Payment redirection fraud – who does (and who should) bear the loss in fraudulent banking transactions, and is Australia’s electronic banking system fit for purpose?
This article was presented at the IEEE International Symposium on Technology and Society 2022 held in November 2022. The article has published in IEEE Xplore and is © The Institute of Electrical and Electronics Engineers, Incorporated (the "IEEE"). The article is reproduced with permission from IEEE.
Simone Herbert-Lowe[1]
Law & Cyber
Sydney, Australia
Contact
Abstract
The banking system is part of Australia’s critical infrastructure, and integrity and trust in transactions is essential to our financial system. This paper describes the losses incurred by victims of payment redirection fraud that occurs in real transactions, due to cyber events and email scams, and the difficulties victims face in recovering what are often very substantial losses. It argues that present levels of cybercrime in conjunction with the adoption of electronic banking in its present form has effectively transferred the risk of fraud in banking transactions from banks to the community. The article explores whether it is realistic to expect that Australian individuals and businesses have sufficient cybersecurity resources or knowledge to protect themselves from cyber risk and email fraud at a time when cybercrime is prevalent and often perpetrated by organised crime, but education is neither widespread nor comprehensive.
The article analyses victims’ legal rights in cases involving business email compromise and other scams impacting genuine transactions, and concludes that customers and others caught up in fraudulent transactions have little practical legal recourse against the criminals responsible or banks who could do significantly more to prevent scams from succeeding. While Australian banks are best placed to introduce greater protections for customers, they have not implemented measures used by banks elsewhere, and they also resist legal responsibility for their customers’ losses of this nature. The paper argues that technological changes in financial transactions has resulted in a transfer of legal rights and power away from the consumers of banking services to banks, that it is not realistic to expect that individual customers bear the burden of either knowledge of or investment in this area and that present electronic banking arrangements leave the community, and particularly vulnerable consumers of banking services, exposed to serious financial loss.
1. Cybercrime Globally
Globally, the cost of cybercrime is estimated to reach $US10.5 trillion by 2025.[2] According to Cybersecurity Ventures, if cybercrime were a country, it would be the third largest economy in the world, it will lead to the biggest transfer of wealth in human history, and will soon exceed the value of the international drugs trade for all major illicit drugs combined.[3]
In Australia, government reports indicate that cyber security incidents now cost businesses more than $33 billion annually, and that one in three individuals have been affected.[4] The Australian Cyber Security Centre (ACSC) received 22,000 calls to its cyber hotline in the 2020/21 financial year, an average of 60 per day and an increase of more than 310% over the previous year.[5]
2. The impact of technological change on the ability to commit fraud
Fraud involves the dishonest obtaining of (i) property belonging to another, (ii) any financial advantage or (iii) the causing of any financial disadvantage by deception.[6] Fraud is a serious offence that in New South Wales is punishable by imprisonment for up to 10 years. The element of deception is the key difference between fraud and crimes involving theft, such as larceny or stealing.
Recent years have seen a significant transformation in relation to payments processes which have increased the ability for criminals to commit fraud using electronic funds transfer processes. A serious type of cybercrime is payment redirection fraud, in which electronic banking transactions are used to facilitate fraud in genuine transactions.[7] In these cases a payment to the wrong bank account is approved by the victim (the transferor), who has been deceived by a fraudster into believing they are making a payment to the genuine vendor or service provider, when in fact the bank account they are transferring money to is in some way connected with or controlled by the cyber-criminal.[8]
In the past, large funds transfers were generally made using cheques, including bank cheques, which could take days to "clear". The lengthy period during which cheques were cleared allowed for a verification process to occur between financial institutions and provided an opportunity to identify payments which had not been genuinely authorised by the payer. Many if not most members of the Australian community experienced this arrangement, and many continue to expect that banks will carry out some form of account checking process before effecting large funds transfers. It is the bank that bears the burden of the loss in the case of forged cheques, and attempts by banks to expand the scope of customers’ duties, other than through contractual provisions, were largely unsuccessful before the courts.[9]
However, the transfer of money authorised by cheques and the verification process described above has been largely superseded by electronic funds transfers (EFTs) which can be almost instantaneous. While electronic transfers provide convenience for those wanting quick access to funds, they also mean that once funds are paid to a bank account, those funds can be withdrawn almost immediately, including in circumstances where they have been paid into an incorrect bank account. Where fraud is involved, the funds are often withdrawn from an account almost immediately and the funds transferred overseas or into a cryptocurrency exchange where they are unlikely to be capable of being traced.
