Business e-mail compromise: Attorneys’ liability

September 1st, 2018

By the Law Society of South Africa’s Cybersecurity helpdesk – Anthony Pillay

This is the first in a series of articles addressing the legal obligation to establish and maintain proper information security aimed at avoiding unauthorised access to and protecting the confidentiality of client information. The Law Society of South Africa has consulted with experts relating to business e-mail compromise (BEC) and will also be engaging with the Attorneys Fidelity Fund, the South African Banking Risk Information Centre, major vendors of attorneys’ software and information and communication technology service providers to provide more comprehensive information addressing information security and avoiding or mitigating losses occasioned by BEC.

Among the scams that have increased exponentially in recent years, is what is termed as BEC. It is estimated that in 2018 global losses attributable to BEC will exceed US$ 9 billion (approximately R 121 billion).

South Africa (SA), partly due to its failure to properly introduce and enforce legislation governing the protection of personal information and the failure of entities and/or persons processing personal information to implement appropriate security measures, are easy targets for cyber criminals. South Africans are contributing significantly to BEC losses and one of the attack vectors is against attorneys and their clients. This article examines the nature of this cybercrime and the liability and potential liability of attorneys.

In S Allen ‘Business Email compromise: The Secret Billion Dollar Threat’ (, accessed 31-7-2018) it states that:

‘Often in the shadow of more extravagant, media-friendly super-hacks or ransomware compromises, BEC is leading the line on both the number of attack victims and the direct losses encountered by businesses.’

The attack is not a sophisticated technology attack. It is a simple fraud that leverages social engineering tactic to deceive a recipient into typically making a payment to a bank account controlled by criminals.

The scope of this article does not allow us to deal with all of the modus operandi that may be applied, nor the different nuances of this type of attack. Suffice it to say that a number of attorneys have been duped into paying money (very often money held in trust for clients) to criminals; while clients have been duped into paying money (in some cases large sums of money typically due by the client in conveyancing transactions) into accounts controlled by criminals.

As with any social engineering attack, the success of the attack largely depends on being able to credibly masquerade as the party to whom the payment is due. The attacks are exceptionally well thought through and structured. They are not a shotgun approach hoping that a victim will be recklessly negligent or stupid, but rather adopt an analytical consideration of communication passing between the parties, enabling the criminals to insert an appropriate communication that is in context with the expected communications, and would probably deceive the most reasonable recipient into believing the communication is legitimate. The communications replicate the letterheads, logos and information identical in almost every aspect to what a client may expect from the attorney, save for the bank account details, which are bank accounts controlled by the criminals. The e-mail addresses are carefully constructed and it can be extremely difficult to detect a variation from the e-mail address normally used by the addressor. For example, the character ‘I’ may be replaced by the numeral ‘1’. A very similar name may be used to that of an attorney’s staff member communicating with the client with minor variations in spelling. A punctuation mark may be added or omitted in the e-mail address. Even to careful recipients of the communication the e-mail’s credibility is typically strengthened by the context and timing of the communication.

The reaction of attorneys where a client has made a payment into an incorrect banking account is often that the client was negligent. On closer examination, however, it may reveal that the attorney may have been negligent if the attorney had not properly safeguarded the information processed by the attorney or the information and communications technologies used in processing the information. Failure to implement appropriate information security may render the attorney guilty of contributory negligence. Indeed, the failure in security may be the primary or proximate cause of the loss suffered by the client.

Although the requirement for cyber competence and security has been in place in many jurisdictions and is mandated and enforced by Bar Associations and law societies around the world, there is no similar requirement placed on South African attorneys. With a few shining exceptions, South African attorneys do not pay much attention to information security. The result is often that information processed and communicated by attorneys is insecure and is easily accessed by criminals. There are several contributory factors:

  • The technology used by the attorneys is in itself insecure, alternatively is configured for convenience rather than security.
  • There are no documented policies or processes governing the use of the technology or that define information management and security.
  • Attorneys and their staff using the technology are not educated or aware of their information security responsibilities.

As a result of these failures, the attorney may not discharge the corporate responsibility to establish and maintain information security as required in terms of the Companies Act 71 of 2008 read with King IV Report on Corporate Governance or to establish the technical and organisational measures to prevent unauthorised access, loss or destruction of information. This obligation is an express stipulation of the Protection of Personal Information Act 4 of 2013, requiring that processors of personal information establish and maintain appropriate technical and organisational measures to protect the confidentiality and integrity of personal information. These failures I submit, are also a failure to comply with the professional duty of attorneys to ensure that their clients’ information remains secure and confidential.

Against this background, it is critical that attorneys fulfil their duty of care to clients by advising them of the potential for BEC. The communications must ensure that the client understands their responsibility to diligently ensure that payments are made to the correct bank account. In addition, attorneys must also understand that in order to avoid potential civil and criminal liability they too must fulfil their responsibility to establish and maintain a proper information security management system to protect their own information and that of their clients.

The Law Society of South Africa’s Cybersecurity helpdesk is headed by Anthony Pillay. Mr Pillay is currently the Acting Chief Executive Officer of the Law Society of South Africa.

This article was first published in De Rebus in 2018 (Sept) DR 35.