The November 2025 conveyancer misdirection scam and Mobius Group Pty Ltd v Inoteq Pty Ltd both highlighted a hard truth for business: when money is voluntarily transferred to a fraudster, the responsibility is on the payer to verify payment details.

The November 2025 Conveyancer Misdirection Scam

In the November 2025 case, a property purchaser was tricked into transferring settlement funds to a fraudster impersonating their conveyancer. A claim was brought against the conveyancer by the purchaser alleging that the conveyancer ought to be held liable. The NSW Civil and Administrative Tribunal (“NCAT”) ultimately did not shift liability to the conveyancer. Despite the scam occurring in a conveyancing context, the loss sat with the party who made the payment. NCAT effectively said:

• The purchaser made the payment;
• The purchaser received warnings about payment redirection scams;
• The purchaser did not independently verify the bank details.

Mobius v Inoteq

Mobius Group Pty Ltd (the Plaintiff), an electrical engineering contractor, entered into an agreement with Inoteq Pty Ltd (The Defendant) to perform electrical works on a Rio Tinto project. Mobius issued invoices for the work, but a fraudster gained access to Mobius’ e-mail account and sent a fraudulent e-mail to Inoteq, instructing them to change the bank account details for payment. Inoteq paid the invoice ($235,000) to the fraudulent account. Mobius sought payment of the outstanding amount ($192,000) from Inoteq, leading to the litigation.

The court held that Inoteq was liable for the outstanding amount of $192k.

The judgment leaned heavily on four ideas:

1. Control sits with the payer
Inoteq controlled the bank account and authorised the transfer.
2. E-mail is not a safe authority for changing bank details
A fraudulent email — even from a real, compromised address — is not valid notice.
3. Verification attempts were inadequate
Inoteq’s limited attempt to verify the change (a failed phone call) was not enough before releasing funds.
4. Risk of fraud in payments is foreseeable
The court treated invoice redirection fraud as a known commercial risk — not a freak event.

Cyber Insurance takeaway

The two cases above highlight that the law will not automatically rescue a payer just because fraud was involved and courts and tribunals expect positive verification, not passive reliance on e-mail.

Social Engineering Loss Cover within a cyber insurance policy is often the only place these losses land. Social Engineering Loss Cover (sometimes called Funds Transfer Fraud) is designed to cover direct financial loss suffered when an employee, director or officer is deceived or manipulated into transferring funds to a fraudulent bank account. Common triggers include Business Email Compromise (“BEC”), fake invoice scams and impersonation of trusted suppliers.

However, cyber insurers will provide Social Engineering Loss Cover based upon Insureds having payment controls implemented within the business and Insureds have a legal obligation to accurately disclose the extent of such controls.