Falling victim to cybercrime doesn't exempt companies from their normal financial obligations, an ACT tribunal has held in a ruling that serves as a "cautionary tale" to company directors about the degree to which cybercrime's financial impact can extend far beyond the initial compromise.

The recently published ruling, by the ACT Civil & Administrative Tribunal, related to a March 2021 incident in which Canberra Hydraulic Engineering Services (CHES) director Nathan Jess ordered a $5,499 piece of equipment from cleaning supplies firm RapidClean DRB, with the equipment to be collected upon payment of the invoice.

The next morning, CHES received an emailed MYOB invoice along with a note advising that the company's bank details had changed.

CHES paid the invoice, but when RapidClean had not received the payment after several days, investigations revealed the account detail switch and confirmed that the emailed invoice was not the one sent by RapidClean's MYOB system.

Jess initiated a bank investigation, which would ultimately take six months and prove fruitless when the bank refused to provide details of the actual account recipient, and called in the Australian Federal Police and Australian Cyber Security Centre (ACSC), neither of which, the ruling noted, "were particularly helpful".

An investigation by MYOB concluded that CHES's email account "had likely been breached", with the emailed invoice intercepted and then modified before being delivered the next morning.

The case hinged on the question of whether CHES had discharged its debt by paying the invoice, or whether RapidClean DRB, which sent the correct invoice and had no subsequent responsibility for its content, was still owed the amount of the equipment purchase.

Ultimately, the Tribunal ruled that although the invoice was modified by "a third-party intercepting the email that was sent from the applicant... Responsibility for correct payment rests with [CHES] and it was incumbent upon [them] to exercise care in ensuring payment was made."

CHES was ordered to pay the amount of the invoice, plus fees, effectively meaning that it had to purchase the new equipment twice, with total losses of $11,328.

Because it was ruled to have been a "victim of third-party fraud", the decision noted, CHES may be able to claim the costs on its business insurance policy.

Email compromise BEComing worse every year

The case is just one drop in the flood of business email compromise (BEC) being recorded annually, with a new analysis by Abnormal Security noting that the number of BEC attacks per 1,000 mailboxes surged by 84% in the second half of 2021, driving a 22.6% increase in the percentage of global BEC attacks as a proportion of all security attacks.

"Because the threats contain few indicators of compromise they evade secure email gateways and other traditional systems, landing in employee inboxes where they can cause significant damage," says the report.

Significantly, the analysis found that BEC scammers were backing away from the once-popular tactic in which they pretended to be company executives ordering their subordinates to change account details or pay fraudulent invoices on short notice.

The incidence of such executive-impersonation invoice fraud tactics declined by 32.7% globally during the second half of last year, yet at the same time, Abnormal noted, the number of attacks targeting executives increased by 24% during the same period.

For all the attention focused on surging ransomware attacks, BEC attacks have continued to grow by leaps and bounds, with a recent US FBI advisory noting that losses to BEC scams increased by 65% between July 2019 and December 2021.

And while law-enforcement authorities are working worldwide to track down BEC operators and cybercriminal gangs (the takedown of Russia's REvil ransomware group was one notable win this year), INTERPOL Cybercrime Threat Response officer Doug Witschi told a recent webinar from Fortinet that "we're not going to arrest our way out of this". Witschi is a former Australian Federal Police detective and counter-terrorism specialist who engages with INTERPOL's global partners from his base in Singapore.

"We need all people working together collegiately and collaboratively and that's not easy. It takes trust, confidence, and a whole range of issues in relation to this type of threat, but we need to start to work through those issues and challenges. Whether espionage, cyber terrorism, or cybercrime, the tactics and techniques used across these activities are almost identical. It's just the motivation of people that are generally changing," Witschi said.

And while the Canberra Hydraulic incident is notable for its ruling that the company was still liable for the debt despite having already paid in good faith, ACT-based legal firm MV Law noted in an overview of the case that "more complex arguments may become relevant" in cases where larger losses are involved and parties "obtain comprehensive expert evidence as to the precise source of the security breach".

The contractual arrangement between the parties may also be relevant, the analysis found, as it may in fact deal with the allocation of the risk of fraud. "This decision serves as a timely reminder for businesses and consumers in the era of frequent cyber fraud to take steps to reduce the risk of an email scam causing the loss of money," said the report.
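The control that would have caught the swapped invoice in the CHES case is a payment-detail check against a vendor master record, with any mismatch or any "bank details have changed" notice held for out-of-band confirmation. The script below is an added illustration of that check, not code from the article, the tribunal or any of the companies named; the vendor key, BSB and account numbers, and the sample invoice texts are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed vendor master record: payment details previously verified with
# each supplier out of band. Hypothetical values, not taken from the case.
VENDOR_MASTER = {
    "rapidclean-example": {"bsb": "012345", "account": "12345678"},
}

# Wording that accompanied the tampered invoice in the scheme described above.
CHANGE_PHRASES = ("bank details have changed", "new bank details", "updated bank details")


@dataclass
class PaymentCheck:
    vendor: str
    bsb: Optional[str]
    account: Optional[str]
    details_match: bool
    claims_change: bool

    @property
    def hold_for_verification(self) -> bool:
        # Release payment only when the details equal the master record AND the
        # mail does not itself announce a change; anything else is held until
        # confirmed by phone on a number from the master record, not the email.
        return (not self.details_match) or self.claims_change


def extract_bank_details(body: str) -> Tuple[Optional[str], Optional[str]]:
    """Pull an Australian BSB and account number out of free invoice text."""
    bsb = re.search(r"\bBSB[:\s]*(\d{3})-?(\d{3})\b", body, re.I)
    acct = re.search(r"\bAccount(?:\s*(?:No\.?|Number))?[:\s]*(\d{6,10})\b", body, re.I)
    return (bsb.group(1) + bsb.group(2) if bsb else None, acct.group(1) if acct else None)


def check_invoice(vendor: str, body: str) -> PaymentCheck:
    """Compare an incoming invoice's payment details with the vendor master record."""
    bsb, account = extract_bank_details(body)
    master = VENDOR_MASTER.get(vendor)
    match = master is not None and bsb == master["bsb"] and account == master["account"]
    claims = any(phrase in body.lower() for phrase in CHANGE_PHRASES)
    return PaymentCheck(vendor, bsb, account, match, claims)


# Constructed sample messages: the genuine invoice and a tampered copy of it.
GENUINE = "Invoice 1042 for $5,499. Please pay to BSB: 012-345 Account No: 12345678."
TAMPERED = ("Invoice 1042 for $5,499. Please note our bank details have changed. "
            "Please pay to BSB: 987-654 Account No: 55556666.")
```

An unknown vendor or an invoice with no extractable details also ends up on hold, so the safe outcome is the default rather than the exception.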