Business email compromise ("BEC") is a type of scam in which a party's email is compromised and used to send fraudulent messages with the aim of having recipients act on false information, typically leading to the payment of funds into the bank account of the fraudster.
In our previous blog post [1], we examined the question of who carries the risk where an electronic payment has been intercepted by a cybercriminal through BEC. Recently, three cases have been reported dealing with payment fraud, and this blog post examines their impact on the current legal principles applicable to electronic payment fraud.
Background
As discussed before, we found that in the absence of special circumstances, the onus is on the creditor to establish that the correct banking details were sent, whereafter the debtor must establish that the money was indeed transferred to the bank account provided by the creditor. This means that where an email is intercepted by a fraudster with the result that the debtor transfers funds into the fraudster's account, the debtor's obligation to the creditor is not extinguished.
We further found that there is a higher duty of care required of professionals owing a fiduciary duty, such as attorneys, before making payments with money held in trust. The court in Fourie v Van der Spuy and De Jongh Inc [2019] ZAGPPHC, a case which concerned BEC in the context of a mandate between an attorney and client, held that the attorney, by paying monies out of trust into a fraudster's account, had simply failed to discharge her obligations in terms of the mandate. The court found that it is a term of the mandate between an attorney and client that the attorney will exercise the degree of skill, knowledge, and diligence expected of an "average practicing attorney".
Hartog v Daly and another [2023] ZAGPJHC
The appellant is an attorney and conveyancer acting in terms of an oral mandate to transfer the property of the respondents. After the property was sold, the attorney successfully made the first payment to one of the respondents as agreed, but unfortunately it was at this point that a fraudster sent an email to the attorney as if from one of the clients to whom payment was due, with instructions to pay the monies into an account controlled by the fraudster. The unsuspecting attorney duly paid the remainder of the purchase price to the fraudster's account.
The respondents subsequently sought to hold the attorney liable for payment of the R1,4 million still owed to them. The attorney argued that the loss should lie with the respondents on the basis that it was a tacit term of the mandate that the respondents would exercise the utmost care in instructing the appellant to make payment and do all that is reasonably possible to ensure the integrity and confidentiality of any emails addressed to the appellant.
The court found that the probabilities did not support the existence of the tacit term averred by the attorney. The court therefore upheld the ruling of the court of first instance and found that the attorney had failed to discharge his mandate by paying the monies into an account different from the account which was nominated by the third respondent.
This outcome confirmed the position as stated in the Fourie case, namely that attorneys remain responsible for performing in terms of a mandate with a client notwithstanding the occurrence of BEC.
Hawarden v Edward Nathan Sonnenbergs Inc [2023] ZAGPJHC
The plaintiff purchased a property from a third-party seller who appointed the defendant as the conveyancer in the sale transaction. After successfully paying the deposit, the plaintiff opted to settle the remainder of the purchase price of R5.5 million through a direct electronic fund transfer into the defendant's trust account for the benefit of the seller pending registration of transfer.
The plaintiff duly transferred the funds into what she believed was the defendant's trust account, the details of which were emailed to her as an attachment by a conveyancing secretary in the defendant's employ. Unfortunately, the plaintiff's email account had been compromised, and the email containing the defendant's banking details had been intercepted and altered to reflect the bank details of a fraudster instead, with the result that payment was made into the fraudster's account. After the fraud had been discovered, the defendant requested payment of the outstanding balance of the purchase price from the plaintiff.
The plaintiff sought relief in the law of delict and asked the court to impose liability on the defendant for the pure economic loss she suffered through BEC as a result of the defendant's negligent omission to forewarn her of the risks of BEC and to take the necessary precautions when communicating payment information.
The court found that it is in the interests of society to recognise a legal duty on the part of the defendant to implement measures to prevent BEC when engaging with clients. In coming to its decision, the court considered the fact that there was little risk of indeterminate liability, as the loss was quantifiable and determinate, and that, generally, where one of two innocent parties is better placed than the other to prevent loss caused by a third party, the loss should lie with the party who could more easily prevent it.
Gerber v PSG Wealth Planning (Pty) Ltd [2023] ZAGPJHC
Mr Gerber had a share portfolio with PSG. In 2019, in an email purportedly emanating from Mr Gerber's account, he made an unusual request to liquidate a substantial portion of his share portfolio and additionally informed his fund manager of a change in his banking details.
The fund manager, in accordance with PSG fraud-prevention protocols, ran Mr Gerber's new banking details through PSG's central client services bank account verification checks. The results of the check revealed that the identity attached to the account provided did not match Mr Gerber's details, the account was not more than three years old (although the bank letter sent by the fraudsters indicated it was opened in 2002), and neither the phone number nor the email address attached to the account was valid.
Notwithstanding the above red flags, the fund manager proceeded to authorise the payment to be made to the account provided by the fraudsters, and complied with a subsequent request to liquidate the remainder of Mr Gerber's portfolio. Suspicions were eventually raised when the fraudsters, in an email requesting the liquidation of Mr Gerber's wife's portfolio, used "grammatically incorrect Afrikaans".
In the subsequent proceedings, Mr Gerber relied on the express terms of the contracts entered into between himself and PSG, which provided that PSG had a duty to protect Mr Gerber from fraud and gross negligence. PSG conceded that it had a duty to protect Mr Gerber from fraud, but argued that it was a tacit term of the contract that it would not be liable in circumstances where Mr Gerber's computer system was hacked due to his own negligence.
The court disposed of the matter fairly easily. The express terms of the contracts between the parties clearly created a duty on the part of PSG to protect Mr Gerber against cybercrime, and importing the tacit term contended for by PSG to the effect that Mr Gerber should have taken steps to prevent his email being compromised would undermine the purpose and meaning of the express terms.
The pertinent question in this matter was therefore simply whether PSG breached the express terms of the contract. The court answered this question in the affirmative after considering the myriad ways in which the fund manager breached PSG's own fraud-prevention protocol.
Conclusion
The Hawarden case is distinguishable from the Hartog, Fourie and Gerber cases in that in the latter three cases, a contractual relationship existed between the parties (whether that be in the form of a written contract or oral mandate) and the matters could be disposed of within the bounds of the respective contracts.
In the Hawarden case, however, there was no direct contractual relationship between the parties at the time that the payment was made, and the case illustrates that even in the absence of a contractual relationship courts are willing to recognise the legal duty of those entrusted with the money of others to implement measures to prevent BEC. The Hawarden case evidences the fact that our courts are alive to the vulnerability of members of the public to cyber-fraud and are willing to offer redress beyond what the law of contract can provide in circumstances where there is no contractual relationship between the parties.
In our view, there is a coherent line of judgements coming from our courts on where the risk for payment fraud arising from BEC lies. It will accordingly be prudent for businesses to determine where a court may find against them and to institute policies and procedures to mitigate this risk.
Footnotes
1 https://www.swart.law/post.aspx?id=66
Originally published 31 July 2023.