Under the current automated payments regime, banks no longer check to ensure that the name and number of a bank account into which funds are directed actually match. This means that where a customer authorises a transfer, but provides a bank account number that does not match the expected account name, the transfer occurs into the bank account regardless. Banks now routinely provide warnings before processing electronic funds transfers that they do not check that bank account details match the names of bank account holders. These warnings generally state that checking the accuracy of bank account details is the responsibility of the person authorising the funds transfer and not the responsibility of the bank. However, there is currently no independent means for consumers to check that bank account details they have received from a payee are accurate or legitimate. As most business communications now occur via email this means that payment directions are vulnerable to being falsified as described in more detail in Section III below.
During the same period as this transformation in business payment process has taken place, there has been a global increase in access to and use of the internet, meaning that fraudsters now have increased opportunities to commit frauds against persons with whom they may otherwise have little or no connection, by sending fake emails or other electronic communications containing malicious software designed to capture banking or other account information. The frequency of data breaches[10] impacting personal information relating to large numbers of individuals further amplifies the risk of identity fraud, which has been described as one of the world’s fastest growing crimes.
According to the Australian Government’s Department of Home Affairs, identity crime continues to be one of the most common crimes in Australia:
According to the Australian Institute of Criminology (AIC), the annual economic impact of identity crime exceeds $2 billion. A survey by the AIC found that … 1 in 4 Australians have been a victim of identity crime at some point in their lives … In addition to facilitating the commission of other offences, organised crime groups may also sell stolen identity information to other criminal networks. When a person has their identity stolen, they may experience repeated victimisation. In this way, organised crime groups can use fraudulent identities to cause considerable financial loss. The Australian Criminal Intelligence Commission rates identity crime as a key enabler of serious and organised crime, which costs Australia around $36 billion annually.[11]
Another feature of modern business life is the use of email which is extremely fast, cheap and convenient to use. Email is the preferred way of delivering communications for many if not most types of businesses today. Email was originally designed as an almost instant way for sharing messages between individual programmers and researchers rather than simply from one computer to another,[12] and it was never designed for the purpose of exchanging confidential financial information.
Key risk factors in using email for important communications include the potential for hackers to obtain unauthorised access to email mailboxes using a variety of methods, such as exploiting weak login credentials or compromised passwords or by using malicious software, and for emails to be sent by criminals who can readily impersonate others using fake display names or email addresses that closely mimic the legitimate email addresses of other persons. Cybercriminals who are able to access another person’s email mailbox can search for pending transactions and create fake documents containing fraudulent payment directions, or amend bank account details by manipulating genuine documents.
3. Fraud impacting the community via business email compromise
Business email compromise (BEC) describes the use of email to facilitate funds transfer fraud or payment redirection scams. There are typically two ways this occurs.
The first type of BEC involves actual infiltration of another person’s email account by a fraudster, often via phishing techniques or compromised login credentials. The second form of BEC can occur without any access to an individual’s email mailbox, and relies on pure impersonation fraud using social engineering techniques.
Business email compromise has become increasingly prevalent in Australia and internationally. In a Public Service Announcement entitled "Business Email Compromise: The $26 Billion Scam" dated 10 September 2019[13], the Federal Bureau of Investigation stated that United States and international losses had totalled $26,201,775,589. According to a report published by the ACCC in June 2020, BEC scams are the most financially harmful scam affecting Australian businesses, with combined losses of over $132 million in 2019.[14] It is generally accepted that business email compromise scams are under-reported[15] because of their personal nature which can cause embarrassment, and because the prospect of recovering lost funds is often low. In August 2021 the ACSC issued an alert[16] about an increase in BEC scams impacting property transactions, and in which the targets were lawyers, conveyancers, mortgage brokers and their clients.
