Cybercrime remains rife, despite the efforts to combat it. In a recent court case, the court reaffirmed the legal position as to who bears responsibility for payment where a third party accesses an email system, changes the banking details, and payment is made into an incorrect account.
In brief, the facts of the matter under discussion are as follows:
Dealer 1 bought a car from Dealer 2. These dealers are dealers of the same car brand. Dealer 2 sent confirmation of banking details to Dealer 1 via email. Unbeknown to Dealer 2, its email system had been accessed by a third party, who changed the banking details. Dealer 1 proceeded to make payment without taking any steps to verify the account details. It later transpired that the payment was made into the incorrect bank account. Subsequently, Dealer 2 instituted action against Dealer 1 for non-payment of the purchase price.
In this case, it was important that, a few years before the incident, a notification had been sent to all the dealerships of this car brand warning them of the fraudulent activity of spoofing – whereby criminals access email systems and change banking account details. To guard against such activities, the dealers had a protocol in place which required them to take steps to verify the banking details before making a payment. A principal at each dealership had to approve the payment requests. Therefore, salespersons could not make a payment without getting the principal's approval. In this case, the salesperson of Dealer 1 did not verify the banking details. Additionally, the principal of Dealer 1, before approving the payment, had asked the salesperson whether she had verified the banking details, and she responded affirmatively.
Dealer 1 raised the defence of estoppel at court and argued that it (Dealer 1) used the banking details received from Dealer 2. After considering a plethora of cases, the court dismissed the defence of estoppel and found in favour of Dealer 2. In arriving at its conclusion, the court considered that all dealerships of this car brand are aware of the ongoing fraudulent activities of this nature. It also considered that the salesperson had lied to her principal by saying that she had verified the banking details when she had, in fact, not done so. Dealer 1's argument that Dealer 2 should have implemented measures to prevent third parties from accessing its email system could not succeed because it (Dealer 1) did not tender any evidence that there were no measures to prevent such activities and/or evidence showing what Dealer 2 should have done to avoid such incidents.
It is apparent that cybercrime will always be part of our lives and that our approach to combating it will always be reactive. Whilst there are insurance policies that purport to cater for such incidents, there are no guarantees that the policy will pay out for the loss suffered. Different insurance policies provide different types of coverage. For example, some only assist with the investigation costs, some specifically exclude coverage for losses resulting from hacking incidents, whereas some only cover a certain percentage of the losses suffered. Potential policyholders need to assess their risks, with the assistance of an underwriter/broker, and take out appropriate cover.
From the above, it is evident that the debtor bears the ultimate responsibility of verifying banking details before making a payment. One pragmatic way of doing this is to make a telephone call to verify the banking details. Potential policyholders must implement and adhere to protocols intended to guard against cybercrime. Continuous awareness and training of staff members is necessary.