Authors: Simone Herbert-Lowe
Published in: 2022 IEEE International Symposium on Technology and Society (ISTAS)
Publication date: 2022-11-10
DOI: https://doi.org/10.1109/istas55053.2022.10227138
Citations: 0
Payment redirection fraud – who does (and who should) bear the loss in fraudulent banking transactions, and is Australia’s electronic banking system fit for purpose?
The banking system is part of Australia’s critical infrastructure, and integrity and trust in transactions are essential to our financial system. This paper describes the losses incurred by victims of payment redirection fraud that occurs in real transactions, due to cyber events and email scams, and the difficulties victims face in recovering what are often very substantial losses. It argues that present levels of cybercrime, in conjunction with the adoption of electronic banking in its present form, have effectively transferred the risk of fraud in these types of banking transactions from banks to the community. The article explores whether it is realistic to expect that Australian individuals and businesses have sufficient cybersecurity resources or knowledge to protect themselves from cyber risk and email fraud at a time when cybercrime is prevalent and often perpetrated by organised crime, but education is neither widespread nor comprehensive. The article analyses victims’ legal rights in cases involving business email compromise and other scams impacting genuine transactions, and concludes that customers and others caught up in fraudulent transactions have little practical legal recourse against the criminals responsible or banks who could do significantly more to prevent scams from succeeding. While Australian banks are best placed to introduce greater protections for customers, they have not implemented measures used by banks elsewhere, and they also resist legal responsibility for their customers’ losses of this nature. The paper argues that technological changes in financial transactions have resulted in a transfer of legal rights and power away from the consumers of banking services to banks, that it is not realistic to expect that individual customers bear the burden of either knowledge of or investment in this area, and that present electronic banking arrangements leave the community, and particularly vulnerable consumers of banking services, exposed to serious financial loss.

Copyright © Simone Herbert-Lowe (Law & Cyber Pty Ltd) 2022. Simone Herbert-Lowe is the Legal Practitioner Director and Founder of Law & Cyber, specialising in cyber risk management and education, professional liability, insurance and privacy law. Simone provides legal advice for businesses impacted by email fraud and cyber events, and is the author and presenter of online courses, webinars and face-to-face presentations providing practical guidance about this growing area of business and legal risk. Through her legal practice she has authored and produced online courses that have been completed by more than 4,000 business professionals. Simone is a thought leader in the area of legal liability and cyber risk, having written numerous articles, including for the Law Society of NSW Journal and the Law Management Hub, and she has provided written expert opinion in legal proceedings involving allegations of email-enabled fraud.