BEC can range from relatively obvious scams sent in email blasts to thousands of recipients, in the expectation that only a few victims will actually make a payment, to highly sophisticated schemes in which a particular person or business is targeted. These latter types of scams sometimes include a lengthy period of "grooming" the victim. Examples of sophisticated BEC scams include the defrauding of aircraft parts manufacturer Fischer Advanced Composite Components AG, which lost €42 million in a BEC fraud,[17] and a fraud against Italian company Technimont SpA which was defrauded of US$18.6 million when employees in an Indian subsidiary paid out funds after receiving fake emails from an email account that was deceptively similar to that belonging to the group CEO who was based in Italy. In this case fraudsters used fake emails in combination with a series of conference calls which impersonated the Italian CEO, senior executives and a lawyer based in Switzerland.[18]
In August 2019 the Law Society of NSW[19] reported that more than $6,360,000 had been defrauded from lawyers’ trust accounts in 37 successful instances of cybercrime and that there were many other frauds that were narrowly averted. More recent annual figures are not publicly available but there is no doubt the total losses are now much greater. The writer is personally aware of many frauds impacting Australian property and legal professionals and their clients. It is important to note that while many of these scams do not involve any cybersecurity breach, they nevertheless rely on the use of a combination of email, the internet and electronic banking for the fraud to succeed.
4. Offenders and victims
It is unusual for victims of electronic payment redirection fraud to be able to identify the criminals involved. Although banks require stringent identification processes for opening accounts under “Know Your Customer” requirements,[20] the holders of the accounts into which the defrauded amounts are deposited are deposited are often themselves the victims of scammers, or otherwise vulnerable individuals who provide their bank account details after being duped into doing so, and for this reason they are known as "money mules". Such individuals generally are not prosecuted and any theoretical rights of recovery against them are generally worthless as they are usually tricked into transferring the funds from their bank account immediately. In other cases, the bank has outsourced the verification process to an external entity and does not itself keep a record of the identity documents used by the account holder at the time the account was opened online, making it impossible for the victim to know whether the nominal owner of the account was indeed the fraudster or whether they were also impersonated as part of the fraud.
Once a victim’s funds have been paid into the wrong bank account following a fraudulent communication, they are generally then moved into other bank accounts, often in multiple transactions so as to avoid triggering bank "red flags", and these other bank accounts are frequently held overseas. For example, in one case involving a fraudulent withdrawal from a Victorian legal practitioner’s trust account following compromise of the practitioner’s email service, $110,000 was transferred from the firm’s trust account in a series of transactions. Money was transferred to digital bank accounts set up by the criminal and BPAY payments were also made to a bitcoin market website.[21]
In some scams the amounts defrauded are relatively small, but this is not always the case, particularly where the transactions impacted involve the sale and purchase of real property and property transfers are now effected electronically via an electronic lodgement network.[22] In Australia, residential real estate is now worth 28.2% more than the estimated value of superannuation, the ASX and commercial real estate combined,[23] making real estate transactions a prime target for BEC scams. The amounts involved mean some victims face financial ruin,[24] and many victims will seek to bring a claim for damages against someone who is present in the jurisdiction and ideally insured, such as a lawyer, or other professional advisor who they believe failed to take sufficient steps to protect them from the fraud. However, these professionals are generally also innocent of any intentional wrongdoing meaning that these legal fights essentially pit victim against victim while the perpetrator escapes unscathed with the funds.
Despite efforts by many sources to educate the community, including government agencies and banks, scammers employ increasingly sophisticated techniques to manipulate people, and even the most effective education campaigns cannot hope to prevent all scams from succeeding. It is important to note that while scamming may once have been the domain of a lone offender, cybercrime is now the province of international organised crime gangs that provide resources, including detailed scripts for deceiving victims using social engineering techniques.[25] "The criminals involved in this are definitely masters of manipulation. This is their job and they're very good at it, and they're very proud of being good at it." [26]
With such a sophisticated criminal business model in place to exploit individuals, it is arguably highly unrealistic for banks to expect detection by individual customers to be the key defence against scams occurring. Members of the community impacted may range from "digital natives" to older citizens who are relatively unfamiliar with technology and the various ways they may be defrauded. Even commercially savvy individuals and businesses are liable to be scammed, as both government statistics and examples cited above demonstrate - victims include highly intelligent individuals who have not been trained to recognise the signs of scams, who have been misled by someone they trust or who in a moment’s inadvertence have been deceived into believing the contents of a fraudulent email, with many businesses not even knowing their email service has been compromised until after a funds transfer fraud is discovered.
