Legal liability when your business email has been hacked – Criminal Law


Legal liability when your business email has been hacked

To print this article, all you need is to be registered or login on

In recent weeks, cybercriminals have been pivoting their methods
to take advantage of the COVID-19 pandemic. Here we shed light on
the legal position of businesses that fall victim to online scams
and in particular to invoice fraud, which has become an
increasingly popular type of online scam.

Invoice Fraud

An invoice fraud scheme usually involves a cybercriminal
masquerading as a trusted supplier, and sending a fake invoice to
that supplier’s customers. In these scams, the cybercriminal
often has control of the supplier’s email account and can
access legitimate invoices. The cybercriminal changes these
invoices to include new bank account details and then sends the
invoices to customers from the supplier’s email account. The
customer pays the invoice into the cybercriminal’s bank
account, and the actual supplier’s invoice for services
provided or goods delivered remains outstanding.

The legal position of a businesses whose email was hacked or
identity imitated

The general position at law is that the hacked party is usually
the one at fault. There is, however, a distinction between
cybercrime carried out through:

  • an actual hack of a business’s server (and sending an email
    from that server); or

  • spoofing a business’s email address.

The distinction between ‘spoofing’ v

  • Spoofing is all about making it
    appear that the email is coming from a trusted sender, while in
    reality the email originates from an external source that could be
    on the other side of the world. Unfortunately, spoofing an email
    account today is an easy task for someone with the right skills -
    any email server can be configured to send mail from any given
    domain. Even in the absence of equipment or know-how, there are
    websites that can send one-off emails using the email address of

  • On the other
    hand, hacking involves a hacker
    gaining access to a business’ email or IT system and
    impersonating a member of staff. The company will have no idea that
    the hacker is actively using its email for a fraudulent purpose,
    and the fraudulent email sent by the hacker is almost
    indistinguishable from legitimate business emails.

From a legal point of view, if it is simply a case of spoofing,
there should be no liability or responsibility on part of the
supplier whose email address and invoices were spoofed. The
customer is still liable to pay the outstanding amounts to the
supplier. If it is a case of an actual hack, the level of liability
would depend on the circumstances. There is yet to be a case in
Australia that directly deals with who bears the loss in a hack

Urgent actions to be taken by victims of cybercrime

The Australian Cyber Security Centre provides the following
advice to businesses who have fallen victim to an online scam:

  • If any of your email accounts have been compromised, notify
    your clients

    (or, at a minimum, your affected clients)

  • Consider putting up a notice on your website

  • Contact your IT team so they can alert the affected parties and
    secure the email account

  • Report scams to the ACCC’s Scamwatch

  • If you have been a victim of a cybercrime such as fraud, report
    it to the Australian Cybercrime Online Reporting Network

Measures by all businesses

To mitigate your legal risk, your business should put in place a
number of measures to reduce the chance of being hacked. Whether a
business has done all that is reasonably expected to protect itself
from being exploited by a cyber hacker in an invoice fraud
situation would impact the assessment of the levels of liability of
and the potential distribution of liability between the affected

ACSC advises businesses to employ the following techniques to
minimise the risk and loss of falling for cyber scams:

  • Purchase appropriate insurance: as the responsibility
    remains at all times with the business to protect their systems and
    mitigate losses, you want to ensure that your business has the
    broadest insurance covering all cyber scams.

  • Educate your staff:

  • Teach your staff to be on the lookout for the warning signs,
    for instance:

    • Emails that are unexpected, come from a different contact or
      someone who wouldn’t usually send payment requests;

    • Emails that ask for instant payment or threatens severe

    • Emails with a different email address (e.g. “”
      vs “.com”);

    • A supplier has provided new bank details or is requesting a
      different payment amount.
  • Safeguard your internal information:  avoid
    sharing internal company knowledge that could be exploited by
    scammers, such as the individual contact details of employees most
    likely to be targeted, particularly those working in accounts or

  • Strengthen your IT security:  protect your
    networks, develop and maintain proper security controls, block
    spoofed emails, configure your email server to reject emails that
    do not originate from the email servers approved by the
    sender’s organisation, use strong multi-factor authentication
    to prevent scammers from using your email login details.

  • Consider including the following wording to the email
    signatures of staff sending invoices:

  • FRAUD ALERT: There has been an increasing occurrence
    of fraudsters intercepting emails and inserting their bank account
    details in place of the intended account details. We will never
    send changes to bank account details or request sensitive
    information by email. If you receive any email of this nature,
    phone (do not email) our office immediately


Key to preventing cybercrime is to ensure that both ends of a
transaction implement sufficient checks and balances. Businesses
that fail to have precautionary measures in place are more likely
to be liable for any losses that incur in the event of being

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Criminal Law from Australia