Business email compromise (“BEC”) is a frequent occurrence in the modern digital world. BEC is a type of cybercrime which typically involves criminals unlawfully accessing an e-mail account to deceive someone into sending money to the wrong person, or divulging some confidential information.[1] The perpetrator usually pretends to be a trusted figure (such as a lawyer or investment advisor or service provider), and then asks for payment or sensitive information. This scam usually involves the culprit sending what appears to be a legitimate e-mail; the e-mail will contain a request for payment with new payment details, or will request some sensitive urgent information. Once payment is made, or the information is divulged, the hacker will disappear – the inevitable outcome is a dispute between the victims with the real perpetrator getting away.
According to a recent study, 66% of small businesses across the globe have experienced a cyber-attack in the past year. In the United States, 20 000 BEC complaints were filed in 2021, and we expect this number to have increased in 2022. Businesses and individuals should take significant precautions when making payments or responding to requests which involve the dissemination of confidential information.
In South Africa, there are several recent cases dealing with what has been called a “scourge”. When a BEC occurs, who carries the loss? The answer will depend on the facts in each case, but the jurisprudence developing suggests that where a corporate entity or law firm is making the payment, it must exercise “vigilance”, and ensure the payment is made to the correct party.
For example, recently in Gerber v PSG Wealth Financial Planning (Pty) Ltd (36447/2021) [2023] ZAGPJHC 270 (23 March 2023), the court found that even though the hacking took place on the plaintiff’s system (Gerber), PSG was liable because the cause of the loss “was not the hacking, it was the failure [of PSG] to employ the necessary and contractually prescribed vigilance”. In summary, the perpetrator hacked Gerber’s e-mail and contacted PSG (pretending to be Gerber) with a request to liquidate a share portfolio and make payment into a newly opened FNB account. Payments were made by PSG to the fraudster, and by the time the parties became aware of the fraud, it was too late.
This case was decided on the basis of a breach of contract, where PSG was contractually obliged to “effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate” cyber-crime and BEC. Ultimately, PSG was ordered to carry the loss.
Similarly, in Hartog v Daly and Others (A5012/2022) [2023] ZAGPJHC 40 (24 January 2023), a case involving an attorney paying R1,4 million into the wrong account, a fraudster intercepted e-mail communication between the parties and sent an e-mail to the attorney with instructions to pay the proceeds of a sale of property into – unbeknown to the attorney – the fraudster’s account. As with Gerber, the cause of action was founded on contract: a breach of mandate. Ultimately, the court found that the attorney failed to discharge his mandate by paying monies into an account different from the one actually nominated.
In contrast, in Hawarden v Edward Nathan Sonnenbergs Inc [2023] 1 All SA 675 (GJ) (see a short note on that case here), the defendant was held liable in delict for negligently causing the plaintiff loss. In Hawarden, the plaintiff’s e-mail was hacked; the cybercriminal intercepted certain e-mails and manipulated PDF bank details to reflect the fraudster’s account – payment was made by the victim to the wrong account, but it was found that this loss was caused by the defendant.
What steps should businesses and individuals take to prevent BEC? The sophistication of the tools, and the extent of the steps one uses, will depend on the nature of the person or entity. Employ the resources, procedures and technological systems that are reasonable in the circumstances – and, to state the obvious, take the precautions and steps required in terms of the contract between the parties.
Some basic tips:
- Be aware of BEC and offer training to staff – for example, be aware of common BEC attacks, and train staff to recognise the typical red flags.
- Have appropriate technological solutions in place such as multifactor authentication and secure e-mail.
- All commercial banks offer a service whereby bank account details can be verified. Use this and other appropriate tools such as secure portals.
- When a vendor or client provides new bank details, confirm them with the bank and with the client via telephone or in person, using contact details already on file rather than those supplied in the request.
- Review IT security and internal processes regularly.
- Pay careful attention to payment procedures.
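The two tips on verifying new bank details and paying careful attention to payment procedures can be turned into a concrete control: a payment is only released when the beneficiary details match the record on file, or when a change has been confirmed both through the bank's account-verification service and by a call-back to the client on a number captured at onboarding. The following is an added illustration, not code from the article or from any of the firms or courts it mentions; the vendor record, the payment instruction and the `Verification` structure are constructed sample data, and the rule that the call-back number must come from the existing record (never from the e-mail requesting the change) is an assumption of this example.

```python
"""Payment-release gate for changed beneficiary bank details (constructed example).

Encodes the control described in the article: when a vendor or client sends
new bank details, hold the payment until the details have been confirmed with
the bank and with the client by telephone or in person.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BankDetails:
    bank: str
    account_number: str
    branch_code: str


@dataclass
class VendorRecord:
    name: str
    bank_details: BankDetails
    phone_on_file: str  # captured at onboarding; never updated from an e-mail


@dataclass
class PaymentInstruction:
    vendor_name: str
    amount: float
    bank_details: BankDetails
    # Contact number quoted in the request itself. A fraudster controls this
    # value, so the gate deliberately ignores it (assumption of this example).
    callback_number_in_request: Optional[str] = None


@dataclass
class Verification:
    bank_confirmed: bool = False     # bank account-verification service matched
    client_confirmed: bool = False   # client confirmed by phone or in person
    number_used: Optional[str] = None  # number actually dialled for the call-back


def details_changed(record: VendorRecord, instr: PaymentInstruction) -> bool:
    """True when the instruction names an account other than the one on file."""
    return record.bank_details != instr.bank_details


def release_decision(record: VendorRecord, instr: PaymentInstruction,
                     verification: Verification) -> tuple[bool, str]:
    """Return (release?, reason). Only the on-file phone number counts as a call-back."""
    if not details_changed(record, instr):
        return True, "bank details match the record on file"
    if not verification.bank_confirmed:
        return False, "hold: bank account verification not done"
    if not verification.client_confirmed:
        return False, "hold: client not confirmed by telephone or in person"
    if verification.number_used != record.phone_on_file:
        return False, "hold: call-back used a number not on file"
    return True, "changed details verified with bank and client"


# --- constructed sample data -------------------------------------------------
ON_FILE = VendorRecord(
    name="Example Conveyancers",
    bank_details=BankDetails("Bank A", "1234567890", "000001"),
    phone_on_file="+27 11 000 0000",
)

# "New details" arriving by e-mail, quoting a different number to "confirm" on.
CHANGED = PaymentInstruction(
    vendor_name="Example Conveyancers",
    amount=1_400_000.00,
    bank_details=BankDetails("Bank B", "9876543210", "000002"),
    callback_number_in_request="+27 82 000 0000",
)


def demo() -> list[tuple[bool, str]]:
    """Walk the same changed instruction through increasingly complete checks."""
    steps = [
        Verification(),
        Verification(bank_confirmed=True),
        # Call-back made to the number in the e-mail: still held.
        Verification(bank_confirmed=True, client_confirmed=True,
                     number_used=CHANGED.callback_number_in_request),
        # Call-back made to the number on file: released.
        Verification(bank_confirmed=True, client_confirmed=True,
                     number_used=ON_FILE.phone_on_file),
    ]
    return [release_decision(ON_FILE, CHANGED, v) for v in steps]


if __name__ == "__main__":
    for released, reason in demo():
        print("RELEASE" if released else "HOLD   ", reason)
```

The order of the checks matters only for the reason reported; every one of them must pass before a changed account is paid. Where an organisation already uses its bank's account-verification service, that result is what `bank_confirmed` represents, and the call-back record is what an auditor would later ask to see.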
[1] https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec
Originally published by Livingston Leandy Inc.