5. Actions for compensatory damages
Because perpetrators generally cannot be traced, victims of BEC frauds are usually unable to recover their funds unless they can find another identifiable party whom it is possible to sue for compensatory damages. Depending on the individual facts, such a party could be another participant in a transaction, a professional advisor or someone else.
For example, where a building products supplier contracts with a customer, and a hacker infiltrates the supplier’s email account, the hacker might reissue and amend the payment details of a legitimate invoice, and then send it on to the unsuspecting customer. After the customer pays the invoice as directed by the details on the fraudulent invoice, and the parties discover that a fraud has occurred, there will likely be a dispute as to which party is required to bear the loss. The supplier will no doubt argue that as they have not received payment, the account remains outstanding and liable to be paid, particularly if the invoice contained inaccuracies that arguably should have alerted the customer that it was fraudulent. The client, on the other hand, will argue the supplier should not be able to pursue payment as the fake email was in fact sent from the supplier’s business email account upon which the client is entitled to rely as a legitimate business communication. Disputes such as these occur across all areas of commerce and the legal position remains uncertain due to a lack of precedents, so for this reason many cases are abandoned or settled.
In the case of a property transaction, where money has been paid to the wrong account in error by a professional such as a lawyer, conveyancer or real estate agent, the victim of the loss might seek to bring a claim for breach of the contract to provide professional services or for negligence.
However, even in cases where such plaintiffs are able to establish liability on the part of another person or entity, they may not be able to recover all their losses. Legal actions for damages are usually based on allegations of breach of contract or negligence, but apportionment of liability legislation operates to require the courts to apportion liability in actions for breach of duty to all wrongdoers who are found to have contributed to the loss, even where one of person responsible, such as the cybercriminal, is not a party to the proceedings.[27] This means that if, for example, a court decides that an unidentified cybercriminal was 90% responsible for a plaintiff’s loss, and the victim’s lawyer or conveyancer was 10% liable for failing to take reasonable care, either by taking adequate steps to protect their email service or by warning their client of the risk of transferring money based on payment directions received by email, the plaintiff’s actual recovery of damages might only be 10% of their total loss. It should be noted, however, that there is very little judicial guidance in this area as claims rarely proceed to judgment.
For professional trustees, such as superannuation funds and law firms who pay money out of a trust account in error as a result of fraudulent payment directions, the risks are particularly significant because of the onerous nature of legal duties placed on trustees. Where a trustee pays money to the wrong person there is a breach of trust, even where the trustee is also the victim of fraud. Two of the most important duties of a trustee are to protect the trust property and to only pay money out of trust when it has been appropriately authorised. The fact that a trustee was deceived into paying money out of trust does not prevent a finding of breach of trust – one of the very duties of a trustee is to protect the beneficiary from fraud.
Actions for breach of trust in these circumstances are more difficult to defend than actions for breach of contract or negligence. While a defence of contributory negligence or apportionment of liability can apply to an action based on a breach of duty, where the trustee's liability is not predicated on a failure to take reasonable care, but on other breaches, such as a failure to account or payment from a trust account without authority, a statutory apportionment defence is unlikely to be available.[28] Further, while trustee legislation may include provisions enabling a trustee to be excused for the breach of trust where they have acted honestly and reasonably, this relief is rarely granted in the case of professional trustees, and the defence is unlikely to assist a trustee who has failed to take reasonable steps to prevent the fraud occurring, given the number of warnings that have now been issued by professional bodies, insurers and governments.
Lastly, actions for breach of trust are not protected under limited liability schemes that are operated by many professional associations.[29]
Banks are rarely, if ever, party to the types of proceedings described above.
6. Banks versus customers – the legal position
As outlined above, until the widespread acceptance of EFTs, large transactions were usually paid for by way of cheque. Generally it is the bank that bears the burden of the loss in the case of forged cheques, and attempts by banks to expand the scope of customers’ duties, other than through contractual provisions, were largely unsuccessful before the Courts.[30]
When looking at liability issues in the context of electronic funds transfers today, the key factor for the court to consider will be the contractual arrangements between the parties. The warning that is routinely provided by banks during the transaction to the effect that it is the customer’s responsibility to ensure the bank account number is correct, will form part of these arrangements. The reality is, however, that banks issue terms and conditions in relation to bank accounts that customers cannot negotiate or vary. As a result banks are able to incorporate the most favourable terms that operate in order to limit their liability for customer losses including in the context of fraudulent transactions.
