If you pay a debt to the wrong account because of a fraud you could well be required to pay twice.

In the past three years losses due to business email compromise have risen from $3.8 million1 to $132 million2.

Typically such frauds take the form of a "man in the middle" attack where fraudsters insert themselves between a business making a payment (payer) and the intended recipient (payee). Access to email credentials can be gained in a number of ways, including by an email phishing attack. The fraudsters then send an email changing the account details of the intended payment to an account they control. Once the payment is made the funds are immediately forwarded on in ways that elude tracing. The two innocent businesses are then left to deal with the loss.

Increased awareness of the risk of such scams has resulted in:

  • better email credential protection using unique complex passwords that are regularly changed;
  • greater awareness of email phishing attacks;
  • verification of payee account information and changes by telephone;
  • offering of specialised "cyber" insurance policies or increased cover to manage such risks.

Litigation generally occurs when the payer refuses to make what they regard as further payment and the payee sues on the basis that the fraudulent payment has not discharged the original obligation.

In Australia a number of instances of such fraud are working their way through the Courts, but none have yet resulted in superior court judgments.

In a case in the United Kingdom last year, the High Court refused leave to appeal from a GAFTA Board of Appeal, effectively upholding the contractual analysis of risk carried out by the Board. A JLex note of the case3 referred to the possibility that a future case might address the issue of whether fault could displace contractual allocation of risk. In the UK case the evidence did not establish that compromise of the emails was the fault of either party.

In Australia, however, the starting point for analysis is set out in Federal and State legislation which effectively provides:

.... unless otherwise agreed between the purported originator and the addressee of an electronic communication, the purported originator of the electronic communication is bound by that communication only if the communication was sent by the purported originator or with the authority of the purported originator4.

In this context, the term "purported originator" means the person from whom an electronic communication, such as an email, appears to have been sent.

The effect of this provision is that a person from whom an electronic communication appears to have been sent will be bound by that communication only if the communication was actually sent by that person or with his or her authority.

So, for example, if a purchaser of goods receives an email advising of an account number to which the purchaser should transfer funds in payment, and the email has in fact been sent by a fraudster who has provided a false account number, a payment made by the purchaser to that false account will not discharge the purchaser's payment obligation. That is, the vendor won't be bound by that payment, because the email was not actually sent by the vendor or with his or her authority.

In short therefore, unless the parties agree otherwise, the risk is with the purchaser and he or she may have to pay a second time if the validity of the first payment is challenged by the vendor.

Pointon Partners can assist in drafting contractual terms that alter the above position and shift the risk of business email compromise. This may be appropriate where:

  • a specialised form of communication which reduces such risk has been agreed between the parties and they wish to enable each other to rely upon communications through such channel; or
  • Insurers require that contractual documents alter the allocation of risk under the legislation.



2 https://www.scamwatch.gov.au/news-alerts/business-email-compromise-scams-cost-australians-132-million

3 https://jlex.com.sg/2019/11/19/notes-from-the-bar-who-bears-the-loss-of-cyber-fraud/

4 Electronic Transactions Act 1999 (Cth), s.15; Electronic Transactions (Victoria) Act 2000, s.14(1); Electronic Transactions Act 2000 (NSW), s.14(1); Electronic Transactions (Queensland) Act 2001, s.26; Electronic Communications Act 2000 (SA), s.14; Electronic Transactions Act 2000 (Tas), s.12; Electronic Transactions Act 2011 (WA), s.16 and Part 3.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.