
The Victorian County Court is being asked to decide who is liable for making good on a total of $139,000 in payments for a car purchase that were redirected to scammers when cyber criminals doctored an invoice from Mercedes-Benz A/P with the wrong bank account details for the German car maker.

Instead the money was transferred into the account of a hacker.

It is claimed that hackers intercepted emails from Mercedes head office and doctored the OEM’s bank details on the invoice for the car, a Mercedes-Benz GLE400, which was sold by the agent, Mercedes-Benz of Geelong.

The money, $40,000 in three transfers plus a further transfer of $19,000, went to an account set up by hackers and not the correct Mercedes-Benz A/P account.

The issue is now before the Victorian County Court, which will have to decide who has to take the loss on the chin: the buyers who sent their money to the wrong account, or MBAP, held accountable for the wrong bank transfer details on an invoice that was changed after it was hacked in the couple’s Bigpond email account.

The story raises alarm bells for all dealers.

Brian Hay, executive director of Cultural Cyber Security, who has been retained by the Australian Automotive Dealer Association to run special programs for AADA members on preventing breaches of IT security, told GoAutoNews Premium that the ACCC reported that in 2020 business email compromise scams cost Australians $132 million, and that it could be much more than that because there is not one central repository that is accurately capturing the data.

“The challenge we have is that we believe we have a secure system. It’s not. It’s a flawed system. And every element and actor within that system needs to understand the vulnerabilities of it and build in multi-factor authentication to validate the payment processes, so the crooks don’t win.”

Mr Hay said that before buyers transfer funds to dealers’ bank accounts they should contact the dealership to verify the banking details on the invoice have not been doctored. 

“Now the secret to this, of course, is more complex. Do not use the phone number that may be printed on that potentially bogus email. So make sure you get a phone number that’s been sourced independently (from the dealer’s website for example) because, if the invoice is coming from the crook, you could be calling the criminal to validate the banking details. So you have to get independent verification of the bank details,” Mr Hay said.

“I think we are going to have to build in more anti-fraud measures because people are going to be victimized through no fault of their own because they trust the system. And the system for 99.99 per cent of the time works really well. 

“But we now have a very skilled, nefarious criminal enterprise that is global and in massive numbers using some skill and taking advantage of this blind trust that someone’s going to take care of the security. But it’s a wake up call,” he said.

“In many respects, we all have a role to play in validation. We just can’t accept that what we receive electronically in the inbox is true and we just have to validate everything,” Mr Hay said.

“Dealers and customers alike need to get educated on this ever-growing threat environment. Education can prevent this fraud.”

Meanwhile, according to a report in the Melbourne Age, the buyers who have lost their car payment are taking legal action against MBAP. They say that they sent the money in good faith to the bank account details named on the invoice.

In a counterclaim, Mercedes says the couple are breaching their contract to buy the vehicle. It is seeking a court order that the couple pay MBAP the $139,000 that went to the hackers and, in addition, hand over the trade-in vehicle valued at more than $17,200. 

The couple’s lawyer, Bruce King, told The Age that there was no way that anyone could tell the PDF invoice had been doctored.

Mercedes said in its counterclaim that the couple contributed to the loss because, it claimed, they had weak IT and password security on their emails.

MBAP also said that they did not check if the bank account details were correct before making the transfers and that they did not take reasonable steps to confirm the money was received.

According to The Age, the court papers said an employee of the agent received four emails from the couple advising the company that they had sent separate car payments more than a week before the scam was discovered. 

A Mercedes-Benz spokesman told GoAutoNews Premium: “Mercedes-Benz Australia takes cyber security and data protection very seriously and is continually enhancing our processes to safeguard the secure exchange of information between our retailers and customers.

“We are aware of an unfortunate incident involving the compromise of a customer’s personal email account and following a thorough internal investigation we are satisfied that the email interception was completely independent of our invoicing and email systems, and those of our retailer.

“As the matter is now before the court, we are unable to comment further.”

Footnote: The reason the invoices were issued by Mercedes-Benz A/P, and that MBAP is the entity caught up in the dispute, is that the car was bought from the Mercedes-Benz agent in Geelong. Agents do not own the cars they sell, the OEM does, and therefore the factory is selling directly to the buyer. 

Under a conventional franchise agreement the issue would be between the buyer and the dealer, not the OEM.

By John Mellor