number, caused the highest losses per incident ($945m reported lost).

    What boards can do

    With new legal obligations in place (businesses that don’t meet their obligations under the framework can be fined up to $50m) boards must take an active role in protecting their organisation.

    While most billing scam losses fall on the company, those directors who fail to act proactively — especially now the law explicitly recognises scam prevention duties — face increasing regulatory scrutiny and legal exposure. Here are five ways directors can mitigate the risk:

    Provide additional staff training: Ensure all staff are trained in handling suspected fraud. Programs in the market and in-house sessions provided by financial institutions can be used to improve awareness and resilience.

    Use proper verification systems: Businesses are not automatically liable for losses caused by third-party fraud, particularly if the target could have done more to verify the payment instructions. Therefore, businesses should implement multi-layered verification protocols.

    Review contractual terms: Businesses should establish clear contractual terms that stipulate the conditions under which payments can be made — and review third-party agreements.

    Get appropriate insurance: Given the sophistication of modern scams, it makes sense to secure policies that specifically address cyber and payment fraud risks. This can mitigate the impact of losses even the most fortified risk management frameworks might not entirely prevent.

    Ensure active oversight: The Act’s stringent obligations mean directors can’t rely solely on middle management or IT to safeguard the organisation. Directors must ensure comprehensive scam-prevention measures are in place and that periodic reviews are conducted to assess their effectiveness. Proactive engagement in risk management is now a critical part of the board’s fiduciary duties.

    Additional insights

    Strategic leverage in broader business initiatives: Compliance with the Act can serve as a competitive differentiator. Organisations demonstrating robust fraud-prevention mechanisms can be viewed more favourably by investors, customers and regulators.

    Alignment with global best practice: Boards can capitalise on this by benchmarking their existing measures against international standards, ensuring the company not only complies with local legislation, but is well-positioned to compete in an interconnected global market.

    Data-driven decision-making: With mandated reporting to the ACCC, organisations need to develop data analytics capabilities that provide real-time insights into potential fraud. Directors can leverage advanced analytics, machine learning and AI to detect anomalies in payment processes.

    The lesson from Mobius v Inoteq is clear. Directors cannot assume cyber scams are someone else’s problem. Scam prevention must now be seen as part of good corporate governance.

    Additional author: Gemma Hannah, senior associate, Holding Redlich.

    This article first appeared under the headline 'Jamming the scammers' in the September 2025 issue of Company Director magazine.  
