In today's digital age, business email compromise ("BEC") has become a serious threat to businesses and individuals. BEC is defined as "a criminal act where criminals illegally access an email account and communicate as if they are the user". A typical example of BEC is where a fraudster impersonates a business or an individual ("the sender") in order to lure the recipient of the email into making payment into the fraudster's account.
Globally, courts have grappled with determining liability for the loss suffered in such instances. This article provides brief examples of how this issue has been dealt with in different jurisdictions.
South Africa
The leading authority on BEC cases in South Africa is the Supreme Court of Appeal's ("SCA") judgment in Edward Nathan Sonnenberg Inc v Hawarden 2024 (5) SA 9 (SCA). In this case, Ms Hawarden, who was not a client of the law firm Edward Nathan Sonnenberg Inc ("ENS"), purchased a property from ENS's client. As per the purchase agreement, Ms Hawarden (who had been cautioned about the risk of cybercrime) paid the commission into the estate agent's account and elected to pay the remaining balance into ENS's trust account.
ENS emailed a letter to Ms Hawarden which contained ENS's bank account details. However, unbeknownst to the parties, Ms Hawarden's email account had been hacked, and the fraudster replaced ENS's letter with a letter reflecting the fraudster's bank account details. Consequently, Ms Hawarden paid ZAR5.5 million into the fraudster's account.
After becoming aware of the fraud, Ms Hawarden paid the balance into ENS's correct trust account so that the purchase could proceed. She subsequently instituted a claim for damages against ENS, contending that ENS owed her a duty of care and ought to have warned her about the risks of BEC. Ms Hawarden was successful in the High Court, but the SCA overturned the High Court's findings.
The SCA inter alia found that (a) because there was no contract of mandate between ENS and Ms Hawarden, it would be an overreach to extend ENS's duty of care to include safeguarding third parties against such risks, (b) Ms Hawarden had been warned by the estate agent about the risk of cybercrime and could therefore have verified ENS's bank account details, and (c) she made the payments in person at the bank and could have asked her bank to confirm ENS's bank details. The SCA also accepted ENS's submission that, if it were found liable, the finding would have profound implications not only for attorneys but for all creditors who send their bank details by email.
Ms Hawarden has applied to South Africa's apex court, the Constitutional Court, to overturn the SCA's findings. The Constitutional Court is still to determine her application. If it overturns the SCA's judgment, it would be creating a new category of delictual (tort) liability in South African law.
In Gerber v PSG Wealth Planning (Pty) Ltd, PSG Wealth Planning ("PSG") received an email from a cybercriminal, purporting to be Gerber (a PSG client). In this email, PSG was requested to liquidate a portion of Gerber's investments and to transfer those funds into a bank account, which was different from Gerber's account in PSG's file. PSG made the payment in accordance with the email that was sent by the cybercriminal.
Consequently, Gerber instituted a contractual claim in respect of the payment made by PSG. The High Court held that PSG was contractually liable to compensate Gerber for the financial loss he suffered. The Court held that PSG's contractual obligation to its clients included 'effectively employing the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that the clients will suffer financial loss through theft or fraud'. Additionally, PSG had ignored its own security safeguards for verifying bank accounts and had therefore failed to discharge its contractual obligations.
Canada
In St. Lawrence Testing & Inspection Co. Ltd. v. Lanark Leeds Distribution Ltd, St Lawrence Testing & Inspection Co. Ltd ("St Lawrence") and Lanark Leeds Distribution Ltd ("Lanark") concluded a settlement, which was subsequently made an order of court. In terms of the settlement, Lanark undertook to pay St Lawrence a sum of CAD 7,000 ("the settlement funds") for services rendered to it. Lanark then received an email from a fraudster, purporting to be St Lawrence's paralegal, requesting Lanark to pay the settlement funds into a different account from the one previously sent by the paralegal. This resulted in Lanark making payment into the fraudster's account.
Lanark instituted an application seeking an order confirming that it had complied with the settlement, despite St Lawrence not having received the funds.
The court rejected the contention that St Lawrence should bear the loss because (a) the parties did not have a contract stipulating that Lanark could rely on fraudulent payment instructions to shift liability for the loss to St Lawrence, (b) there was no evidence of wilful misconduct or dishonesty on the part of St Lawrence or its paralegal, and (c) St Lawrence's paralegal had not acted negligently in respect of its computer/email security system. The Court held that Lanark had failed to comply with the terms of the settlement, and it was ordered to pay the sum of CAD 7,000 to St Lawrence.
United Kingdom
In Sell Your Car With Us Ltd v Sareen [2019] EWHC 2332 (Ch), Sell Your Car With Us Limited ("the company") and Sareen entered into a contract in terms of which the company undertook to sell Sareen's vehicle and pay him GBP 51,800. A third party, purporting to be Sareen, requested the company to send GBP 30,000 of the sale price to an account presumably under the third party's control. The company proceeded to make payment to the third party.
In related injunction proceedings, the company instituted a counterclaim which was grounded on the contention that (a) Sareen breached an implied term in the contract which stipulated that Sareen would take reasonable care over the security of his email communications, and (b) when Sareen agreed to communicate by email, he represented that he would take care over the security of his email account.
The Court found that there was no need to imply a term into the contract to achieve business efficacy. While the contract might be improved by such a term, the Court held that the contract could function without it, since the parties could combat the risk of fraud through telephone calls or other verification procedures.
In addition, the Court held that when the parties agreed to communicate by email, the company did not refer Sareen to any basic security requirements or warn him that he was impliedly representing that he would employ reasonable security measures over his email account. Instead, the court found that the company alone was responsible for making payment into an unauthorised account, because the company was alert to the risk of fraud and had also overlooked the checks included in its own procedures.
Accordingly, the company's claims were rejected, and the court held that the company remained indebted to Sareen.
United States of America
In Studco Building Systems LLC v. 1st Advantage Federal Credit Union, 2023 WL 1926747 (E.D. Va. Jan. 12, 2023), Studco Building Systems US LLC ("Studco") sought damages against 1st Advantage Federal Credit Union ("1st Advantage") as a result of the latter processing a payment order that was allegedly induced by fraudulent conduct on the beneficiary's part.
While Studco was waiting for its supplier to send its new banking details, Studco received an email from an unknown third party purporting to be the supplier providing new bank details. Studco proceeded to make payment to an account held with 1st Advantage which identified the supplier as the beneficiary but listed a different party's account number.
Consequently, Studco instituted a claim for damages against 1st Advantage, which the Court granted. The Court reasoned that 1st Advantage had violated the Virginia Uniform Commercial Code ("UCC"). Under the UCC, where a beneficiary's bank knows that the account number and the name identify different accounts (i.e. that there is a conflict between the beneficiary's name and the account number) and it still processes the payment, the bank may be in violation of the UCC. Further, under the Rules of the National Automated Clearing House Association applicable to 1st Advantage, and under the UCC, 1st Advantage was required to act in a commercially reasonable manner and to exercise ordinary care when making transfers.
Conclusion
While the principles laid down in these cases have been valuable, Deputy Judge Kelford in St Lawrence correctly held that this area of law would benefit from legislation establishing clear principles for the allocation of liability.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.