Whether this outcome is appropriate and consistent with community expectations is, however, another matter. In the same way that banks would previously engage with each other to verify payments instructions received by cheque, banks continue to be best placed to compare bank account names and numbers and indeed there is currently no way that customers can perform this task other than by requesting copies of confirmatory documentation which in any case can potentially be altered or fabricated.
7. Can (and should) Australian banks do more to protect their customers?
Victims of fraud are often shocked to discover that Australian banks do not block transactions where the name listed by the sender does not match the account details of the recipient. In a report in the Sydney Morning Herald in October 2021, the Chairman of the Australian Competition and Consumer Commission, Rod Sims, said Australians were losing $2 billion a year to scams, a figure he described as "rapidly rising".[31] Mr Sims called for banks to name-check transactions to stop rapidly rising scams. "We do think this is an important issue confirming who the payee is", he was reported as saying. "Some banks say there are other things coming along which will fix the problem. I’d be asking the banks, if you have an alternative, how far away is it?".
Banks in other countries have been able to implement more secure processes. For example, in the Netherlands banks have integrated a solution whereby consumers can ensure they send the money to the correct beneficiary by checking whether the name matches their international bank account number (IBAN) account. This solution is implemented as IBAN-Name Check in the Netherlands and Confirmation of Payee in the UK. If there is a match, the consumer receives approval for the transaction to proceed; in the case of a non-match, the customer is notified accordingly. In the case of a close match, this is also made notified with a suggestion close to the correct name in line with the GDPR[32] which regulates privacy and personal information in the European Union. There is apparently no transfer of liability to the bank involved in the Netherlands and it remains the customer's responsibility to proceed or stop the payment. Interestingly, the main goal of the IBAN-Name Check was not initially fraud prevention, but to ensure that a bank account number had not been used by a previous customer. However, this solution is now an effective fraud prevention tool in the Netherlands, the UK, and more countries across Europe. [33]
In 2020 the UK payments regulator introduced new rules forcing banks to name-check transactions and issue notifications if there is a mismatch, but this is yet to be introduced in Australia. According to the October 2021 Sydney Morning Herald report, the Australian Banking Association said it was studying the UK model closely, but noted the UK had seen a "significant increase" in scams despite the new systems. "Australia’s banks are looking to implement better and more effective solutions", a spokesman said.
The article quoted Mr Sims as saying Australian banks’ ageing technology systems created delays in implementing new systems, rather than an effort to reduce liability. "The banks have a lot of legacy systems in their IT", he said. "We’re finding this with consumer data right, any changes take a lot of time and effort." [34]
Customer matching applications are also used in other contexts, such as in airports, and it is apparent that the relevant technology exists, so why are Australian banks reluctant to adopt it? It may be that the issues are more practical and/or commercial in nature, particularly if adopting these measures means that banks wear the operational costs of introducing such a scheme when they currently do not face any significant liability exposure. The types of practical issues that could be presented would include dealing with false negative matches that then need to be resolved, or costs or difficulties involved in integrating the relevant application with existing platforms. Until such time as the banks believe there are benefits, in terms of financial, reputational, or legal compliance that outweigh implementation costs, they may not be motivated to make the necessary investment or even to prioritise this investment.
Notwithstanding that banks resist compensating customers who lose money in scams, a recent survey reported that online banking generally has high levels of consumer trust because of the level of education provided by banks in teaching their customers about scams.[35] There is no question that banks are acutely aware of the issues involved and responsible for identifying many suspicious transactions and preventing scams through other measures that identify potentially fraudulent transactions. It is surprising therefore that more is not done to verify account names and numbers on behalf of customers, and if the issue is indeed with legacy IT systems, that could presumably be addressed with a more appropriate allocation of resources in this area. Victims, particularly those who have been impacted by frauds that are financially devastating, might legitimately ask whether it is reasonable for individual customers to bear the loss associated with fraudulent payment directions if it is the case that banks have failed to adequately invest in appropriate resources in this area in the past.[36]
8. Can the law keep up?
Legal systems are organised according to jurisdictions based on geography. In less technologically-advanced eras a wrongdoer was almost certainly physically located in the same country as their victim, and in the case of crimes involving fraud, there was usually some connection, and often a close one, between fraudster and victim. However, widespread use of the internet amongst even the poorest countries means that it is now possible for someone to commit financial crime against another person anywhere in the world. When that occurs there may be enormous practical difficulties in identifying the perpetrator let alone holding them legally accountable or recovering funds that have been misappropriated.
