
Disclaimer (IANAL). We are not lawyers and you should not take legal advice from your IT provider.

Recently there was a ‘Negligence’ court case in WA that centered around email security.

There are three main players: a Consultant, the Company and a Fraudster. The total value of the project was in excess of $400K.

  • The Consultant had invoiced the Company for services rendered, split over a number of invoices as agreed milestones were reached.
  • Initial invoice of $100 was paid
  • Second and third invoices totalling $240K were raised
  • A fraudster had taken control of the Consultant’s Microsoft 365 hosted email address without the consultant’s knowledge
  • The fraudster asked the Company to pay a different bank account, via the compromised email address
  • The Company checked the bank account change via email, to which the fraudster confirmed the change, again via the same compromised email address
  • The fraudster was paid the $240K into a bank account, and most of the funds were immediately transferred offshore
  • The judge ruled that, as the services were rendered satisfactorily, the Consultant should be paid
  • The judge agreed that the Consultant hadn’t been paid, and DIRECTED the Company to pay to the Consultant the remaining $192K that was owed

The Judge also noted that the Australian Cyber Security Centre (ACSC) has some recommendations that neither party had met.

ACSC recommends that…

All businesses, regardless of size, should do the following to prevent falling victim to business email compromise:
(i) enable and require MFA for email, banking and all business‑critical online services;
(ii) not permit the reuse of passwords across different websites or services, especially email and online banking;
(iii) implement policies and procedures to handle change of banking or payment details, including communication and confirmation via a known-good out-of-band medium. For example, in the case of an email conversation, confirm via phone call to a known-good phone number for the party in question;
(iv) train staff to recognise fraudulent requests. Test regularly, and refresh training periodically; and
(v) configure email authentication measures such as Sender Policy Framework (SPF), DKIM, and DMARC to protect email domains from impersonation.

At Health IT, we expect all clients to meet at least maturity level 1 of the Essential Eight as defined by the Australian Signals Directorate. This is supported by our Security Stack.

The mitigation strategies that constitute the Essential Eight are:

  • patch applications
  • patch operating systems
  • multi-factor authentication
  • restrict administrative privileges
  • application control
  • restrict Microsoft Office macros
  • user application hardening
  • regular backups.

Our Security Stack also supports SMB1001, an Australian standard through which small businesses can obtain cyber security certification. SMB1001 requires that you implement a policy, with procedures, to prevent invoice fraud.

At Health IT we do everything we can to protect you, your reputation, your technology infrastructure, and your patients’ privacy from day one.
As cyber security gets more complex, the protection we offer evolves. Contact us to discuss a security uplift for your practice.