In this piece, Holding Redlich Partner Jessica Tsiakis and Senior Associate Gemma Hannah discuss how small-business owners can protect themselves from the rising threat of invoice substitution scams.
Small businesses are losing millions to invoice substitution scams, a type of fraud where criminals intercept invoices and change the banking details to their own.
Unfortunately, invoice scams are becoming more prevalent. New technologies, such as AI, are offering criminals increasingly sophisticated means to steal from business owners.
And, to top it all off, the law is putting much of the responsibility on small businesses to protect themselves and others from being stung.
A recent decision handed down by the Western Australian District Court, for instance, may have substantial ramifications for how fraud and invoice scams are treated.
Mobius Group Pty Ltd v Inoteq Pty Ltd
Mobius, an electrical contractor, was engaged by Inoteq on a Rio Tinto project. After completing the work, Mobius issued invoices totalling $235,400 in 2022.
Before payment was made, however, a hacker gained access to Mobius’ email account and sent fraudulent emails requesting that Inoteq update Mobius’ bank details. Inoteq, unable to reach Mobius by phone, sought confirmation via email. The hacker provided fraudulent proof, and Inoteq proceeded with payment. On discovering the fraud, Mobius contacted police and the bank, which recovered only part of the funds.
Mobius then sought repayment on the basis that Inoteq had not fulfilled its contractual obligation to pay the invoices.
The Court held that while Inoteq had taken some steps to verify the account change, relying on an email response rather than a follow-up phone call was inadequate, and the Court found in favour of Mobius for $191,859.16 plus interest.
On 20 December 2024, Judge Massey delivered judgment ordering Inoteq to pay over $190,000 to Mobius, despite Inoteq having already made payment pursuant to the fraudulent instructions.
How can small businesses protect themselves?
Data from the Australian Competition and Consumer Commission (ACCC) shows a recent surge in false billing scams, with reported cases increasing from 13,120 in 2020 to 39,587 in 2023.
In 2023 alone, small and micro businesses reported losses of $17.3 million, with false billing accounting for $11.8 million. While losses fell to $7.9 million in 2024 – a decline attributed to efforts by the National Anti-Scam Centre – scams continue to impose serious financial strain, particularly on small enterprises that often lack the resources to implement advanced cyber protections.
Phishing and investment scams are also increasing in sophistication. In 2024, phishing was the second most commonly reported scam among small businesses, and investment scams, while fewer in number, caused the highest losses per incident.
With this increase in scams, small businesses can protect themselves by:
- Using proper verification systems: Businesses are not automatically excused from liability for losses caused by third-party fraud, particularly if the target could have done more to verify the payment instructions. Therefore, businesses should implement multi-layered verification protocols, such as confirming payment changes by phone or in person.
- Reviewing contractual terms: Businesses should establish clear contractual terms which stipulate the conditions under which payments can be made, and review third-party agreements.
- Providing additional staff training: Ensure all staff are trained in handling suspected fraud. Programs available in the market and in-house sessions provided by financial institutions can be used to improve awareness and resilience.
How is Australia responding to the increase in scams?
With scams continuing to rise in scale, the Australian Government introduced the Scam Prevention Framework Act 2025 (Act), which commenced on 21 February 2025.
The Act establishes the Scam Prevention Framework (SPF), now incorporated into the Competition and Consumer Act 2010, and places clear obligations on businesses. Companies must ensure actionable scam intelligence is reported and shared with the ACCC to support broader scam prevention efforts.
The consequences for non-compliance with the Act are significant and two-tiered, reflecting that some contraventions are more serious than others. For a tier 1 contravention (breaches relating to preventing, detecting, disrupting and responding to scams), bodies corporate face fines of up to $52.7 million and individuals up to $2.6 million. For a tier 2 contravention (breaches relating to reporting and governance), bodies corporate face fines of up to $10.5 million and individuals up to $528,000.
These penalties underscore the growing regulatory focus on corporate responsibility in mitigating scams and financial fraud, and the importance of businesses taking proactive measures to protect themselves.