Mobius Group Pty Ltd v Inoteq Pty Ltd

[2024] WADC 114

20 DECEMBER 2024


JURISDICTION:   DISTRICT COURT OF WESTERN AUSTRALIA

IN CIVIL

LOCATION:   PERTH

CITATION:   MOBIUS GROUP PTY LTD -v- INOTEQ PTY LTD [2024] WADC 114

CORAM:   MASSEY DCJ

HEARD:   9-11 SEPTEMBER 2024

DELIVERED:   20 DECEMBER 2024

FILE NO/S:   CIV 3520 of 2022

BETWEEN:   MOBIUS GROUP PTY LTD

Plaintiff

AND

INOTEQ PTY LTD

Defendant


Catchwords:

Third party fraud - Negligence - Duty of care - Economic loss from fraudster's interference in email communications - Duty of care to maintain security of email account - Indemnity - Civil Liability Act 2002 (WA) - Concurrent wrongdoers - Contract - Notice provisions

Legislation:

Civil Liability Act 2002 (WA)

Result:

Judgment for the plaintiff

Representation:

Counsel:

Plaintiff : Mr S C M Wong
Defendant : Mr J C Yeldon

Solicitors:

Plaintiff : Arns & Associates
Defendant : Huggins Legal

Case(s) referred to in decision(s):

Andar Transport Pty Ltd v Brambles Ltd (2004) 217 CLR 424

Caltex Refineries (Qld) Pty Ltd v Stavar [2009] NSWCA 258

CSR Ltd v Adecco (Australia) Pty Ltd [2017] NSWCA 121

Davis v The Commissioner for Main Roads (1967) 117 CLR 529

Factory Direct Fencing Pty Ltd v Kong AH International Company Ltd [2013] QDC 239

Samways v Workcover Queensland [2010] QSC 127

MASSEY DCJ:

Introduction

  1. The plaintiff is an electrical instrumentation and control systems engineering consultant and installation contractor.

  2. In about January 2022, the plaintiff entered into an agreement with the defendant (the agreement) whereby the plaintiff agreed to perform electrical works on the Rio Tinto managed aquifer reinjection scheme project for the defendant.  As part of the agreement the defendant agreed to pay the plaintiff a fee for the work provided.

  3. The agreement, at least in part, included terms contained in a document headed New Supplier Information Form (the New Supplier Information), dated 11 January 2022, and in Purchase Order PO28001125 (the Purchase Order), issued on 18 February 2022.

  4. The plaintiff did the work pursuant to the agreement.  In March 2022 an invoice was rendered and paid.

  5. Invoice 1105, in the amount of $200,687.59, was rendered by the plaintiff to the defendant on 27 March 2022, with a due date for payment of 26 April 2022.  On 4 April 2022 Invoice 1107 was rendered by the plaintiff to the defendant in the amount of $34,712.70, with a due date for payment of 4 May 2022. 

  6. Invoice 1105 was not paid by the due date and on 28 April 2022 the plaintiff sent a reminder by email. 

  7. The defendant responded by saying that it had received the invoices, had actioned them and would be completing its payment run the following day. 

  8. Without the knowledge of either the plaintiff or the defendant, an unknown third party (the fraudster) gained access to the plaintiff's email account.  On 28 April 2022 the fraudster sent an email from the plaintiff's email account to the defendant (the fraudulent email) telling it to correct the details of its bank address in the earlier invoices as it said the plaintiff's bank details had changed.  That email attached an invoice with the purported new bank details (the fraudulent invoice).

  9. The defendant paid the sum of $235,400.29 to the account nominated by the fraudster on 29 April 2022. 

  10. That amount of money was sent to a bank account in the name of an unsuspecting individual which had been set up by the fraudster.  The money paid by the defendant was then sent overseas. 

  11. Upon the fraud being discovered the police were notified and the bank contacted.  The bank was able to recover the sum of $43,541.13. 

  12. The plaintiff has not received payment of the sum of $191,859.16.

  13. The above recitation of the background of this matter is not in dispute between the parties and I make findings of fact in those terms.

  14. On 18 August 2022 the plaintiff issued a writ for payment of the amount owing. 

  15. The trial of the matter took place between 9 September 2024 and 11 September 2024.

  16. Ultimately this trial is about whether or not the defendant is liable to pay the sum of $191,859.16 to the plaintiff.

Issues on the pleadings which were abandoned or were not the subject of evidence

  1. There were several issues raised on the pleadings which were not the subject of evidence or which were abandoned during the trial.

  2. Paragraph 13 of the statement of claim alleged that the defendant failed to take reasonable steps to provide the plaintiff with access to the site where the services were required to be performed in breach of the agreement and that, as a consequence, it suffered loss and damage.  No evidence at trial was led in relation to this issue nor as to any loss and damage suffered by the plaintiff.  To the extent that I need to, I dismiss that part of the plaintiff's claim.

  3. In its amended defence the defendant alleged that the plaintiff breached cl 5.1 of the New Supplier Information by failing to put security arrangements and access controls in place to prevent unauthorised emails being sent from the plaintiff's email account (at par 4(e) of the amended defence and par 3 of the counterclaim).  During the course of his opening counsel for the defendant abandoned that contention (ts 24).  That issue is therefore not one which I need to determine.

The issues for determination

  1. There are essentially four issues which I need to determine in this matter.  They are as follows:

    (a) Issue 1: is the plaintiff liable to indemnify the defendant pursuant to cl 10.1 of the New Supplier Information?;

    (b) Issue 2: did the plaintiff owe the defendant a duty of care to avoid economic harm to the defendant arising from an unauthorised communication sent from the plaintiff's email account and, if so, was the plaintiff in breach of that duty?;

    (c) Issue 3: did the emails sent by the fraudster on 28 April 2022 constitute effective written notice to change the plaintiff's bank account details pursuant to cl 1.7 of the New Supplier Information?; and

    (d) Issue 4: if the plaintiff breached any duty of care, should its liability be limited under the Civil Liability Act 2002 (WA) (the Act)?

Documents constituting the agreement

  1. There was some dispute on the pleadings as to what precisely constituted the contract.  That is not a dispute which I need to resolve because the terms relevant to this dispute are contained in the New Supplier Information and the Purchase Order, which was issued on 18 February 2022.  It is accepted by both parties that those documents contain the terms relevant to this dispute.

The evidence at trial

  1. A number of documents were tendered during the course of the trial.  Additionally, I heard oral evidence from Mr Ryan Harrington (Mr Harrington) on behalf of the plaintiff.  Mr Harrington is the director and lead engineer at the plaintiff and is a qualified chartered professional engineer and a qualified electrical contractor and a qualified electrician.  The defendant also called an expert witness, Mr Daniel Streefkerk.

Relevant documentary evidence

  1. The fraudulent email was sent on 28 April 2022 at 11.20 am.  The body of the email reads as follows:

    Please correct the details of our bank address in invoice sent earlier to the attached invoice as our bank details have changed.

    Kindly pay attention and update your records.

    Please acknowledge receipt of this email.

    Thank you

    Ryan Harrington Director

    MIE(Aust), CPEng, NER, CEC Accredited, [redacted]

  2. On 28 April 2022 an employee of the defendant telephoned Mr Harrington (the telephone call).  I will refer to this call further in due course. 

  3. After the telephone call occurred, the defendant sent an email on 28 April 2022 at 12.11 pm to Mr Harrington (the Accounts Payable email).  The text of that email is set out below:

    From: Accounts Payable Inoteq [redacted]

    Sent: Thursday, 28 April 2022 12:11 PM

    To: Ryan Harrington; [redacted]

    Cc: Stefan Grabs

    Subject: RE: Reminder: Invoice 1105 from Mobius Group Pty Ltd

    Hi Ryan,

    Apologies for the issue with the call as we are currently experiencing difficulties with our line.  Before we can update your bank details in our system, could we please kindly ask for any substantiation you may have regarding the change (e.g. notice letter, bank details on a letterhead)?

    Thank you!

  4. At 12.47 pm on 28 April 2022 an email from Mr Harrington's email address was sent to the defendant (the second fraudulent email).  The text of that email reads as follows:

    From: Ryan Harrington [redacted]

    Sent: Thursday, 28 April 2022 12:47 PM

    To: Accounts Payable Inoteq

    Subject: Re: Reminder: Invoice 1105 from Mobius Group Pty Ltd

    Hello, attached is a letterhead stating the change of bank details.

    Thank you

    Ryan Harrington Director

    MIE(Aust), CPEng, NER, CEC Accredited, [redacted]

  5. The attachment to the email (the fraudulent letter) is copied below: 

    MOBIUS GROUP CHANGE OF BANK DETAILS

    Dear Valued Customer,

    We are changing Banking details.

    Please be advised our banking details have changed, below is our new bank details that comes into effect from Thursday 28th April 2022.

    HSBC AUSTRALIA

    A/C NAME: Mobius Group Pty Ltd

    BSB: 342-099

    Account number: [redacted]

    All expected payment should be made into the newly stated account.

    Thank you for your Business

    Ryan Harrington

    Director

    MIE(Aust), CPEng, NER, CEC Accredited, [redacted]

    Mobius Group Pty Ltd

  6. After the plaintiff told the defendant that it had not been paid, it received an email from Chloe Loong of the defendant dated 9 May 2022, which was sent at 10.30 am (the Loong email).  The text of that email is as follows:

    From: Chloe Loong [redacted]

    Sent: Monday, 9 May 2022 10:30 AM

    To: Ryan Harrington; Stefan Grabs

    Subject: RE: Mobius March INVs 1105, 1106, 1107

    Good morning Ryan,

    Please see attached emails we had received regarding the change in details.

    Our AP had tried to call the Mobius office on the 28th of April after receiving updated invoice 1105 with the change in bank details.

    The phone connection was not comprehendible, and they could not hear any communication regarding bank details. 

    The WorkPac team has asked if a police report has been filed on your end?

    Thanks,
    Chloe

    Chloe Loong

    Management Accountant

Evidence of Ryan Harrington

  1. Mr Harrington testified in examination‑in‑chief that:

    (a) he had worked full‑time with the plaintiff since 2016;

    (b) in 2022 the plaintiff used Microsoft Office 365 SharePoint sites for the storage of project-related documentation and QuickBooks for accounting documentation;

    (c) emails were set up by him using the software package Microsoft Office 365.  Only he and another engineer, Shaun Garrett, as well as Trevor Harrington had computer access at the plaintiff;

    (d) the plaintiff had a website with its address, landline and a contact email;

    (e) he was introduced to the defendant through Kieran McElchar in late November 2021, after having met him at a previous project;

    (f) Mr McElchar told him that the defendant had a project for Rio Tinto and was looking for an electrical contractor to complete the installation.  Mr Harrington responded by saying that he would be happy to have a look and, as a consequence, Mr McElchar emailed him all the relevant documentation;

    (g) he then prepared a quote (the quote) and sent it to the defendant in mid-January 2022.  The total amount quoted for the work was $440,090.20;

    (h) he signed the New Supplier Information as the authorised representative;

    (i) after completing the New Supplier Information and the quote he received the Purchase Order;

    (j) after receiving the Purchase Order the plaintiff mobilised to site on about 22 February 2022 and provided services until the end of May 2022;

    (k) he used the accounting software package QuickBooks to issue the quote and also to generate invoices sent to the defendant.  Within QuickBooks there was a button on the quote which said 'Create Invoice' which allowed the invoice to be generated and hours to be allocated to each line item.  Once the invoice was completed he would click the save and send button, which also generated an email to send the invoice to the recipients;

    (l) his dealings in relation to invoices with the defendant were through one of its managers, Stefan Grabs.  He used various forms of communication including messaging and email;

    (m) Invoice 1103 was despatched in March via QuickBooks for roughly $100,000 and was paid on time in early April.  He then generated three other invoices: Invoices 1105, 1106 and 1107;

    (n) payment was not received by the due date of 26 April 2022 for Invoice 1105 and so a reminder was issued via QuickBooks.  Mr Harrington subsequently received an email from QuickBooks to say that the reminder had not been received by the defendant.  He then sent it to his own (Mr Harrington's) email to check there was nothing wrong with QuickBooks and, after receiving that email from QuickBooks, subsequently forwarded it on to Mr Grabs through his own email account (the Quickbooks email);

    (o) he received a response by email on 28 April 2022 (Exhibit 1.25) which said that the defendant would be completing a payment run the following day;

    (p) on 28 April 2022 he also received the telephone call from a female employee of the defendant but did not recall whether she identified herself.  The telephone call was short and the female enquired as to whether the plaintiff's bank account details had changed.  He responded by saying 'No, they haven't'.  He did not recall anything else from the telephone call;

    (q) his next contact with the defendant in relation to the outstanding invoice was in early May.  After waiting a week for payment without it being received, he contacted Mr Grabs again and told him that payment had not been received.  Mr Grabs told him that he would investigate and Mr Harrington received the Loong email;

    (r) one of the documents attached to the Loong email was the fraudulent email;

    (s) the fraudulent email was not sent by him or instructed to be sent by him, and nor was the fraudulent invoice;

    (t) after receiving the Loong email with the attachments, Mr Harrington told the defendant that the attachments were fraudulent and not from him or anyone instructed by him; and

    (u) the security measures for the plaintiff with respect to accessing emails were to password protect access.  The sort of password used was alphanumeric with special characters, and if an attempt to enter a password was wrong a number of attempts would be permitted, after which a CAPTCHA dialogue would be required to be completed.  Subsequent failures caused an extension of the lockout period, and he said that ten attempts could be made before that occurred.

  2. Mr Harrington was then cross-examined.  In summary, his evidence in cross‑examination was that:

    (a) he accepted that the bank account details at the bottom of the second quote from the plaintiff for the work included the words 'Mobius Group Prt Ltd' and accepted that 'Prt' was a mistake made by him and was not the account name of his bank account.  He accepted that the same mistake made its way into the invoices sent to the defendant by the plaintiff;

    (b) the work took more time than he originally thought it was going to take and it was a significant contract for the plaintiff;

    (c) his email communications with the defendant were always sent from the same email address;

    (d) the plaintiff did not have company servers.  Its servers were hosted online;

    (e) emails were the main form of communication between him and the defendant leading to the formation of the Purchase Order, but that after the plaintiff arrived on site he was talking to representatives of the defendant on site;

    (f) when he received the telephone call he was in Perth;

    (g) the Microsoft Office 365 program in use by the plaintiff in April 2022 was a program obtained by subscription, as was QuickBooks.  In logging into QuickBooks he used separate logon credentials, including username and password, and his username and password for his QuickBooks account and his Microsoft Office 365 account were different;

    (h) he was not aware of email fraud happening in the community in 2022 and he did not recall hearing about it and did not think something like that could happen to him.  He was not aware that if he did not exercise control over his email account an unknown third party might step in and gain control of his email address;

    (i) he accepted that the fraudulent email had come from his email address and that someone else had gained control of his email address at the time.  He denied that this indicated that he did not exercise control of his email address at the time;

    (j) after he was alerted to the fraud he contacted Microsoft online to ask how it could have happened, but when Microsoft called him back it could not tell him anything.  He explained what had happened but was told that Microsoft could not help him;

    (k) before contacting Microsoft he reported the matter to the police and had submitted a cybercrime report.  He was taken to parts of an email from WA Police Cybercrime dated 27 May 2022 which said that this type of business email compromise scam was common, and contained a recommendation that he have an IT specialist scan the relevant systems for malware to prevent further access to their data.  He said that he used Microsoft as the IT specialist to do software scans;

    (l) there was nothing in the plaintiff's discovery about a record of his approach to Microsoft because he thought it was not deemed critical.  He denied that the lack of discovery of an approach to Microsoft was because he had not conducted any investigation.  He did not know how someone obtained access to the email address;

    (m) email was a means of communication between him and the defendant.  He was asked if it was reasonable for the defendant to rely on emails coming from Mr Harrington's email address as having come from him.  He answered 'no';

    (n) he acknowledged receiving an email from Mr Grabs to Mr Harrington dated 7 April 2022 which says as follows:

    Hi Ryan,

    Just FYI I approved all your March INVs 1105, 1106, 1107 for payment today.

    Payment should occur when they're due, but please contact me in case you experience any delays.

    Thanks,

    Stefan Grabs

    (o) he contacted Mr Grabs in response to the email on 28 April, which was a reference to the Quickbooks email, which read as follows:

    Hi Stefan,

    For some reason QB is being blocked access to both your and AP email addresses.  Hopefully you receive this.

    Thank you

    Ryan Harrington

    (p) the Quickbooks email was sent by him after QuickBooks was blocked access to the defendant's email addresses.  AP meant accounts payable;

    (q) he did not have doubts that QuickBooks was working properly.  He denied that QuickBooks had blocked access to Inoteq email addresses but accepted that QuickBooks was being blocked access to Mr Grabs' accounts payable email addresses.  He did not think this was a problem with the QuickBooks computer program and it did not lead him to suspect that something was wrong with his email system.  He accepted that this methodology, of sending an email from QuickBooks to himself and then forwarding it to the defendant, was not his normal way of sending reminders and that reminders were usually sent via QuickBooks.  There was nothing wrong with QuickBooks, which was being blocked at the defendant's side.  He had previously had emails from the defendant blocked but did not recall if that had happened with QuickBooks.  He did not think that the grammar in the QuickBooks email was incorrect;

    (r) he was not able to say whether he received the email from Accounts Payable Inoteq which read:

    Good morning Ryan,

    Thanks for sending this through, I can confirm that we have received these invoices and have actioned it on our end.  We will be completing a payment run tomorrow which will include the attached.

    Kind regards,

    Accounts Payable Inoteq

    (s) if that email was sent to his email address he suspected that it was received by him;

    (t) he accepted that the fraudulent email was an email which looked like it came through using his email account;

    (u) the telephone call went for less than five minutes and he did not recall the name of the person to whom he spoke.  He accepted a telephone record of the defendant which showed that the telephone call commenced at 2:01:33 pm and finished at 2:03:07 pm, lasting for approximately a minute and a half;

    (v) he never, to his knowledge, lost control of his email account;

    (w) he was definitely in his office in Perth on 28 April 2022 when the telephone call took place;

    (x) he denied that there were any difficulties with the telephone line during the telephone call;

    (y) he agreed that during the telephone call the lady had enquired whether the plaintiff's bank account had changed.  He said to her 'No, they haven't'.  He had not hung up the phone after saying that.  Mr Harrington denied the proposition that all that was said in the telephone call was that the lady had enquired whether his bank details had changed.  He did not say that they were the only details and had said that he did not recall the entire telephone call;

    (z) he was not concerned about being telephoned about whether his bank account details had changed.  It did not cause him to ask why the enquiry was being made.  He did not make any more enquiries as he thought that the telephone call was just part of the defendant's process of due diligence, because of the sum of money involved;

    (aa) he had no reason to call Mr Grabs after the telephone call and denied that his failure to do so caused the loss in this case; and

    (bb) access to his email account was password protected.  He did not engage any IT professional at that time to construct a more elaborate malware protection system.

  1. In re-examination he confirmed that he had not seen the need to ask any follow-up questions after the telephone call because he thought the defendant was doing its due diligence because of the sum of money. 

  2. That then concluded his evidence.

  3. I regarded Mr Harrington as an impressive witness who did his best to give truthful answers.  He carefully considered the question before answering it, was precise in his use of language and did not elaborate unnecessarily on his answers. 

  4. An example of his care and precision came when it was put to him, with some force and persistence, that he had said in his evidence‑in‑chief that all that the defendant's employee said during the telephone call was to ask if his bank details had changed.  He said that he did not say that and had said that he did not recall the entire conversation.  He was correct.  He had not said that those were the only words said to him during the telephone call.  He had earlier been asked if he recalled anything else from the telephone call and he said he did not.

  5. Mr Harrington was prepared to say when he could not recall things and took the time to think about his answers before responding.  I formed the view of him as a witness who was prepared only to give evidence about events about which he had a clear recollection.

  6. Counsel for the defendant said that Mr Harrington's credibility was negatively impacted by his inability to give a complete account of what was said during the telephone call.  I do not accept that.  I accept that he was able to recall the essential part of the conversation but that, given the passage of time, he was unable to recall the surrounding details.  In my view his testimony as to his lack of recall as to the balance of the conversation demonstrated the care with which he gave his evidence.  Given the relevance of the telephone call to the subject matter of this case, it is unsurprising that he remembered the crucial part of the conversation.

  7. I also do not accept the defendant's submission that a reasonable person in the position of Mr Harrington would have contacted the defendant after the telephone call to enquire why it thought there had been a change to the plaintiff's bank account details.  In my view Mr Harrington's answer that he thought the telephone call was part of the defendant's due diligence was a credible answer and I accept it.  A large amount of money was to be paid by the defendant and it would not be unusual for checks to be made in those circumstances.

  8. Contrary to the submission of the defendant, I do not think much turns on Mr Harrington's evidence that an email sent from his email address could not be relied upon as coming from him.  I took that answer as one given with the benefit of hindsight, where the fraudulent email had been sent from his email account but, despite that, could not be relied upon as having come from him.

  9. I accept Mr Harrington's evidence on the crucial issues in this case.

Evidence of Daniel Streefkerk

  1. Mr Streefkerk, who was called by the defendant, is a principal technical advisor with an international information security and compliance consulting firm.  He has worked for a number of years in areas relating to information technology, with a particular interest in cyber security and business improvement through technology.  His expertise was not challenged and I accept him as an expert in the field of cyber security.

  2. The correspondence from the defendant's solicitors to him which sought his opinion was tendered into evidence.  His report was tendered by consent and he gave oral evidence expanding on his report.

  3. Mr Streefkerk was asked for his opinion as to the following:

    (a) who sent the [fraudulent email];

    (b) who created the [fraudulent invoice];

    (c) if it is assumed that the [fraudulent] e-mail and the [fraudulent] invoice were not sent by the person who apparently did so (Ryan Harrington), how could these e‑mails have been sent by a person other than Ryan Harrington without Ryan Harrington being aware of that fact;

    (d) is it possible for a third party to monitor a person's email and to:

    (i) without the person's knowledge, prevent the person receiving emails; and

    (ii) without the person's knowledge, send e‑mails from a person's email account.

  4. Mr Streefkerk was also asked, with respect to the Accounts Payable email:

    (i) is it possible this e-mail was not received by Ryan Harrington and Ryan Harrington would not have been aware of the fact that the e-mail had been sent; and

    (ii) if it was not received by Ryan Harrington how could this have occurred.

  5. As to the second fraudulent email, Mr Streefkerk was asked:

    (i) is it possible that this e-mail was not sent by Ryan Harrington and Ryan Harrington would not have been aware of the fact that the e‑mail had been sent;

    (ii) if it was not sent by Ryan Harrington how could this have occurred; and

    (iii) if the document that was attached to [the second fraudulent email] was not created by Ryan Harrington - how could this have occurred.

  6. He was also asked:

    If it [sic] assumed that a person (or persons) has fraudulently gained access to Mobius' computer system, what steps could Mobius reasonably have been expected to take to prevent such an event occurring.

  7. In examination-in-chief Mr Streefkerk testified that:

    (a)he extracted a copy of the emails on which he was to opine and then inspected the metadata in the emails as well as the body of the emails.  Based on that metadata he then started building a picture of what the sequence of the emails was and then used the metadata within the emails to determine differences between the documents.  He saw his task as determining who sent each of the emails, not just the alleged fraudulent emails, and whether it was possible to impersonate Mr Harrington's email address based on the metadata and the information at hand;

    (b)he was able to identify down to the email address, but not as to who sent the emails based on the evidence; 

    (c)all of the emails which purported to come from Mr Harrington's email account were sent from that account;

    (d)an Australian company which was a 365 tenant would most likely be hosted by Microsoft within Australia but was on Microsoft servers all around the world; 

    (e)all the emails appeared to originate from the same tenant and contained the same metadata and digital signatures; 

    (f)he ruled out a case of email impersonation, which was where a malicious sender sends an email purporting to be from the email address, but an examination of the metadata would reveal that the email did not originate from the servers that were permitted to send emails for that domain;

    (g)in considering the fraudulent email he looked at the metadata behind the email and identified that the fraudulent email was sent from a Microsoft Exchange online server with Mr Harrington's email address.  There was an authentication results original, which he described as a small piece of information indicating the email authenticated and was not fraudulent when it was received by the recipient;

    (h)both the fraudulent email and the second fraudulent email passed inbound DomainKeys Identified Mail (DKIM) checks.  DKIM was a similar concept to digital signatures on PDFs, but 'It's just in the email world'.  When DKIM is actually configured an email leaving the organisation is digitally signed.  The recipient's server will then perform checks to determine whether that email was altered in transit or whether it was even falsified and came from the domain that it said it came from.  He said that there was a cryptographic signature and described it as a public private key pair, with the server having the private portion of the algorithm and the receiving server validating it based on standard cryptography;

    (i)his conclusion, based not just on the DKIM checks passing but also based on the presence of the same metadata was that the fraudulent email and the second fraudulent email originated from the same Microsoft 365 tenant as other, legitimate emails from Mr Harrington's account, not via some sort of external 'spoofing', which he described in his report as email impersonation;

    (j)it was not possible to identify how that happened given the evidence.  In order to determine that issue the detailed audit logs from the Microsoft 365 tenant in question would be required to determine who accessed the mailbox at the time, who was connected to it and from where it came.  Without that information he was able to see that it came from that tenant but not specifically what user account or who would have accessed it;

    (k)based on the evidence the fraudulent email and the second fraudulent email did originate from the Ryan Harrington mailbox.  Any lack of awareness of Mr Harrington as to whether the email was sent or not may have occurred through the account being compromised or another user having access to the Mobius Group 365 tenant account;

    (l)somebody could have gained remote or physical access to a device on which the Ryan Harrington mailbox was already configured;

    (m)it was impossible to conclude, based on the evidence of an outbound email, whether the Accounts Payable email was received by Mr Harrington or whether Mr Harrington would have been aware of its being sent.  What Mr Streefkerk had was an outbound version of the email from the sender.  Without the logs on the Mobius Group site, it was not possible to determine whether or not that email was delivered.  It was a common pattern or method of attackers to redirect emails so that if an email was delivered, it might not be seen by the owner of the mailbox because attackers would generally redirect those elsewhere to subfolders or other mailboxes; and

    (n)he stood by the conclusions set out at page 25 of his report. 
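The DKIM mechanism described at 7(h), as an added example that is not part of the judgment or of Mr Streefkerk's report. It implements only the integrity half of the check: the signer hashes the canonicalised body and records that hash in the bh= tag of the DKIM-Signature header, so a body altered in transit no longer matches. The b= step (an RSA signature over the listed headers, verified against the public key published under the d=/s= selector in DNS) is the part that ties the message to the sending domain; it needs a network lookup and is not implemented here. The message, domain and selector are constructed and the b= value is a placeholder; the code assumes a=rsa-sha256, relaxed body canonicalisation and no l= body-length tag.

```python
"""DKIM body-hash (bh=) check with RFC 6376 "relaxed" body canonicalisation.

Added example, not from the judgment or the expert report. Only the bh=
(integrity) step is implemented; the b= signature check against the DNS
public key is left out. Message, domain and selector are constructed.
Assumptions: a=rsa-sha256, c=*/relaxed, no l= tag.
"""
import base64
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """RFC 6376 s3.4.4: strip trailing WSP, collapse runs of WSP to one SP,
    drop empty trailing lines, and end a non-empty body with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Value a signer places in bh=: base64 of SHA-256 over the canonical body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse 'tag=value; tag=value'. Folding whitespace inside values is ignored."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def split_message(raw: str):
    """Minimal RFC 5322 split: folded header lines are unfolded, names lower-cased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers, name = {}, None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()  # continuation of the previous header
        else:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers, body


def check_body_hash(raw: str) -> dict:
    """Recompute bh= from the received body and compare with the signed value."""
    headers, body = split_message(raw)
    tags = parse_dkim_tags(headers.get("dkim-signature", ""))
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return {"ok": False, "reason": "missing or unsupported DKIM-Signature"}
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # lone value means body=simple
    if body_canon != "relaxed":
        return {"ok": False, "reason": f"body canonicalisation {body_canon!r} not implemented"}
    computed = body_hash(body)
    return {"ok": computed == tags.get("bh"), "domain": tags.get("d"),
            "selector": tags.get("s"), "expected": tags.get("bh"), "computed": computed}


# Constructed outbound message; a real signer would also compute b=.
SAMPLE_BODY = "Hi Accounts,\r\n\r\nPlease find attached invoice 1107.  \r\n\r\nRegards\r\n\r\n"


def build_signed_message(body: str) -> str:
    bh = body_hash(body)
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com.au;\r\n"
        f" s=selector1; h=from:to:subject:date; bh={bh};\r\n"
        " b=PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n"
        "From: Sender <sender@example.com.au>\r\n"
        "To: Accounts <accounts@example.net>\r\n"
        "Subject: Invoice\r\n"
        "Date: Mon, 02 May 2022 10:14:07 +0800\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    msg = build_signed_message(SAMPLE_BODY)
    print("unaltered:", check_body_hash(msg)["ok"])
    tampered = msg.replace("invoice 1107.", "invoice 1107. Note our new bank details.")
    print("tampered: ", check_body_hash(tampered)["ok"])
```

A change to the wording of the body fails the check, while a change confined to trailing whitespace still passes, which is exactly what relaxed canonicalisation is meant to tolerate. A passing bh= says nothing about who pressed send: a message composed inside a compromised mailbox is signed by the tenant's own outbound server and passes both bh= and b= cleanly, which is the point the witness makes at 7(i).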

  8. In summary, the conclusions from Mr Streefkerk's report at page 25 and onwards are as follows:

    (a)the fraudulent email was sent from within the legitimate Mobius Group Microsoft 365 tenant.  He could not speculate as to the author of the email, however, the patterns observed in the emails follow well known business email compromise tactics and techniques where an attacker:

    (i)compromises an email account;

    (ii)uses that account to facilitate further phishing, attacks against partner organisations, or to facilitate financial fraud; and

    (iii)covers their tracks by manually or automatically deleting emails.

    (b)if the email was not sent by somebody within the plaintiff then the only reasonable conclusion was that Mr Harrington's email account was compromised;

    (c)he was unable to speculate as to who created the fraudulent invoice.  It was likely the original invoice was modified with a PDF editor and subsequently resent;

    (d)if it was assumed that the fraudulent email and the fraudulent invoice were not sent by Mr Harrington and without him being aware of that fact then it appeared likely that they were sent by somebody with physical or remote access to Mr Harrington's email account.  The email header and body text evidence do not support an email spoofing or external impersonation scenario;

    (e)it seemed unlikely that the Accounts Payable email was not delivered to Mr Harrington without some sort of non‑delivery report coming back to the defendant, however this was not confirmable given the evidence at hand.  If the email was not received by Mr Harrington this could have occurred because his email account was compromised and the attacker implemented automated rules to redirect or hide inbound emails.  There was not sufficient evidence to confirm what happened once the email reached the Mobius Group Microsoft 365 tenant;

    (f)it was quite possible that Mr Harrington was not aware that the second fraudulent email had been sent; and

    (g)it was likely that Mr Harrington's Microsoft 365 email account was compromised in some manner, and subsequently used to send out the fraudulent email and the second fraudulent email.  The attachment to the second fraudulent email named 'Mobius Group Pty Ltd Change of Bank Details.pdf' was likely created by an attacker external to the plaintiff.  The file contained several hallmarks of a fraudulent document including non‑standard corporate stationery, numerous grammatical errors and PDF metadata that indicates it was created using a free online PDF editor, rather than by the expected Microsoft Word, like an apparent legitimate file found on the Mobius Group website. 
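The hiding and redirect rules described at 7(m) and 8(e), and the audit logs the witness says would be needed to see who created them and from where (7(j)), as an added detection example that is not part of the judgment or of Mr Streefkerk's report. It scans the AuditData JSON that a Microsoft 365 unified audit log export produces for New-InboxRule and Set-InboxRule events and reports rules that forward outside the tenant, delete, or bury mail in folders the owner rarely opens, with extra weight when the rule is keyed on finance terms. The records below are constructed to resemble that export; the user, domain, IP addresses and rule names are placeholders, and the field names (Operation, UserId, ClientIP, Parameters as Name/Value pairs) are assumed from the Exchange admin audit schema.

```python
"""Flag BEC-style inbox rules in Microsoft 365 audit records.

Added example, not from the judgment or the expert report. Input is the
AuditData JSON string of each exported event (constructed samples below).
Assumed schema: Operation, UserId, ClientIP, CreationTime and
Parameters=[{"Name":..., "Value":...}] as written by the Exchange admin audit.
"""
import json
import re

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
TRIGGER_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "From")
# Folders attackers commonly use to park mail the owner will not notice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history", "notes"}
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "wire", "transfer", "eft", "account"}


def params_to_dict(record: dict) -> dict:
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value: str, tenant_domain: str) -> list:
    """Pull addresses out of a recipient parameter and keep those outside the tenant.
    Handles both bare addresses and the '"Name" [SMTP:addr]' rendering."""
    suffix = "@" + tenant_domain.lower()
    return [a for a in re.findall(r"[\w.+-]+@[\w.-]+", value) if not a.lower().endswith(suffix)]


def assess_rule(record: dict, tenant_domain: str):
    """Return a finding dict for a suspicious rule event, or None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = params_to_dict(record)
    reasons = []
    for name in sorted(FORWARD_PARAMS & set(p)):
        for addr in external_addresses(p[name], tenant_domain):
            reasons.append(f"{name} to external address {addr}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    folder = p.get("MoveToFolder", "")
    folder_name = folder.replace("/", "\\").split("\\")[-1].strip().lower()  # last path component
    if folder_name in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={folder!r}")
    if p.get("MarkAsRead", "").lower() == "true" and (folder or "DeleteMessage" in p):
        reasons.append("MarkAsRead=True combined with move/delete")
    words = set(re.findall(r"[a-z]+", " ".join(p.get(k, "") for k in TRIGGER_PARAMS).lower()))
    hits = sorted(FINANCE_WORDS & words)
    if hits:
        reasons.append("finance keywords: " + ", ".join(hits))
    if not reasons:
        return None
    return {"when": record.get("CreationTime"), "user": record.get("UserId"),
            "client_ip": record.get("ClientIP"), "rule": p.get("Name") or p.get("Identity"),
            "reasons": reasons}


def scan(audit_data_rows, tenant_domain: str) -> list:
    """audit_data_rows: iterable of AuditData JSON strings, one per exported event."""
    findings = []
    for row in audit_data_rows:
        finding = assess_rule(json.loads(row), tenant_domain)
        if finding:
            findings.append(finding)
    return findings


SAMPLE_AUDIT_DATA = [  # constructed; shaped like AuditData from a unified audit log export
    json.dumps({"CreationTime": "2022-05-02T22:14:07", "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "user1@example.com.au", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank details;remittance"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"},
                               {"Name": "StopProcessingRules", "Value": "True"}]}),
    json.dumps({"CreationTime": "2022-05-02T22:16:31", "Operation": "Set-InboxRule", "Workload": "Exchange",
                "UserId": "user1@example.com.au", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Identity", "Value": "Receipts"},
                               {"Name": "From", "Value": "accounts@example.net"},
                               {"Name": "ForwardAsAttachmentTo", "Value": '"Admin" [SMTP:relay@example.org]'},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2022-05-03T01:02:10", "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "user2@example.com.au", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@example.com.au"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_DATA, "example.com.au"):
        print(f["when"], f["user"], f["client_ip"], f["rule"], "; ".join(f["reasons"]))
```

Run against a real export, the ClientIP and CreationTime of a flagged event are the starting point for the question the witness could not answer without the logs: which session created the rule and from where. The benign newsletter rule in the sample produces no finding, and a non-rule operation is ignored.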

  9. He was asked what steps the plaintiff could reasonably have been expected to take to prevent a person or persons fraudulently gaining access to its computer system.  His response in his report was that:

    (a)there was not sufficient evidence to determine the exact current state of the plaintiff's computer systems' security, however there were indications of a lack of email security hardening for the Mobiusgroup.com.au domain, which was not uncommon across the Australian business landscape with 77% of ASX 200 companies purportedly failing to properly implement Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent email impersonation in 2023;

    (b)business email compromise is a common form of cyber attack;

    (c)the Australian Cyber Security Centre (ACSC) states that 'The best defence against email scams is training and awareness for your employees, including how to identify scams or phishing attempts';

    (d)the ACSC also recommends that all organisations take the following steps:

    (i)turn on multifactor authentication (MFA);

    (ii)protect their domain name;

    (iii)register additional domain names;

    (iv)set up email authentication measures;

    (v)protect their privacy (posting on social media);

    (vi)implement policies and procedures (to address security risks);

    (vii)implement training/awareness programmes; and

    (viii)remain vigilant and informed on contemporary cyber threats;

    (e)recently there has been a rise in adversary‑in‑the‑middle attacks, where an attacker intercepts the victim's login session regardless of whether MFA is implemented.  This illustrates that not even MFA will prevent a determined attacker;

    (f)training and awareness is crucial in maintaining cyber security, followed by more technical measures if available to the given organisation.  Those additional technical measures often depend on the technical skill set available to an organisation, as well as the available budget; 

    (g)the ACSC's example recommendations around developing policies and procedures are relevant to this case:

    •Consider introducing an approvals process for requests that ask to change payment details or make a large transfer.

    •Verify any such requests by calling the sender.  Call them on a known and verified phone number (not a phone number from the email, as this could be operated by a cybercriminal).  Speak with the sender over the phone to verbally confirm the request for a change. 

    •Ensure workers have clear guidance to verify account details and to think critically before actioning unusual requests.

    •Have a reporting process to report threatening demands for immediate action, pressure for secrecy or requests to circumvent protective business processes.

    (h)all businesses, regardless of size, should do the following to prevent falling victim to business email compromise:

    (i)enable and require MFA for email, banking and all business‑critical online services;

    (ii)not permit the reuse of passwords across different websites or services, especially email and online banking;

    (iii)implement policies and procedures to handle change of banking or payment details, including communication and confirmation via a known-good out-of-band medium.  For example, in the case of an email conversation, confirm via phone call to a known-good phone number for the party in question;

    (iv)train staff to recognise fraudulent requests.  Test regularly, and refresh training periodically; and 

    (v)configure email authentication measures such as Sender Policy Framework (SPF), DKIM, and DMARC to protect email domains from impersonation.

  10. In cross‑examination Mr Streefkerk said:

    (a)that to conduct a proper security review it would be necessary to discuss matters with the client.  He was asked whether he accepted that to conduct a proper security review he would need to discuss matters with the client, look at their systems and conduct an onsite inspection.  He answered that he would not necessarily do it onsite, but he would do so based on evidence and interviews;

    (b)he did not visit the plaintiff's premises and nor did he speak with Mr Harrington or any of the plaintiff's staff;

    (c)the assumptions contained in his report at page 6 were a comprehensive list of the assumptions made;

    (d)at the server level MFA could be imposed, depending on the server;

    (e)MFA was not the default setting for every program or for Microsoft Office at the time, required a number of steps to set up and a company might need external technical expertise to set it up, depending on its level of IT expertise;

    (f)at the cloud level there were other security measures, including adjusting the security default settings; 

    (g)there were different types of second level authentication including authentication requiring an app or a text message.  There were other forms of second level authentication including security tokens.  A security token could be used to prevent phishing, although it was not very common.  He was asked whether a phishing attack was when someone was tricked into giving up their password and he responded by saying 'not necessarily, but password or clicking on a link';

    (h)a security token would be a separate expense to a business, in addition to the cost of setting up MFA;

    (i)another level of security would be looking at security at the workstation computer or a physical network.  There were different security measures that could be implemented at a local level.  Some of those included installing antivirus, firewalls and restricting administrator rights to prevent programs from being installed;

    (j)the purpose of restricting administrator access was to prevent malicious programs potentially from executing or users from changing configuration settings; 

    (k)if someone used a program to download a movie that could be used as a channel for a hacker to gain remote access to a computer; 

    (l)there were security assessments that could be done which would involve looking at policies and procedures to be put in place in the work environment; 

    (m)MFA would not prevent a malicious insider attacker, but a business could implement controls to safeguard against malicious insider attacks.  Some of those controls might be role‑based access that limits what each user can do, or just‑in‑time access; 

    (n)any security measures would require training, that training would be ongoing and his firm provided that sort of training;

    (o)in the past he had trained staff to recognise fraudulent requests.  An indicator of a fraudulent request might be if the document did not contain a salutation identifying a known person in the business.  Other potential indicators of a fraudulent request were if there were grammatical or formatting errors in the request, but with artificial intelligence and those kinds of tools, the absence of grammatical faults could no longer be relied on; and

    (p)he trained staff never to respond to a suspicious email and that normally staff would be trained to send it somewhere for further investigation before replying.

  11. He then confirmed the passage in his report which indicated that he only had limited information available to him regarding the measures that the plaintiff had taken to protect its computer system.  He said that the brief in his report was that he was not asked to do an assessment of the plaintiff, but instead he was asked to examine the origin of several emails. 

  12. He confirmed his brief did not contain any information about:

    (a)the size of the plaintiff;

    (b)the size of transactions processed through its business;

    (c)the technical skill set available in the IT department of the plaintiff; and

    (d)the available budget for security measures at the plaintiff.

  13. Mr Streefkerk further confirmed that:

    (a)the size of the business, the size of the transaction and the technical skill set available in the IT department were not assessed as part of the security assessment; 

    (b)his company assessed technical controls and whether they were implemented or not was a matter for the business.  The size of the business was essentially irrelevant although it was taken into account.  The controls needed to be implemented regardless of the size of the business; and

    (c)his company proposed best practice and whether or not a business implemented his recommendations was not his decision. 

  14. He also confirmed that:

    (a)his report said that he had not been able to form a complete picture of the plaintiff's security posture;

    (b)the conclusions in his report at pars 11.7.1 ‑ 11.7.3, were directed to email impersonation and did not apply to the current situation where someone was either hacked to gain access or there was existing access from a malicious insider;

    (c)the current situation could be explained by an adversary‑in‑the‑middle attack; and 

    (d)his recommendations set out at par 12.7 of his report (which I have set out at [48(d)]) insofar as security was concerned were general recommendations that apply to all businesses and not specific to Mobius. 

  15. In answer to a question from me, he said that MFA systems in Microsoft have a 30‑day duration.  If somebody logged onto an account, then MFA would not prompt them again until they logged on to a different device or the duration of 30 days had expired.

  16. He also answered another question from me as to whether it was the case that, regardless of adopting all of the best practice measures which he had set out, a determined and skilful hacker could still get through.  He ultimately responded by saying such a hacker could still get through.

  17. I formed the view that Mr Streefkerk was also an impressive witness.  He readily admitted that he did not have all the information which he would have preferred in making an assessment, and accepted the limitations to his conclusions which flowed from the assumptions upon which his report was based.  Further, I accept that he is an expert in this field.  His evidence was not challenged and I accept his evidence, generally and specifically as to best practice measures to protect email security and that both the fraudulent and second fraudulent email were sent from Mr Harrington's email account.

Findings of fact

  1. Apart from the findings of fact I have already made, I also make the following findings of fact consequent on the evidence of Mr Harrington and Mr Streefkerk.

  2. The fraudulent and second fraudulent email were sent from Mr Harrington's email account.

  3. Mr Harrington did not send the fraudulent email, the fraudulent invoice and the second fraudulent email and nor were those emails sent on his instructions.

  4. The telephone call occurred after the fraudulent email was sent.  During the telephone call Mr Harrington was asked whether the plaintiff's details had changed.  He replied by saying that they had not. 

  5. Mr Harrington and the plaintiff did not receive the Accounts Payable email. 

  6. The plaintiff's security measures in respect to accessing emails were to protect them by the use of a password. 

  7. The plaintiff's servers were hosted online. 

  8. Mr Harrington's username and password for his QuickBooks account and his Microsoft Office 365 account, both of which were used by the plaintiff, were different. 

  9. Mr Harrington did not send Invoice 1107 from his QuickBooks account, which was his usual way of sending emails, because QuickBooks was blocked from accessing the defendant's email address. 

  10. Mr Harrington thought that the telephone call was part of the defendant's due diligence before paying a significant amount of money. 

  11. The plaintiff did not use the 'best practice' procedure recommended by Mr Streefkerk in order to protect the integrity of its email account, such as by using MFA.

The issues in the case

  1. The defendant raises several bases as to why it is not liable to pay the outstanding amount of $191,859.16 to the plaintiff. 

Issue 1 - the indemnity clause

  1. The defendant relies upon cl 10.1 of the New Supplier Information. 

  2. Clause 10.1 relevantly provides as follows:

    [The plaintiff] indemnify [the defendant] against all damage, claims, expense (including reasonable lawyers' fees and expenses), loss or liability of any nature suffered or incurred directly or indirectly by [the defendant] arising out of the performance or non-performance of the Services including:

    (c)damage, expense, loss or liability in respect of loss of or damage to any other property (including the Principal's such property);

    (d)financial loss or expense;

  3. Clause 1.1 of the New Supplier Information provides:

    These Terms and the Purchase order contain all the terms and conditions on which you agree to provide the Services described in our Purchase order … 

  4. The Purchase Order then describes the services (the Services) to be provided as:

    Materials & Transport

    Onboarding Medicals/PPE

    Project Manager/Lead Engineer

    Project Engineer

    Electrical Supervisor

    Electrician site

    Trades Assistant site

    Electrician Perth

    Trades Assistant Perth

  5. The plaintiff submits that the Services are the services contained in the Purchase Order.  The defendant says that this interpretation should be rejected as too narrow to give the contract any meaning.  The defendant says the commercial reality meant that the Services went beyond purely those specified in the Purchase Order and included the work which the defendant did on the Rio Tinto water aquifer project, such as the supervision of the project by Mr Harrington, which is not something contained in the Purchase Order.

  6. The defendant submits that a reasonable person would interpret cl 10.1 to provide an indemnity to the defendant in this situation, because it paid money to an incorrect account with respect to invoices issued by the plaintiff, as a result of the plaintiff's email account (which was designated for the purposes of contact between the plaintiff and the defendant) being compromised.  The defendant submits that the loss arising to the defendant had a causal/consequential relationship with the performance of the Services. 

  7. The defendant says that invoicing is an activity arising out of the performance of the Services.  It further says that the provision of an invoice and a document on the plaintiff's letterhead (plus covering statements made in the emails to which the documents were attached) from the email account nominated in the New Supply Information had a causal/consequential relationship with the performance of the Services, because these emails/documents concerned how payment was to be made with respect to the performance of the Services.

  8. During the course of the oral submissions I asked counsel for the defendant whether the indemnity would extend to a situation where the defendant, in the absence of a fraudulent email, had simply paid money to a wrong entity by mistake and was not able to get it back.  Counsel for the defendant conceded that the interpretation contended by him would extend to that scenario.

  9. The plaintiff contends that the indemnity does not cover loss arising from the fraudulent acts of the fraudster.  The plaintiff says that the phrase 'arising out of' bears its natural meaning, which is 'originating from'.  The plaintiff says that loss arising from the fraudulent acts of the fraudster do not originate from the performance or non‑performance of services as defined.

  10. Additionally, the plaintiff says that the phrase 'arising out of' is confined to subject matter, which in this case is the defined term 'Services'. 

  11. The plaintiff says that the parties have confined the indemnity to the word 'Services'.  The plaintiff says that 'Services' is different to the performance of a contract.  The plaintiff says that it is noteworthy that the agreement does not use the words 'arising out of the terms of this instrument' or 'arising out of the performance of the contract'.  The plaintiff says that Services should therefore be confined to the services contained in the Purchase Order.  The plaintiff says that the provision of the invoice arises out of the performance of the contract but not out of the performance of the Services. 

  12. The plaintiff also referred to cl 1.1 ‑ cl 1.3 of the New Supplier Information, which provide as follows:

    1.1These Terms and the Purchase order contain all the terms and conditions on which you agree to provide the Services described in our Purchase order ('Services') and any ancillary materials ('Materials') to us.  If there is any inconsistency between these Terms and our purchase order, our purchase order takes precedence.  Unless we specifically agree in a signed document, no other terms and conditions, including those contained in any quotation or other document that You issue to Us, will have the effect of amending these Terms.  Nor will they amount to an offer or a counter-offer.

    1.2You will provide the Services and materials in accordance with these terms and the purchase order, and any written directions we give You.

    1.3You must not sub-contract any part of the Services without our prior written approval.  We may give or withhold our approval without giving reasons.  Approval by us to any sub-contract does not in any way relieve you of any of your obligations under this agreement. 

  13. The plaintiff says its interpretation is consistent with the architecture of the agreement, which includes the requirement not to subcontract any part of the Services without prior written approval.  It says that this is consistent with the indemnity not covering any loss arising from acts of the fraudster.

  14. Finally, the plaintiff says that a reasonable businessperson would not construe the indemnity so widely, because the construction contended for by the defendant would mean that the indemnity would extend even to loss arising purely from the negligence of the defendant, such as money mistakenly paid by it to a third party in satisfaction of the invoice.  The plaintiff says that this makes no commercial sense.

Determination of the indemnity clause

  1. In Davis v The Commissioner for Main Roads (1968) 117 CLR 529, 532 the High Court considered an indemnity clause containing the words 'arising out of'.

  2. In that case the indemnity clause under consideration read as follows:

    The Contractor shall undertake the whole risk of carrying out the contract, and without limiting the generality thereof, shall -

    (a)hold the Commissioner indemnified against all claims arising out of -

    (i)damage to the property of the Contractor or any third party;

    (ii)death of or bodily injury to the Contractor or his employees, or employees of the Commissioner, or any third party including persons transported in vehicles engaged by the Contractor;

    whether such damage, death or bodily injury is caused by the use of a motor vehicle or by goods falling or projecting therefrom or otherwise howsoever,

    (b)reimburse the Commissioner for damage sustained by the loss of or damage to the whole or any part of the materials, plant or equipment entrusted by the Commissioner to the Contractor pursuant to this contract.

    The Contractor shall insure any motor vehicle used on the contract in the joint names of himself and the Commissioner under a policy unlimited in amount covering liability for damage to the property of third parties, and evidence of such insurance and of the registration of the vehicle shall be furnished to the Officer-in-Charge, if required.

  3. The majority (Barwick CJ, McTiernan and Menzies JJ) held that the indemnity clause extended to a claim for damage to the property of a third person caused by a collision with the contractor's motor vehicle where the negligence of the commissioner was the cause of the damage.

  4. In CSR Ltd v Adecco (Australia) Pty Ltd [2017] NSWCA 121 (CSR) the indemnity clause under consideration included that Adecco Australia agreed to indemnify CSR against 'any claim by Temporary Staff for personal injury … arising out of or in connection with the performance of Assignment duties' and 'any liability to any person … in respect of or in connection with such personal injury'.  'Temporary staff' was defined as 'an individual employed by [Adecco Australia] to work in an Assignment for CSR'.  'Assignment' meant the tasks 'to be undertaken … by Temporary Staff … as specified in the Order'. 

  5. Ultimately it was held that the clause operated so as to indicate an objective intention to cover all claims, whether contributed to or caused by CSR's own fault (at [205], [211] - [214]). 

  6. In CSR the court said [206]:

    The words 'arising out of' are well recognised as being of broad import.  They require some causal or consequential relationship between the subject and the object, but do not require the direct or proximate relationship which would be necessary if the expression was 'caused by'.

    (footnotes omitted)

  7. In Samways v Workcover Queensland [2010] QSC 127 [72] Applegarth J said:

    The words 'arising out of' are wide.  The relevant relationship should not be remote, but one of substance albeit less than required by words such as 'caused by' or 'as a result of'.  The phrase connotes a weak causal relationship.  However, more is required than the mere existence of connecting links.  The words require the existence of a causal or consequential relationship between, in this case, the use of the plant and the injury.

    (footnotes omitted)

  8. Clause 10.1 of the New Supplier Information, as an indemnity clause, falls to be construed strictly, and any doubt as to the construction should be resolved in favour of the indemnifier - Andar Transport Pty Ltd v Brambles Ltd (2004) 217 CLR 424:

    17The proper construction of cll 8.2.2 and 8.2.3 cannot be undertaken without reference to the principles of construction applicable to contractual indemnities.  The starting-point is the decision of this Court in Ankar Pty Ltd v National Westminster Finance (Australia) Ltd.  In that case, the Court considered whether two clauses of a guarantee operated as conditions the breach of which would discharge the surety from liability.  In answering that question in the affirmative, Mason ACJ, Wilson, Brennan and Dawson JJ said:

    At law, as in equity, the traditional view is that the liability of the surety is strictissimi juris and that ambiguous contractual provisions should be construed in favour of the surety.  The doctrine of strictissimi juris provides a counterpoise to the law's preference for a construction that reads a provision otherwise than as a condition.  A doubt as to the status of a provision in a guarantee should therefore be resolved in favour of the surety.

    In Chan v Cresdon Pty Ltd, Mason CJ, Brennan, Deane and McHugh JJ described the statement in Ankar set out above as evidencing a 'settled principle governing the interpretation of contracts of guarantee'.

    18It may be noted that the conclusions reached in Ankar and Chan as to the principles to be applied to the construction of contracts of guarantee are binding, …

    (footnotes omitted)

  9. I accept that the indemnity could, in certain circumstances, lead to the plaintiff indemnifying the defendant even for a negligent act of the defendant, but in my view the indemnity in this case cannot be construed in the way the defendant contends. 

  10. The New Supplier Information contemplated the Services being performed by the plaintiff, as evidenced by the provisions of cl 1.2 and cl 1.3 set out at [80].

  11. The obligation to pay a fee for the Services is contained in cl 7 of the New Supplier Information, which relevantly provides:

    7.1The Fee for Your Services will be the amount specified in Our Purchase order, less any amount that We are entitled to deduct under these Terms or any other agreement We have with You.  Unless we otherwise specify in the Purchase order, all Fees, prices and other amounts payable under these Terms are fixed, and include the price of the Materials, and all taxes, duties or imposts levied in respect of the Services and Materials, other than GST. 

    7.2You will send us an invoice after satisfactorily completing the Services.  Your invoices must comply with GST law, and must set out any additional information that we reasonably require.  We will pay you the fee for Services under a properly rendered invoice, after deducting any amounts that you may owe us under these Terms or any other agreement.  Our payment to you of any invoice or other amount does not amount to a waiver of any of our rights of Your obligations under these terms.

    7.3Payments shall be made within 45 Days from the end of the month in which an invoice is provided to Us.

  12. I accept that the act of generating and sending an invoice arises out of the performance of the Services.  That is the result of the plaintiff completing its performance of the Services and it performing the task necessary for payment: the rendering of an invoice.

  13. However, I do not accept that the indemnity extends to loss arising out of a legitimately generated invoice.  Clause 7.2 and cl 7.3 mandate payment upon receipt of the invoice, subject to certain deductions.  If the clause were interpreted in the way contended for by the defendant, then it would be arguable that economic loss flows to the defendant as a result of the rendering of an invoice, and cl 10.1 could then operate so as to provide an indemnity against such loss.  Given that the invoice and the need for payment are the necessary basis upon which the plaintiff performed the works, that would clearly be an untenable result.  It would also be a result which is inconsistent with the contractual requirement to pay in cl 7.  

  14. I have considered the plaintiff's argument that email communication was something which arose out of the performance of the Services.  While email communication was not, of itself, part of the Services to be provided, I accept that it arose out of the performance of the Services.  In my view email communication had a causal or consequential connection with the performance of the Services.

  15. However, the security of the plaintiff's email account is a matter which relates to its own internal management and is unrelated to the performance of the Services.

  16. While the act of sending an invoice does arise out of the performance of the Services, the same cannot be said for the security of the plaintiff's email account.  The use by the fraudster of the plaintiff's email account had nothing to do with the performance of the Services by the plaintiff.

  17. The plaintiff rendered an invoice after satisfactorily completing the Services.  Whilst its email account was hacked and the fraudulent email was sent to the defendant, and while the defendant paid money to the fraudulent account, those events were caused by the fraudster and not by the plaintiff.

  18. Consequently, any financial loss or expense or economic loss caused to the defendant does not arise out of the performance by the plaintiff of the Services.  Instead, it arises out of an intervening event by an unknown third party, namely the fraudster, in hacking into the plaintiff's email account and sending the fraudulent email to the defendant.

  19. It was the plaintiff who had to perform the Services.  That is clear given the prohibition on the plaintiff from subcontracting the Services without the written approval of the defendant.  The sending of the fraudulent email was not an act performed by the plaintiff.  It was therefore unrelated to the performance or non‑performance of the Services.  The indemnity does not therefore operate.

  1. I accept the plaintiff's submission that the defendant was better placed to take precautions to protect itself from the fraud than the plaintiff.  I note that the QuickBooks-generated emails sent by Mr Harrington to the defendant, whether attaching the invoices or sending reminders, which form part of Exhibits 19, 20, 23 and 26 amongst others, contained a notation at the bottom of the email saying:

    If you receive an email that seems fraudulent, please check with the business owner before paying.

  2. I have no evidence that the QuickBooks email allowed the fraudster to compromise the plaintiff's email account so as to send the fraudulent email.  I have no evidence as to how the fraudster came by Mr Harrington's details or how the fraudster hacked into his email account.  I am not able to make the finding that the defendant urges on me. 

  3. Mr Streefkerk said that there were no precautions which could be taken which would stop a hacker with sufficient skill and determination from breaking into a network.  In those circumstances, even if a company such as the plaintiff takes all the recommended safety measures, its email account could still be hacked into.  What that means is that ultimately only the defendant was in a position to be able to take measures to stop itself from being the victim of a fraud.

  4. In this case those measures included the telephone call.  Astonishingly, after making the telephone call and not being able to hear the answer to the crucial question it asked, no follow-up call was made before paying the money.  The defendant clearly had Mr Harrington's telephone number, and it would have taken little effort to make another telephone call and receive a clear answer to the question posed.  That telephone call could have meant that the loss was avoided, these proceedings never occurred, and the fraudsters left unfulfilled.

  5. Instead, the Accounts Payable email, which replied to the very email which had prompted the telephone call, was sent.  This was unwise.  Mr Streefkerk said in his evidence that he trained his staff not to respond to a suspicious email, but instead to send those emails to someone for further analysis. 

  6. Having received the fraudulent invoice, the defendant made no further telephone call.  Instead it simply paid a very large amount of money to the fraudulent bank account.

  7. While it may have been vulnerable to loss if the plaintiff's email account was compromised, it had the ability to protect itself against that vulnerability.  It failed to do so.
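The verification failures the court describes in paragraphs 3 to 7 (a call whose answer could not be heard treated as sufficient, a reply sent on the suspicious thread, and payment released on the strength of the sender address alone) can be stated as a payment-release rule. The following is an added illustration written for this page, not anything from the parties or the court; the supplier name, email address and telephone number are constructed placeholders.

```python
"""Payment-change verification model (added example, not part of the judgment).

A change of bank details arriving by email is released for payment only after
a clear confirmation on the telephone number already held on file.  An unclear
call is not a confirmation, and a reply to the email never is, because a reply
reaches whoever controls the mailbox, which may be the fraudster.
"""
from dataclasses import dataclass, field
from enum import Enum


class CallResult(Enum):
    CONFIRMED = "confirmed"
    DENIED = "denied"
    UNCLEAR = "unclear"      # the answer to the crucial question was not heard
    NO_ANSWER = "no_answer"


@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    from_address: str
    verified: bool = False
    events: list = field(default_factory=list)


# Constructed onboarding record: captured when the supplier was set up,
# never updated from the contents of an incoming email.
SUPPLIER_DIRECTORY = {
    "Example Supplier Pty Ltd": {
        "email": "accounts@example-supplier.invalid",
        "phone_on_file": "+61 8 0000 0000",   # placeholder number
    },
}


def record_callback(req, dialled_number, result):
    """Log an out-of-band call.  Only a clear CONFIRMED on the number held on
    file verifies the change; a number taken from the email itself never does."""
    req.events.append(("callback", dialled_number, result.value))
    if dialled_number != SUPPLIER_DIRECTORY[req.supplier]["phone_on_file"]:
        return False
    if result is CallResult.CONFIRMED:
        req.verified = True
    return req.verified


def record_email_reply(req, reply_text):
    """A reply on the same thread is logged for escalation but never verifies."""
    req.events.append(("email_reply", reply_text))
    return False


def may_pay(req):
    """Release only when the sender address matches the record AND the change
    has been verified out-of-band; a matching address alone proves nothing."""
    sender_ok = req.from_address == SUPPLIER_DIRECTORY[req.supplier]["email"]
    return sender_ok and req.verified
```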

  8. I do not accept the defendant's submission that any ruling I make in favour of the plaintiff will lead to uncertainty in trade and commerce.  This case is a salutary reminder for those paying money to ensure the veracity of any banking details provided. 

  9. Any loss by the defendant is pure economic loss.  Therefore, reasonable foreseeability of its loss is not sufficient to create a duty.

  10. I find that the duty of care claimed to exist by the defendant does not apply to the circumstances of this case.

Issue 3 - did the fraudulent email and the second fraudulent email constitute notice given to change the bank account details?

  1. The defendant's position is that it acted on a direction from the plaintiff to pay the bank account on the invoice sent to it.  It says that it has paid the value of the invoices to the bank account identified by the plaintiff and that the defendant has therefore complied with its obligations under the New Supplier Information. 

  2. It says that the plaintiff's submissions to the contrary rely upon a narrow and artificial interpretation of the New Supplier Information and says that the correct position is to the contrary.

  3. The defendant says that the New Supplier Information must be viewed as creating a system that comprises the matters set out on each of its six pages. 

  4. The first page sets out information that the defendant requires the plaintiff provide. 

  5. The third page sets out specific directions as to how invoices would be submitted and paid, in particular, by requiring the plaintiff's:

    Bank Account Details for EFT payments (if not previously provided).

  6. The defendant relies on cl 1.7 of the New Supplier Information which requires:

    All notice [sic] required by these Terms must be given in writing.

  7. The term 'notice' is not defined.  The defendant says that it is therefore not a reference to a specific document which must be sent in a particular context, but a reference to a wider concept, being the matters about which one party is required to notify the other. 

  8. It says that the obligation to provide bank account details can only sensibly be interpreted as being a continuing obligation, so that when the plaintiff's bank account details changed it was required to provide written notice of that fact, pursuant to cl 1.7 of the New Supplier Information to the defendant.

  9. It says that as a matter of fact the plaintiff did provide that notice, because the email saying that its bank account details had changed was sent from the email account specified at page 1 of the New Supplier Information as being the plaintiff's email contact. 

  10. The defendant's position is that, in paying the value of the invoices to the fraudulent bank account, the defendant acted as it was required to do and in good faith and without notice of the fraud.  Having received written notice that the plaintiff's bank account details had changed, the defendant, in its submission, had no option other than to pay the funds at issue to the new bank account. 

  11. The defendant says that the plaintiff must be fixed with the consequences of its own failings, which in this case was an apparently valid notice which was sent from the email account nominated by the plaintiff.  The defendant, in its submission, should not bear the loss associated with a notice that was sent from Mr Harrington's email account.

  12. Insofar as the plaintiff's reliance on the doctrine of privity of contract is concerned, the plaintiff says that the fraudulent email was a notice for the purposes of the New Supplier Information.  Furthermore, the privity of contract argument overlooks the fact that the notice came from the contracting party's email account, which was the account that was nominated as being a contact detail.

  13. The defendant also made submissions about whether an email amounted to notice in writing.  I was told by the plaintiff's counsel that this was not in issue, and I proceed on the basis that an email is a notice in writing. 

  14. The plaintiff submits that a change in bank account details is not a 'notice required by these Terms'.  The notices required by these terms include the breach notice and termination notice in cl 9 of the New Supplier Information.

  15. The plaintiff also relies on the doctrine of privity of contract and says that a person who is not a party to a contract can neither enforce that contract nor incur any obligations under that contract.  In this case the fraudulent email was sent by the fraudster and not by a party to the contract. 

  16. Furthermore, on a proper construction, the plaintiff submits that cl 1.7 of the New Supplier Information prescribes the mode of communication for notices required under these terms.  It is not a contractual power that can change the legal relationship between supplier and purchaser.  It does not confer any rights on the defendant acting in reliance on such notices, or to specifically discharge any obligation or liability in relation to invoices. 

  17. The plaintiff also says that cl 1.7 of the New Supplier Information, on its face, does not deal with or address the consequences of relying on a notice. 

Ruling on the written notice point

  1. While the New Supplier Information contemplates the provision of its banking details by the plaintiff, there is no mention as to how those details are to be provided.  The New Supplier Information does not define the term 'notice'.

  2. There are express requirements for prior written approval by the defendant before the plaintiff could subcontract (cl 1.3) or vary the Services (cl 6.2).  Written notice had to be given for cancellation of purchase orders or breaches (cl 9.1 and cl 9.2 respectively).

  3. What appears to have been contemplated by the agreement is that notices affecting the rights of the parties under the agreement needed to be in writing.  The provision of banking details is not a notice of that type.  I am not satisfied that the requirement for the plaintiff to provide its banking details had to be in writing.

  4. However, the resolution of that question does not significantly affect the defendant's argument.  It maintains that it was required to pay the invoice after an apparently valid change of banking details was sent from the email account nominated by the plaintiff.  The defendant, in its submission, should not bear the loss associated with a notice that was sent from Mr Harrington's email account.

  5. In part, that argument relies on the defendant's contention that the change in banking details should be treated as having come from the plaintiff.  However, that submission is weakened somewhat by the steps the defendant took itself after receipt of the fraudulent email in making the telephone call and sending the Accounts Payable email.  It clearly had a measure of concern as to whether the fraudulent email came from the plaintiff.

  6. Furthermore, while the fraudulent email and the fraudulent invoice came from the email address nominated by the plaintiff, neither of those emails was in reality sent by the plaintiff.  They were sent by the fraudster.  In my view the position which the defendant asks me to accept does not reflect the reality of the situation.

  7. In my view, in the circumstances of this case, it is no answer to the plaintiff's claim to contend that the defendant was entitled to rely on the fraudulent email and fraudulent invoice as having come from the plaintiff.  Notwithstanding the use by the fraudster of the plaintiff's email account to send those emails, those emails did not come from the plaintiff.

  8. In my view the inference to be drawn is that the telephone call was instigated by the defendant because it had some doubt as to whether the fraudulent email had actually been sent by the plaintiff or because it was doing its due diligence.  There would be no need otherwise to telephone to check whether the plaintiff's bank details had changed.  Given the possibility of fraud associated with notifications of that type and given the large sum involved, the change of bank details nominated should have caused the defendant to make further enquiries.  It did make those enquiries, but those enquiries were inadequate.

  9. Ultimately the plaintiff did not provide the defendant with any notice that its bank account had changed.  Notice of that change, which was not true, was given by someone else.  If I were to uphold the defendant's submission it would permit the defendant to remain wilfully blind to the realities of the situation.  In my view such an interpretation would not reflect commercial reality.  It would also have the potential to encourage other fraudsters who could operate on the basis that no checks needed to be made by payers in these circumstances.

  10. I therefore do not accept the submission of the defendant on this point.

Civil Liability Act issues

  1. Section 5AK(1) of the Act provides:

    (1) In any proceedings involving an apportionable claim -

    (a) the liability of a defendant who is a concurrent wrongdoer in relation to that claim is limited to an amount reflecting that proportion of the damage or loss claimed that the court considers just having regard to the extent of the defendant's responsibility for the damage or loss; and

    (b) the court may give judgment against the defendant for not more than that amount.

  2. Section 5AI of the Act defines apportionable claim relevantly as follows:

    In this Part -

    apportionable claim means -

    (a) a claim for economic loss or damage to property in an action for damages (whether in contract, tort or otherwise) arising from a failure to take reasonable care (but not including any claim arising out of personal injury); or

    (b) a claim for economic loss or damage to property in an action for damages under the Fair Trading Act 2010 based on misleading or deceptive conduct;

  3. Concurrent wrongdoer is defined as:

    concurrent wrongdoer, in relation to a claim, means a person who is one of 2 or more persons whose act or omission caused, independently of each other or jointly, the damage or loss that is the subject of the claim.

  4. The plaintiff (par 8 of the defence to counterclaim) says that if the payment of $235,400.29 by the defendant to the fraudster's bank account was caused or contributed to by the plaintiff's breach of duty then the defendant's claim is an apportionable claim as defined in s 5AI of the Act.  It says that the defendant is a concurrent wrongdoer within the meaning of the Act.  The plaintiff also says that the fraudster is a concurrent wrongdoer and that the liability of the plaintiff, if any, to the defendant is limited to an amount reflecting that proportion of the damage or loss claimed that the court considers just in regard to the extent of the plaintiff's responsibility for the damage or loss. 

  5. The defendant says that if it is a concurrent wrongdoer then its liability should be reduced because it acted reasonably to pay the bank account having received instructions to do so from the plaintiff's email account and it should be reduced because it paid the monies intended for the plaintiff to the fraudster's bank account through no fault of its own.  The defendant says that its responsibility for the loss was limited, compared to the plaintiff's responsibility. 

  6. The plaintiff says that the fraudster should be held primarily responsible for the real and effective loss and damage.  The plaintiff also says that the defendant should bear significant responsibility because of its failure to verify the change in bank details by telephone.  The plaintiff says that the defendant's acts and omissions carry a strong causal potency in blameworthiness in acting without verifying the legitimacy of suspicious communication.  The plaintiff, in making that submission, relies on the formatting and grammatical errors about which I have already spoken.  The plaintiff says that the defendant should have taken basic precautionary steps such as not replying to the fraudulent email, calling the plaintiff from a telephone number and asking for confirmation in writing and over the telephone.  The plaintiff says that it is not to blame for the loss and damage.

  7. The defendant says that the fraudster and the plaintiff are concurrent wrongdoers for the purpose of the Act and that the apportionment should be 50% to the fraudster and 50% to the plaintiff, and the plaintiff's damages reduced by that share.  Andrews SC DCJ said in Factory Direct [145]:

    In determining the relative responsibility of concurrent wrongdoers for a loss, it is necessary to compare the blameworthiness and causative potency of the conduct of each of them.  Relevant factors include, but are not limited to, which of the wrongdoers was more actively engaged in the activity causing loss, and which was more effectively able to prevent the loss.

    (footnotes omitted)

  8. I have already found there was no duty.  Even if there was a duty, given my earlier findings, I am not in a position to find that the plaintiff caused or contributed to the defendant's loss.

  9. I do not have sufficient evidence to determine whether the steps the plaintiff took to secure its email account were insufficient.  I heard evidence that more stringent security would not stop a skilful and determined hacker.

  10. The question of the relative responsibility of concurrent wrongdoers is therefore not for me to decide.

Conclusion

  1. The plaintiff did the work required under the agreement and rendered an invoice.  There has been no contention that the work was not satisfactory.  The plaintiff is entitled to be paid for its work and has not been paid.  Whilst the actions of the fraudster are reprehensible, ultimately the defendant was in the best position to protect itself against the fraud.  Whilst the position the defendant finds itself in must engender sympathy, for the reasons which I have given I would make orders that there be judgment for the plaintiff in the sum of $191,859.16.

  2. I will order that the defendant pay interest on that amount at the rate of 6% per annum but will hear submissions from the parties as to from when that interest should accrue.  I will also hear the parties as to costs.

I certify that the preceding paragraph(s) comprise the reasons for decision of the District Court of Western Australia.

SK

Associate to Judge Massey

20 DECEMBER 2024
