In recent months, and in light of COVID-19, cybercriminals have been hard at work taking advantage of increased online traffic. Particularly, these online criminals have been focusing on invoice fraud, which they pursue through a variety of different illegitimate schemes.

Invoice fraud involves cybercriminals masquerading as legitimate suppliers by sending fake invoices to pre-existing clients/customers. These criminals often take control of the supplier’s email accounts and can access invoices and other confidential information in which they use to mislead clients/customers. Once cybercriminals have access to these items, they issue invoices to clients/customers with false bank account details and request payment directly into the personal bank account of the hacker (which is often overseas).

The differences between hacking, phishing and spoofing

Cybercriminals are always implementing new and deceitful ways to hack individuals and businesses alike. Whether it be hacking, phishing or spoofing, those who may be a target must always be vigilant in today’s society or potentially be liable to legal consequences.

To ensure you know what legal ramifications come from these attacks, you must first understand the difference between phishing, hacking and spoofing:

  1. Hacking is using exploits to gain access to something you do not normally have access to. This involves a hacker gaining access to a business email or IT system and using it as if they were an employee or officer of that business. Normally, the hacked business will have no idea that the hacker is actively using its email for a fraudulent purpose. The hacker will generally change the bank account details on the business’ standard-form invoice and email the invoice to a client/customer of the business. The fraudulent email is mostly indistinguishable from legitimate business emails.
  2. Phishing is where a cybercriminal impersonates a trustworthy source in an attempt to bait a user to surrender sensitive information such as a username, password, credit card number, etc. Once the criminal obtains this information, they can access many different online platforms and cause irreversible harm to the victim.
  3. Spoofing is similar to phishing, and is simply where a user tries to use the identity of a legitimate user or businesses to trick victims into sending them money.

What to do if you are targeted by cybercriminals

If you have fallen victim to a cybercrime, or suspect you may be a victim, you should do the following:

(a) if you have made a payment to a suspected cybercriminal, immediately contact your bank and check whether the payment can be reversed;

(b) if any of your email accounts have been compromised, notify your clients/customers;

(c) consider putting up a notice on your website;

(d) contact your IT team so they can alert the affected parties and secure the email account and your IT systems;

(e) notify your insurer to ascertain whether you have cyber insurance coverage;

(f) report scams to the ACCC’s Scamwatch; and

(g) if you have been a victim of cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).

Legal implications

Who is responsible when there is a hacking, phishing or spoofing incident? The person who has paid the money to the cybercriminal will understandably wish to know where they stand and if they can recover the money.

In the case of spoofing or phishing, the business who has been impersonated is not liable to the customer/client. The business’ IT systems were not compromised and therefore they are not at fault. The customer/client is still liable to make payment to the business.

In the case of hacking, the general position at law is that the hacked party is usually the one at fault, and ‘may’ need to compensate the client/customer. The level of their liability would depend on the circumstances. In Australia there is yet to be a case before the Courts that directly rules on who is to bear the loss in a hack situation. In other words, it is a legal grey area yet to be tested by the Courts.

Mitigate your legal risk

Your business should adopt a variety of measures to reduce the risk of being hacked. The more measures you have in place, the less liability you will have if you become a victim. These measures can include:

  1. Telling your clients/customers not to act on emails requesting payments without first calling your business to verify the bank account details with a staff member.
  2. Contacting your insurer to arrange cyber insurance.
  3. Ensuring your IT systems are regularly kept up to date with reputable antivirus software and adequate firewalls.

If you are a customer/client, you should always be vigilant when you receive a request for payment by email:

  1. Check that the sender’s email address matches the same email address that the business has previously used to send you invoices.
  2. Be wary of emails with noticeable spelling errors or emails/invoices which don’t look like the previous emails sent by the business.
  3. Always call the business to verify the bank account details over the phone before making payment.

Salerno Law are your experts in the field

Salerno Law are experts when it comes to the legal processes of dealing with cybercriminals and their affects on businesses and persons alike.

We provide assistance to those who are looking to mitigate their risk and instil measures to lessen their legal liability if they were to fall victim to an attack.

Get in touch with our friendly team for assistance.


By Tyrone Boucher and Luke McKavanagh  

Tyrone is a Law Graduate and currently completing his Practical Legal Training with Salerno Law.

Luke is part of Salerno Law’s commercial and business law team. His days involve providing advice on a wide variety of commercial issues that arise in operating small to medium businesses, where he assists clients who are growing their business or wanting to protect what they’ve established.



DISCLAIMER: This article is only meant to give you general information and should not be relied on as legal advice. Speak to one of our lawyers for more information.