Changes in the law are generally made by parliaments, usually as a result of community pressures or recommendations for law reform. They can also occur when judges apply or adapt existing legal principles to new factual scenarios in a way that meets contemporary needs. Intrinsically both these processes take time to occur and indeed a judicial decision in a matter may not occur until several years after the events that are the subject of the proceedings. Legal change also requires courage, conviction, dedication and potentially great expense on the part of those who wish to challenge an existing law, or bring into existence a new one.
9. Summary
The banking services industry forms part of Australia’s critical infrastructure. Australia has transitioned from a country where large financial transactions occurred via cheques, which were carefully verified before payment was exchanged, to one where large sums are transferred electronically. This change has exposed some customers to significant losses due to payment redirection fraud which can occur as a result of either cyber security breaches or social engineering techniques. Human factors are key to both these types of events, yet it is possible that many of these fraudulent transactions could be averted if Australian banks implemented an automated verification process that requires banks to confirm that the name of the account holder matches the account details supplied. There is also no question that once hackers have identified a class of vulnerable targets who they have successfully defrauded, such as Australians in property transactions, they will continue to focus their attention on similar targets for “repeat” business.
The organisations best informed about the extent of these scams, and best placed to protect the integrity of these transactions, namely Australian banks, have to date resisted implementing such a verification scheme at the same time as they resist legal accountability for losses due to fraudulent payments. The National Secretary of the Chief Executive Officer of the Australian Institute of Conveyancers, Dion Dosualdo, has been quoted as saying the Australian banking sector’s refusal to implement a similar system as that which applies in the UK means it is “complicit” in this scenario. "The fact there is no dual verification there means the banks can wash their hands of the situation," Mr Dosualdo said. "This is what the scammers are cashing in on."[37] Consumers of banking services who are the victims of successful scams can find themselves devoid of consumer protection under the law to a degree not seen for decades.
The integrity of Australia’s financial system requires that electronic transactions be verified as genuine before they are completed. To be fit for purpose, the financial processes that support EFTs should be required to take on board the reality of cybercrime today, including both its incidence and the way it typically occurs. A system that passes on responsibility for detecting and defeating cybercriminals to individual customers in an era where cybercrime is prevalent and increasing is arguably not fit for purpose and may represent an unreasonable transfer of risk to those least able to anticipate and manage that risk.
Postscript
In February 2023 the Commonwealth Bank announced that in late March 2023 it would be the first Australian bank to introduce NameCheck technology to give customers an indication of whether the name and account details they entered look right. Internet banking was launched in Australia by the Commonwealth Bank in 1997.
In April 2023 the ACCC released its 14th annual Targeting Scams report which reported that the combined losses reported to Scamwatch; ReportCyber; the Australian Financial Crimes Exchange, IDCARE, ASIC and other government agencies was at least $3.1 billion in 2022. This is an 80% increase on total losses recorded in 2021. Of this amount, $224 million was lost in payment redirection/business email compromise scams. Bank transfers remained the most reported payment method for scam losses with 13,098 reports totalling $210.4 million, an increase of 62.9% on the previous year.
In November 2023 the Australian Banking Association (ABA) and Customer Owned Banking Association (COBA) declared the sector was unveiling a “new offensive in the war on scams” by announcing the roll-out of a "Scam Safe" accord, a $100 million investment in a new ‘confirmation of payee system’ to ensure senders can ascertain they are transferring money to the person they intend to.
[2] "Cybercrime To Cost The World $10.5 Trillion Annually By 2025". 2020. Cybercrime Magazine. https://cybersecurityventures.com/cybercrim e-damage-costs-10-trillion-by-2025.
[3] ibid.
