The Johannesburg High Court handed down judgment on 16 January 2023 in a cyber-crime matter involving hacked e-mails and fraudulently altered bank details where R5.5 million Rand was stolen by fraudsters. This begs the question:- Who should carry the loss? The person who was responsible for the payment? The person hacked? In addition, what further steps should attorneys take where transmitting banking details? The court provides some answers – and these answers mean most attorneys (especially conveyancers) should urgently review their current processes. The full judgment is attached.
In this case, involving a prominent firm of attorneys – Edward Nathan Sonnenbergs Inc (“ENS”) – the court found that ENS was responsible for the accurate and safe transmission of bank details, and that the loss was due to the “negligent transmission” by ENS of its bank account details including a “failure to inform” the plaintiff about the dangers of cyber-crime and e-mail compromise.
The Plaintiff, Ms. Hawarden, purchased an immoveable property from a third party who appointed ENS as the conveyancer. To complete the transaction, the Plaintiff made payment of R5.5 million Rand into what she thought was the ENS bank account. However, it turned out that the plaintiff’s e-mail had been hacked, and the unknown cybercriminal had intercepted certain e-mails, and manipulated the PDF bank details to reflect the fraudster’s account – by the time the forgery was discovered, the fraudster had withdrawn the funds and as is usually the case with cybercrime matters in South Africa, the victims are left to fight each other while the true criminal escapes undetected. As a result of the fraud, the plaintiff instituted action in June 2020 for the recovery of the R5.5 million.
In finding for the plaintiff, the court found that:
- Sending banking details by e-mail is “inherently dangerous” and must be avoided in favour of other methods – such as a secure portal. Or, where e-mail is used, it must be accompanied by other precautionary measures such as telephonic confirmation or appropriate warnings which are securely communicated.
- It is a near “universal practice” of law firms (and some businesses) to send banking details via e-mail – but this behaviour is “unsafe”, and attorneys ought to take precautions, especially given that experienced conveyancing attorneys ought reasonably to be aware of the risks “inherent in conveyancing transactions”.
- Sharing bank details via e-mail without any other steps or precautions is not sufficient. Secure portals, password protection, and other measures and effective technologies are available and must be used.
- ENS’ argument that the plaintiff must take responsibility for her failure to protect herself against the known risk of relying on receiving bank details via e-mail was rejected. Similarly, ENS’ argument that a finding for the plaintiff would “expose all conveyancers, big and small alike, to claims of the same kind by third parties, with whom they have no relationship, for losses they suffered at the hands of fraudsters who hacked their own email accounts” was rejected.
- A loss of this type was “highly foreseeable” and there is no risk of boundless liability as feared by ENS.
Some may view these findings as controversial. The judgment will certainly cause attorneys to sit up and take notice.
Law Blog 