Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
No crime is victimless.
It may seem like an obvious statement. However, when it came to the crime of Business Email Compromise (BEC), for a long time a question mark hung over which party bore ultimate responsibility for footing the bill.
Thanks to a recent court ruling in the ACT Civil and Administrative Tribunal, that question mark no longer exists.
An Australian court has ruled that the onus is on the payer to ensure they are paying funds to the correct recipient. And in the event a victim of BEC erroneously sends funds to a cyber-criminal, they are still responsible for ensuring the payee receives any funds owed to them.
In this blog we will explore this precedent-setting case and what it means for all Australian businesses.
On 24 March 2021, Canberra Hydraulics, a Canberra-based diesel-fitting business, contacted DRB Equipment about purchasing machinery valued at $5,499. The two parties agreed that DRB Equipment would send an invoice to Canberra Hydraulics. Once paid, the machine could be delivered.
The next day, 25 March 2021, Canberra Hydraulics received an email from ‘AccountRight@apps.myob.com’ containing the following message:
Dear Customer:
Our banking details have changed please ensure your records are now updated to reflect the information listed on your attached invoices
Please contact us immediately if you are unable to detach or download you Invoice. Thank you
Despite the message containing obvious grammatical errors and conveying a sense of urgency, both common indicators of a malicious email, Canberra Hydraulics failed to recognise it as suspicious.
This dubious email also contained an attachment with banking details, ostensibly for DRB Equipment’s bank account.
Without any further investigation, such as calling DRB Equipment on a known number to verify the bank account details in the email, Canberra Hydraulics proceeded to transfer $5,499 to the bank account specified in the attachment.
Over subsequent days, a representative of Canberra Hydraulics contacted DRB Equipment numerous times to check whether they had received the funds. It soon became apparent something was not right.
Realising that the email purporting to be from DRB Equipment was not authentic, Canberra Hydraulics contacted its bank, ANZ, on 29 March 2021 seeking to stop the payment and recover the funds.
Meanwhile, in an act of good faith, DRB Equipment provided the machine to Canberra Hydraulics.
DRB Equipment reported the incident to both the Australian Federal Police and the Australian Cyber Security Centre, thinking they could assist in retrieving the funds. Needless to say, that is not easily achieved once an EFT payment has been processed.
It took the ANZ Bank some seven months to conclude its investigation into the incident. Frustratingly, the bank advised the parties that it would not be possible to recover the funds. Furthermore, the bank could not divulge the name of the recipient of the funds due to privacy considerations!
There is an important lesson in this for any Australian business that finds itself a victim of BEC: All too often the banks and law enforcement agencies remain powerless to help you recover stolen funds.
Both parties conducted detailed forensic investigations in an attempt to uncover precisely how the BEC attack had been executed.
DRB Equipment had MYOB, the manufacturer of its accounting software, investigate whether its systems had been compromised in this incident. MYOB found that DRB Equipment had used the software to generate an accurate invoice on 24 March 2021, the same day the initial conversation occurred between the parties.
Canberra Hydraulics claims not to have received this email.
MYOB concluded there was no evidence of any breach in its systems. It argued that cyber-criminals, having breached Canberra Hydraulics’ email system, intercepted the original accurate email, altered its contents and on-sent it to Canberra Hydraulics the next day.
Either way, the court argued it did not matter in whose systems the breach took place.
Irrespective of whether the breach occurred in DRB Equipment’s accounting system or Canberra Hydraulics’ email system, the court ruled that the former’s debt recovery action was legitimate.
As a debt recovery action, the onus was on Canberra Hydraulics to prove they had paid DRB Equipment. The fact they had processed a payment to cyber-criminals did not obviate their responsibility to pay the debt owed to DRB Equipment.
As such, Canberra Hydraulics remained liable for paying $5,499 to DRB Equipment for the machine.
According to the judgement:
“Responsibility for correct payment rests with the respondent (Canberra Hydraulics) and it was incumbent upon the respondent to exercise care in ensuring payment was made.”
When it comes to paying invoices, there’s no excuse – you need to exercise extreme caution that you’re paying the intended recipient.
Even if you’re the victim of BEC, you still remain liable for paying the debts you owe others.
You also should not assume that banks or law enforcement agencies have the ability to track down and recover your funds.
That’s why prevention is the only answer!
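The control this case keeps pointing to is simple to state: a payment to a supplier is released only when the bank details on the invoice match what you already hold, or when a change has been confirmed by calling a number you held before the invoice arrived, never one supplied in the email. The Python below is an added example written for this post; it is not Eftsure’s product or code, and every vendor, BSB, account number and phone number in it is a constructed placeholder.

```python
"""Payee-change control for accounts payable (illustrative, not a real product).

A payment is released only if the invoice's bank details match the vendor
master record, or if the changed details were verified by a callback to the
phone number held on file from onboarding. Details or phone numbers that
arrive in the invoice email itself are never trusted for verification.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorRecord:
    name: str
    bsb: str
    account: str
    phone_on_file: str  # captured at onboarding, independent of any invoice


@dataclass(frozen=True)
class Invoice:
    vendor: str
    amount: float
    bsb: str
    account: str
    sender: str  # From: address as presented; informational only


@dataclass(frozen=True)
class CallbackVerification:
    vendor: str
    bsb: str
    account: str
    phone_called: str  # number the AP clerk actually dialled
    verified_on: date


def check_payment(invoice: Invoice,
                  master: dict[str, VendorRecord],
                  verifications: list[CallbackVerification]) -> tuple[bool, str]:
    """Return (release?, reason). Holds by default when anything is unverified."""
    record = master.get(invoice.vendor)
    if record is None:
        return False, "HOLD: no vendor master record; onboard the supplier first"
    if (invoice.bsb, invoice.account) == (record.bsb, record.account):
        return True, "RELEASE: bank details match vendor master"
    for v in verifications:
        same_vendor = v.vendor == invoice.vendor
        same_details = (v.bsb, v.account) == (invoice.bsb, invoice.account)
        trusted_channel = v.phone_called == record.phone_on_file
        if same_vendor and same_details and trusted_channel:
            return True, "RELEASE: changed details verified by callback to number on file"
    return False, ("HOLD: bank details differ from vendor master and no callback "
                   "verification to the number on file exists")


# Constructed sample data. Amount mirrors the case in the post; all identifiers
# are placeholders and do not belong to any real account or business line.
VENDOR_MASTER = {
    "DRB Equipment": VendorRecord("DRB Equipment", "000-001", "00000001", "+61-2-0000-0001"),
}
ALTERED_INVOICE = Invoice("DRB Equipment", 5499.00, "000-002", "00000002",
                          "AccountRight@apps.myob.com")


def demo() -> list[str]:
    """Walk the three outcomes a clerk could hit with the altered invoice."""
    results = []
    # 1. Details changed, nobody verified anything: payment is held.
    _, r1 = check_payment(ALTERED_INVOICE, VENDOR_MASTER, [])
    results.append(r1)
    # 2. Clerk 'verified' by calling a number printed in the suspicious email.
    bad = CallbackVerification("DRB Equipment", "000-002", "00000002",
                               "+61-2-0000-9999", date(2021, 3, 25))
    _, r2 = check_payment(ALTERED_INVOICE, VENDOR_MASTER, [bad])
    results.append(r2)
    # 3. Clerk called the number held on file; only then is release allowed.
    good = CallbackVerification("DRB Equipment", "000-002", "00000002",
                                "+61-2-0000-0001", date(2021, 3, 25))
    _, r3 = check_payment(ALTERED_INVOICE, VENDOR_MASTER, [good])
    results.append(r3)
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second scenario is the one that matters: a callback made to a number that arrived with the invoice proves nothing, because the attacker controls that number as surely as they control the account details, so the check deliberately compares the dialled number against the onboarding record and nothing else. In the case above, a single call to DRB Equipment on its existing number would have produced outcome three, or exposed the fraud.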
Eftsure’s unique fraudtech solution sits on top of your accounting processes, allowing you to verify in real-time whether you’re paying the intended recipient. So, next time cyber-criminals manipulate banking data in supplier invoices, you can ensure you don’t become a victim of BEC.
Contact Eftsure today for a full demonstration of how we can protect your payment.