[4] 2020. Homeaffairs.gov.au. https://www.homeaffairs.gov.au/cyber- security-subsite/files/cyber-security- strategy-2020.pdf.
[5] 2021. https://www.cyber.gov.au/acsc/view- all-content/reports-and-statistics/acsc- annual-cyber-threat-report-2020-21.
[6] For example, section 192E(1) of the Crimes Act 1900 NSW describes the offence of fraud as follows: “(1) A person who, by any deception, dishonestly: (a) obtains property belonging to another, or (b) obtains any financial advantage or(c) causes any financial disadvantage, is guilty of the offence of fraud.”
[7] While cybercrime can include a range of electronically communicated scams such as false invoice fraud or romance scams, the focus of this paper is on fraud impacting payments for real services or transactions, such as the sale of land or services performed under say a building contract due to payment redirection fraud which are carried out by interbank transfers. The paper does not seek to address other types of electronic payments, such as global card schemes which require that banks refund a fraudulent transaction.
[8] For example, a bank account might be opened by a cyber-criminal who has been able to steal the identity of an innocent person or who has persuaded another individual (known as a “money mule”) to either knowingly or unknowingly permit their account to be used to transit the funds defrauded from the victim.
[9] For a summary of the legal position regarding cheques see “Banking and Finance Disputes Monthly, HWL Ebsworth: https://hwlebsworth.com.au/banking-and-finance-disputes-monthly/.
[10] For example, a cyber-attack on one of Australia’s largest telecommunications providers Optus in September 2022 has reportedly resulted in the breach of important identity information for up to 9.8 million customers, and the publication of this information belonging to 10,800 customers on the dark web: https://www.abc.net.au/news/2022-10- 01/optus-data-hack-australians-waiting/101486874
[11] https://www.homeaffairs.gov.au/about-us/our-portfolios/criminal- justice/cybercrime-identity-security/identity-crime
[12] See “1971 First ever email” by Rachel Swatman, Guiness World Records, https://www.guinnessworldrecords.com/news/60at60/2015/8/1971-first- ever-email-392973.
[13] "Business Email Compromise | Federal Bureau Of Investigation". 2022. Federal Bureau Of Investigation. https://www.fbi.gov/scams-and- safety/common-scams-and-crimes/business-email-compromise.
[14] Targeting Scams 2019. 2019. Ebook. https://www.accc.gov.au/system/files/1657RPT_Targeting%20scams%202 019_FA.pdf.
[15] Scamwatch reports that around a third of people who have been scammed never tell anyone, so the true numbers are likely to be much higher: https://www.scamwatch.gov.au/news-alerts/scams-awareness- week-2021
[16] "Property-Related Business Email Compromise Scams Rising In Australia". 2022. https://www.cyber.gov.au/acsc/view-all- content/alerts/property-related-business-email-compromise-scams-rising- australia.
[17] 2016. https://www.trendmicro.com/vinfo/fr/security/news/cybercrime- and-digital-threats/austrian-aeronautics-company-loses-42m-to-bec-scam.
[18] Team, SecureWorld. 2019. "$18.6 Million In A Week: Business Email Compromise At A Whole New Level". secureworldexpo.com. https://www.secureworldexpo.com/industry-news/business-email- compromise-bec-case.
[19] "Cybercrime Alert – 5 August". 2019. go.lawsociety.com.au. https://go.lawsociety.com.au/l/533512/2019-08-01/35j2r8.
[20] See “Customer identification: know your customer”, www. Austrac.gov.au, https://www.austrac.gov.au/business/how-comply-and- report-guidance-and-resources/customer-identification-and- verification/customer-identification-know-your-customer-kyc
[21] "A Cautionary Tale Of Cybercrime, Identity Theft And Stolen Trust Money". 2021. Legal Practitioners' Liability Committee. https://lplc.com.au/resources/lplc-article/a-cautionary-tale-of-cyber-crime.
[22] An e-conveyance mirrors the former paper-based conveyancing procedures in respect of the processes leading up to settlement, with the settlement, or completion of the transaction, taking place in a digital workspace. After some early issues the platform itself has many security safeguards but frauds in these transactions can still occur when parties exchange bank account details for bank transfers outside the electronic lodgement network, usually via emails shared between clients and professionals, such as lawyers, conveyancers and real estate agents, who have been engaged in the property transaction.
