Cyber criminals present an active and evolving threat to Australian businesses and individuals, with cyber attacks becoming increasingly organised and sophisticated.
Costs of cybercrime
The cost of cybercrime in Australia is significant, with the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) reporting that in the 2025 financial year:
- the ACSC received over 84,700 cybercrime reports through ReportCyber — an average of one report every minute;[1]
- the average self-reported cost per report and business size was:
  - small business: $56,000 (up 14%);
  - medium business: $97,200 (up 55%); and
  - large business: $202,700 (up 219%).[2]
Cybercrime also gives rise to appreciable indirect costs for Australian businesses including, but not limited to, higher insurance premiums, business disruption and recovery costs.
The legal landscape — allocation of risk in cyber incidents
It is often assumed that a party who innocently falls victim to cybercrime will be protected by the law as a matter of principle, for they have done nothing wrong.
Recent Australian authority highlights, firstly, that this is not a given, and secondly, that having robust cybersecurity measures in place is essential.
Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 (Mobius v Inoteq)
In Mobius v Inoteq, the District Court of Western Australia held that a party who has innocently suffered loss due to cybercrime may be required to bear that loss in circumstances where it had the opportunity, but failed, to take reasonable steps to protect itself from harm.
Mobius Group Pty Ltd (the plaintiff) issued invoices for services to Inoteq Pty Ltd (the defendant). Before the defendant made payment, an unknown third party gained access to the plaintiff’s email account and instructed the defendant to make payment to a bank account nominated by the unknown third party. The defendant relied on those instructions and transferred funds to the fraudulent bank account. The funds were never received by the plaintiff, who subsequently commenced legal proceedings against the defendant seeking payment of its outstanding invoices.
The court held that the plaintiff was entitled to payment for the work performed and that the defendant was liable to it for the full amount claimed of $191,859.16, even though the defendant had innocently paid that money to a fraudster. The court found that the defendant was in a better position to protect itself from the fraud than the plaintiff and had the opportunity to verify the change in bank account details by a telephone call but failed to do so.
Protecting yourself from harm
It remains to be seen how the reasoning in Mobius v Inoteq will be applied in similar cases and how it will develop in this dynamic realm of digital technology.
Australian businesses and individuals would be prudent to bolster their cybersecurity protections going forward. Where a party is induced to make payment to a fraudster instead of to the relevant counterparty and does so without making any reasonable enquiries, it generally cannot then argue that it is not liable to make payment to the counterparty because it has already made payment to the fraudulent bank account.
A further complicating factor is that claims of this nature can involve complex technical evidence, and it is often difficult to establish how loss was caused: for example, whether the primary cause of loss was inadequate security systems or a failure to verify the legitimacy of the fraudster’s requests for payment.
Accordingly, it is essential that businesses and individuals maintain adequate and up-to-date security systems to protect their data, and that reasonable inquiries are made to verify the legitimacy of payment requests before payment is made.
Recommendations
Further, the ACSC recommends that Australian businesses and individuals:
- use phishing-resistant multifactor authentication wherever possible, preferably passkeys;
- make passwords or passphrases strong and unique, and consider using a reputable password manager;
- protect their domain name;
- regularly back up important files and device configuration settings; and
- keep software updated and only use a trusted device when accessing sensitive online accounts.[3]
However, even the most stringent precautions may fail to prevent a determined and sophisticated cybercriminal from committing a cyber fraud. Therefore, it is critical that businesses implement appropriate training and awareness programs to ensure that personnel are alert to contemporary cyber threats as a matter of priority. Also, when making any payment, one should verify (preferably by a one-to-one telephone call and not by electronic means) the identity of the intended payee and their correct bank account details.
Of course, it is impossible to eliminate all risk, but by cultivating a heightened level of awareness as to the growing threat of cybercrime, Australian businesses and individuals will be better placed to respond to cyber incidents swiftly and reduce the risk of adverse consequences arising from the same.
References
1. Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC), Annual Cyber Threat Report 2024-2025 (Report, October 2025), 18.
2. Ibid.
3. Ibid 49.
Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.
Liability limited by a scheme approved under Professional Standards Legislation. © 2026 Rigby Cooke Lawyers
