After business email compromise, tribunal forces ACT company to pay debt, again

Falling victim to cybercrime doesn’t exempt companies from their normal financial obligations, an ACT tribunal has held in a ruling that serves as a “cautionary tale” to company directors about the degree to which cybercrime’s financial impact can extend far beyond the initial compromise.

The recently-published ruling, by the ACT Civil & Administrative Tribunal, related to a March 2021 incident in which Canberra Hydraulic Engineering Services (CHES) director Nathan Jess ordered a $5,499 piece of equipment from cleaning supplies firm RapidClean DRB, with the equipment to be collected upon payment of the invoice.

The next morning, CHES received an emailed MYOB invoice along with a note advising that the company’s bank details had changed.

CHES paid the invoice — but when RapidClean had not received the payment after several days, investigations revealed the account detail switch and confirmed that the emailed invoice was not the one sent by RapidClean’s MYOB system.

Jess initiated a bank investigation — which would ultimately take six months and prove fruitless when the bank refused to provide details of the actual account recipient — and called in the Australian Federal Police and Australian Cyber Security Centre (ACSC), neither of which, the ruling noted, “were particularly helpful”.

An investigation by MYOB concluded that that CHES’s email account “had likely been breached”, with the emailed invoice intercepted and then modified before being delivered the next morning.

The case hinged on the question of whether Canberra Hydraulics had discharged its debt by paying the invoice, or whether RapidCleanDB, which sent the correct invoice and had no subsequent responsibility for its content, was still owed the amount of the equipment purchase.

Ultimately, the Tribunal ruled that although the invoice was modified by “a third-party intercepting the email that was sent from the applicant… Responsibility for correct payment rests with [CHES] and it was incumbent up [them] to exercise case in ensuring payment was made.”

CHES was ordered to pay the amount of the invoice, plus fees — effectively meaning that it had to purchase the new equipment twice, with total losses of $11,328.

Because it was ruled to have been a “victim of third-party fraud”, the decision noted, CHES may be able to claim the costs on its business insurance policy.

Email compromise BEComing worse every year

The case is just one drop in the flood of business email compromise (BEC) being recorded annually, with a new analysis by Abnormal Security noting that the number of BEC attacks per 1,000 mailboxes surged by 84% in the second half of 2021 – driving a 22.6% increase in the percentage of global BEC attacks as a proportion of all security attacks.

“Because the threats contain few indicators of compromise they evade secure email gateways and other traditional systems, landing in employee inboxes where they can cause significant damage,” says the report.

Significantly, the analysis found that BEC scammers were backing away from the once-popular tactic in which they pretended to be company executives ordering their subordinates to change account details or pay fraudulent invoices on short notice.

The incidence of such executive-targeted invoice fraud tactics declined by 32.7% globally during the second half of last year – yet at the same time, Abnormal noted, the number of attacks targeting executives increased by 24% during the same period.

For all the attention focused on surging ransomware attacks, BEC attacks have continued to grow by leaps and bounds, with a recent US FBI advisory noting that losses to BEC scams increased by 65% between July 2019 and December 2021.

And while law-enforcement authorities are working worldwide to track down BEC operators and cybercriminal gangs – the takedown of Russia’s REvil ransomware group was one notable win this year – INTERPOL Cybercrime Threat Response officer Doug Witschi told a recent webinar from Fortinet that “we’re not going to arrest our way out of this”. Witschi is a former Australian Federal Police detective and counter-terrorism specialist who engages with INTERPOL’s global partners from his base in Singapore.

“We need all people working together collegiately and collaboratively and that’s not easy. It takes trust, confidence, and a whole range of issues in relation to this type of threat, but we need to start to work through those issues and challenges. Whether espionage, cyber terrorism, or cybercrime, the tactics and techniques used across these activities are almost identical. It’s just the motivation of people that are generally changing,” Witschi said.

And while the Canberra Hydraulic incident is notable for its ruling that the company was still liable for the debt despite having already paid in good faith, ACT-based legal firm MV Law noted in an overview of the case that “more complex arguments may become relevant” in cases where larger losses are involved and parties “obtain comprehensive expert evidence as to the precise source of the security breach”.

The contractual arrangement between the parties may also be relevant, the analysis found, as it may in fact deal with the allocation of the risk of fraud. “This decision serves as a timely reminder for businesses and consumers in the era of frequent cyber fraud to take steps to reduce the risk of an email scam causing the loss of money,” said the report.