[23] "Aussie House Market Would Be World’s Third Richest Country". 2021. News. https://www.news.com.au/finance/real-estate/sydney- nsw/australian-housing-worth-over-9-trillion-after-fastest-annual-growth- in-property-prices-since-1989/news- story/dbad51b05e14608739cc5587af7d04e1.
[24] "Sydney Family Conned Out Of $1 Million After Falling Victim To Email Scam". 2022. 9news.com.au. https://www.9news.com.au/national/online-scams-australia-sydney-family- conned-out-of-1-million-dollars-after-falling-victim-to-email- scam/aafa065a-4a64-4031-8d09-1e6f544a9def.
[25] See e.g. “Meet the Scammers”, Four Corners, ABC Television, 11 February 2019, https://www.abc.net.au/4corners/meet-the- scammers/10801250
[26] Ibid. For more on both the level of BEC scams impacting property transactions in Australia and the level of organised crime involved see “Australia's overheated property market has become a target for hackers - and they're scamming millions”, abc.net.au, 24 April 2022, https://www.abc.net.au/news/science/2022-04-24/scammers-hackers-real- estate-deposit-property-settlement/101000288
[27] Whilst all jurisdictions within Australia have legislated to introduce proportionate liability, the regimes are not uniform. In New South Wales the regime is set out in Part 4 of the Civil Liability Act 2002.
[28] See George v Webb & Ors [2011] NSWSC 1608.
[29] The Professional Standards legislation under which limited liability schemes operate specifically exclude breaches of fiduciary duty and breach of trust from protection under those schemes. See, for example, section 5, Professional Standards Act 1994 (NSW).
[30] See “Banking and Finance Disputes Monthly, HWL Ebsworth: Ibid.
[31] "ACCC Calls For Banks To Name-Check Transactions To Stop ‘Rapidly Rising’ Scams". 2021. smh.com.au. https://www.smh.com.au/business/banking-and-finance/accc-calls-for- banks-to-name-check-transactions-to-stop-rapidly-rising-scams-20211007- p58y2f.html.
[32] The General Data Protection Regulation (GDPR) may be the toughest privacy legislation in the world. Although it was drafted and passed by the European Union (EU), it imposes obligations on organisations anywhere, where they target or collect data related to people in the EU.
[33] See “IBAN-Name Check Lessons learned from the UK and Netherlands”, the Banking Scene, https://thebankingscene.com/opinions/iban-name-check-lessons-learned- from-the-uk-and-the-netherlands
[34] For more on legacy systems see “Threat hunters and Red Teams, Inside the Big Banks Cyber Defences,” smh.com.au. https://www.smh.com.au/business/banking-and-finance/threat-hunters-and- red-teams-inside-the-big-banks-cyber-defences-20211029-p5947m.html
[35] 2021. mimecast.com. https://www.mimecast.com/globalassets/documents/reports/brand-trust- report.pdf.
[36] Australian banks have invested in a solution known as PayID as an alternative to banking transfers that are effected by way of BSB (Bank State Branch) and account numbers only. However, as at the writing of this paper, transfers using PayID are used in less than 20% of banking transactions. This method of authorisation is also problematic, as one of the key verification factors is the use of a customer’s mobile phone number. When entering a PayID mobile phone number to make a payment, the full name of the account holder is displayed, so the person making the payment can ensure they are sending it to the right PayID account. However, this means it is possible to simply enter random phone numbers and, if that number has been linked to a PayID account, the account holder's name will show up, which has been described as essentially a “phone book in reverse” which can be used to identify account holders and their account numbers. In June 2019, the private details of 98,000 Australian bank customers were exposed in a cyber-attack on the PayID platform. This data could then potentially be used as part of a more complex phishing scam designed to steal further information from account holders: https://www.abc.net.au/news/2019-09-18/payid-data-breaches-show- australian-banks-must-stop-hackers/11523590
[37] "ACCC Calls For Banks To Name-Check Transactions To Stop ‘Rapidly Rising’ Scams". 2021. smh.com.au. https://www.smh.com.au/business/banking-and-finance/accc-calls-for- banks-to-name-check-transactions-to-stop-rapidly-rising-scams-20211007- p58y2f.html.