When e-legal turns illegal: Business Email Compromise posing cyber security threats to Conveyancers
9 February 2023
AUTHOR: CELINE BAKKER
Recent case law in our South African High Courts has given conveyancers a new and pressing threat to take into consideration when transferring client’s money. While white collar crime may be nothing new to attorneys, in terms of cyber security and preventing Business Email Compromise (BEC), according to the courts, they just can’t seem to hack it.
This has become evident from two judgments handed down in January 2023, Hawarden v Edward Nathan Sonnenberg Inc. and Hartog v Daly and Others, holding conveyancers accountable for falling victim to BEC and paying out trust monies into fraudulent bank accounts intended for their clients.
Both cases concerned a dispute between the purchasers of a property and a conveyancing firm appointed to facilitate the transfer due to the conveyancer depositing the proceeds of the purchase price into the banking account he believed to be the purchaser’s but turned out to be a fraudster’s account. This occurred as a result of business emails being intercepted by a fraudster pretending to be the client advising the conveyancer of a change in the banking details and the conveyancer failing to impose sufficient cyber security mechanisms to prevent such cybercrime from being committed. The courts held in both cases that a duty of care rested on the conveyancer to impose sufficient risk management mechanisms to avoid the BEC and the conveyancing firms were therefore held delictually liable for payment to the purchaser.
Find out what courts are warning conveyancers, if an email from a (supposed) client appears a little phishy.
Delictual liability on the conveyancers vs the bank
The court in the ENS case highlighted that a conveyancing firm operating within such an environment where BEC is rife ought to warn its clients of the dangers and risks thereof as well as take precautionary measures to prevent such phishing and cyber fraud attempts. It was held irresponsible for a conveyancing firm to share banking details purely via email and not to impose any further methods to ascertain the changed banking details with its client. The court also dismissed the floodgates argument brought by ENS and countered that ignorance is no excuse and that such amounted to negligence particularly since conveyancers deal with sensitive transactions.
In Hartog v Daly and others the respondent attempted to hold Standard Bank (SB) delictually accountable for not imposing appropriate FICA methods to prevent fraudsters from opening accounts and withdrawing suspicious amounts immediately after these have been deposited into their accounts. However, the court found that the first respondent did not successfully discharge its onus of proving SB’s liability in terms of negligence, wrongfulness, causation or damages. Nevertheless, the respondent raised a number of arguments which the court said were not unsound but that they failed on lack of evidence.
First, the appellant put to the court that SB failed to impose proper risk management when checking their clients in terms of FICA requirements. The bank counterargued that it had verified the identity of the fraudster when opening his bank account and that there was no reason to categorise the fraudster as suspicious at the time.
Second, the appellant stated that SB should have cross checked whether the EFT instruction matched the name of the account holder into which the funds were paid. SB however defended that it is normal banking practice in SA for EFTs to be done by way of an account number only without reference to the name of the account holder. There being no duty on SB to match the name with the account number when it comes to EFTs.
Lastly, it was argued by the defendant that a duty existed on SB to monitor the account after receiving payment to prevent the immediate withdrawal of funds from the account. The appellant however was unable to prove such duty and produced no evidence as to how such could have been prevented by SB.
Ultimately the courts are warning conveyancers that if an email from a (supposed) client appears a little phishy one ought to drop someone a line as well as have permanent cyber security mechanisms to prevent BEC. It was held that conveyancers were responsible for implementing proper protective mechanisms against fraud and that such duty of care could be interpreted as being part of their profession. The courts were thus adamant to not let conveyancers who are in a position of trust and have fallen victim to cybercrime off the hook.
By engaging with us via email, you agree to this method of communication. Please note that we will never notify you of a change in our bank account details via e-mail.
Because internet or email communications cannot be guaranteed to be secure or error-free, before transferring payments to any of our businesses, first confirm the bank details directly with your business contact, either telephonically or in person. Payments into an incorrect bank account may not be recoverable and neither SL LAW INC, their holding companies and all of their subsidiaries and associated companies and their directors, officers, employees and agents thereof accept liability or responsibility for any payments made into the incorrect bank account.
Celine Bakker, Author.
BA Law, LLB
Candidate Attorney
Find out more about Celine Bakker,
a Candidate Attorney at SL Law.
She graduated from Stellenbosch University with a BA (law) majoring in German and completed her LLB degree at the Vrije Universiteit of Amsterdam, focussing on Tech and Artificial Intelligence Law.
SUNTERA GLOBAL & SL LAW INC.
WITHHOLDING TAXES: NON RESIDENT SELLERS
/ Previous Post
Next Post /
SUNTERA GLOBAL & SL LAW
/ Previous Post
WITHHOLDING TAXES: NON RESIDENT SELLERS
Next Post /