<?xml version="1.0" encoding="ISO-8859-1"?> <docID>336781</docID> <postdate>2025-01-30 04:00:34</postdate> <headline>Double check to avoid the trap of paying twice </headline> <body><p><img class="size-full wp-image-336782" src="https://citynews.com.au/wp-content/uploads/2025/01/pexels-mikhail-nilov-6963098-resized.jpg" alt="" width="900" height="600" /></p> <caption>Criminal skills now include intercepting any email between seller and buyer and changing the details that are in the email and any attachment. Photo: Mikhail Nilov</caption> <p><span class="kicker-line"><span style="font-weight: 400;">Legal columnist </span><b>HUGH SELBY</b><span style="font-weight: 400;"> looks at the dangers of being scammed while paying bills by email without first double-checking the banking details. Get it wrong and you could be paying twice!</span></span></p> <p><b>If you send your bills by email, or if you have been paying bills received by email, then be warned.</b></p> <p><img class=" wp-image-271673" src="https://citynews.com.au/wp-content/uploads/2022/11/hugh-selby.jpg" alt="" width="423" height="347" /></p> <caption>Hugh Selby.</caption> <p><span style="font-weight: 400;">Here are a few examples of pending sorrow. </span></p> <ul> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Following an inspection at the seller’s home or dealership, you decide to buy a second-hand car. The seller emails you their banking details. You pay by EFT.</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">You seek legal advice. You sign a hard-copy costs agreement. That agreement includes the law firm’s banking details. Following receipt of the legal advice, you receive an emailed tax invoice that includes banking details. You pay by EFT to the invoice banking details.</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">You and your partner plan an overseas trip with a reputable travel agency. 
By email you receive the booking details for travel, accommodation and pre-paid tours. Another attachment is their tax invoice, which includes banking details. You pay by EFT.</span></li> </ul> <p><span style="font-weight: 400;">Sadly, criminal skills now include intercepting any email between seller and buyer and changing the details that are in the email and any attachment. The banking details, the phone contact for the seller, even the contact emails can all be changed before the (now fraudulent) email hits the buyer’s email inbox.</span></p> <p><span style="font-weight: 400;">Neither seller nor buyer knows about the interception. The buyer pays in good faith – but to a bank account that has no connection with the seller.</span></p> <p><span style="font-weight: 400;">The principle that will apply in most such cases is: the buyer has been scammed, but the seller is still entitled to be paid for their goods, advice or services, so the buyer will be paying twice.</span></p> <p><span style="font-weight: 400;">However, “most cases” does not mean “all cases”. Sellers must take steps to ensure that they cannot be found to have induced a buyer to rely on some representation from the seller that will shift the loss to the seller. </span></p> <p><span style="font-weight: 400;">The convenience and trust that most of us may have had in emails and their attachments has gone. Instead, the prudent buyer, and seller, must assume that their emails and attachments can be hacked and altered.</span></p> <h3><span style="color: #800000;"><b>Check before EFT</b></span></h3> <p><span style="font-weight: 400;">Do as follows: </span></p> <ol> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;"> If there is a written contract signed by the parties then it should include the banking and contact details to be used by the parties. In the legal advice example above the hard-copy costs agreement should include such details. 
It is those details, not any details in a later invoice, which govern the relationship between the parties.</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Because there is often no written agreement, just a spoken agreement as to what is to be done, by when, at what price, a buyer should not pay a seller’s invoice until they have verified the banking details with the seller (or the seller’s accounts person). This means either checking face to face at the seller’s business or checking by phone when the buyer is confident that they have the seller’s phone number. Having to go back and check like this is a hassle; however, better to be safe than very, very sorry.</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Sellers who are using invoicing software should carefully check the software supplier’s terms and conditions. What, if anything, is said about the risk of the invoices being hacked and/or payments being made to scammer accounts? If anything is said it is likely to shift any risk away from the software supplier and on to you. Because you do not want to spend a lot of money in a court case chasing a scammed buyer who paid a hacked invoice on such a system (relying upon its apparent defences against scammers) be sure to require the buyer – in writing – to contact you (face to face, or by pre-agreed phone number) before they pay the invoice.</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">If your invoicing – sending and paying – practices are anything other than very straightforward and infrequent, then seek accounting/legal/cybersecurity advice about what practices you and your staff should be following. </span></li> </ol> <p><span style="font-weight: 400;">Let’s be clear again – having to do this is a pain and a hassle. 
However, the plight of West Australian company, Inoteq, which has had to pay $191,000 twice, is such a dismal tale that the hassle seems necessary.</span></p> <p><span style="font-weight: 400;">The case of </span><i><span style="font-weight: 400;">Mobius Group Pty Ltd v Inoteq Pty Ltd</span></i><span style="font-weight: 400;"> was decided in Perth just before Christmas. Mobius had done work for Inoteq and invoiced them. A fraudster hacked Mobius’ email account and then sent Inoteq an email from the same email address telling Inoteq that Mobius’ bank details had changed. Payment was to be made to the scammer’s "new" account. </span></p> <p><span style="font-weight: 400;">Inoteq called an expert who explained how the scam was performed. Everyone else should note:</span></p> <ol> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">the PDF original invoice was likely modified with a PDF editor and then resent;</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">it is possible to implement a system to prevent email impersonation, but the uptake to date in Australia is low; and,</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">multi-factor authentication (MFA) should be required for email, banking, and all business-critical online services. However, it can be breached.</span></li> </ol> <p><span style="font-weight: 400;">To “buyer beware” add, “…and sellers, too”.</span></p> <p><i><span style="font-weight: 400;">Hugh Selby, a former barrister, is the CityNews legal affairs commentator. His free podcasts on “Witness Essentials” and “Advocacy in court: preparation and performance” can be heard on the best known podcast sites.</span></i></p> </body>