The dangers of business e-mail compromise

July 1st, 2023

By Karabo Sekailwe Orekeng

Cybercrime is a global challenge, and cyber security exists to guard against hackers and online criminality. ‘South Africa has the third highest number of cybercrime victims in the world’ (see Nathan Craig ‘Cybercrimes on the up, with SA annually losing about R 2,2 billion’ (www.iol.co.za, accessed 1-6-2023)). Annually, cybercrime costs the country R 2,2 billion. In addition, South Africa (SA) had the highest incidence of targeted ransomware and business e-mail compromise (BEC) attacks of any African country (see Craig (op cit)).

What is BEC?

Business e-mail compromise, also called e-mail account compromise, is one of the most financially damaging online crimes. It exploits the fact that businesses rely on e-mail to conduct transactions. The attacker gains access to, or convincingly impersonates, a legitimate e-mail account and sends messages that closely resemble the e-mails the recipient expects to receive, typically in order to redirect a payment to an account the attacker controls.

How it takes place

Criminals implement a BEC scam in the following ways:

  • ‘Spoof an e-mail account or website.’ This is done by the scammer slightly varying the legitimate e-mail address and tricking victims into thinking fake accounts are authentic.
  • ‘Send spearphishing e-mails. These messages look like they are from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts … and data that gives them the details they need to carry out a BEC scheme.’
  • ‘Use malware. Malicious software can infiltrate company networks and gain access to legitimate e-mail threads about billing and invoices. That information is used to time requests or send messages, so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information’ (see FBI ‘Business e-mail compromise’ (www.fbi.gov, accessed 1-6-2023)).
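The first technique in the FBI's list, a slightly varied sender address, is the one a mail gateway or a diligent recipient can actually test for. The following is an added example, not code from the article or from the FBI: it classifies the domain of an incoming From header against a list of trusted domains, collapsing common substitutions (digit-for-letter, Cyrillic look-alikes, ‘rn’ for ‘m’), measuring edit distance, and flagging a Reply-To that points somewhere other than the apparent sender, which is a common BEC trick. The trusted domains and sample headers are constructed for illustration and are not the firms' real domains.

```python
"""Flag e-mail senders whose domain merely resembles a trusted one.

Added example, not from the article. TRUSTED_DOMAINS and the sample
headers in __main__ are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: domains the firm treats as its own and its regular correspondents'.
TRUSTED_DOMAINS = {"ensafrica.example", "dmsattorneys.example"}

# Characters scammers swap for visually similar ones (a subset; extend as needed).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0131": "i",  # dotless i
})


def canonical(domain: str) -> str:
    """Normalise a domain so that look-alike spellings collapse onto one string."""
    d = unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")  # multi-character look-alikes
    return d.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, reply_to_header: str = "") -> str:
    """Return 'trusted', 'lookalike', 'reply-to-mismatch' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    # A Reply-To on a different domain diverts the conversation even when From is genuine.
    if reply_to_header:
        reply_domain = sender_domain(reply_to_header)
        if reply_domain and reply_domain != domain:
            return "reply-to-mismatch"
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    cand = canonical(domain)
    for trusted in TRUSTED_DOMAINS:
        t = canonical(trusted)
        if cand == t or edit_distance(cand, t) <= 2:
            return "lookalike"  # homoglyph swap, transposition or typo-squat
        if t.split(".")[0] in cand:
            return "lookalike"  # firm name embedded in another domain
    return "unknown"


if __name__ == "__main__":
    SAMPLE_HEADERS = [  # constructed
        ("Conveyancer <jane@ensafrica.example>", ""),
        ("Conveyancer <jane@ensafrlca.example>", ""),
        ("Conveyancer <jane@ensafrica.examp1e>", ""),
        ("Conveyancer <jane@ensafrica-secure.example>", ""),
        ("Conveyancer <jane@ensafrica.example>", "jane@webmail.example"),
        ("Bob <bob@unrelated.example>", ""),
    ]
    for frm, reply_to in SAMPLE_HEADERS:
        print(f"{classify_sender(frm, reply_to):18} {frm} {reply_to}")
```

The check is deliberately conservative: anything other than ‘trusted’ should trigger the out-of-band verification the article later recommends, not an automatic block, since legitimate correspondents do occasionally write from unfamiliar domains.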

Recent BEC in SA

In Hawarden v Edward Nathan Sonnenbergs Incorporated [2023] 1 All SA 675 (GJ), the Gauteng Local Division High Court ordered the defendant, ENS Africa (ENS), to pay R 5,5 million plus punitive costs to Judith Hawarden (the plaintiff) after she fell victim to a scammer spoofing an e-mail account.

Facts and legal issue

The plaintiff purchased immovable property from a third-party seller, who appointed ENS as the conveyancer for the transaction. The plaintiff paid the deposit due and thereafter paid the balance by electronic transfer into what she believed was ENS's trust account. Unbeknown to her, her e-mail account had been hacked: the e-mail containing the ENS account details was intercepted and altered to reflect the fraudster's bank account details. The money she transferred was therefore deposited into the fraudster's bank account.

The question the court dealt with was ‘whether or not to impose liability for pure economic loss sustained by the plaintiff who fell victim to cybercrime through [BEC] as a result of the defendant’s negligent omission to forewarn the plaintiff of the known risks of BEC and to take the necessary safety precautions that are designed to safeguard against the risk of harm occasioned by BEC from eventuating’.

The plaintiff argued that the law firm owed her the duty to exercise reasonable care. In addition to this argument, she stated that ENS had the legal duty to warn her of the danger of BEC, because this was already on the rise and had become prevalent.

The plaintiff further argued that, before any payment was made, the firm should have warned her of the risk and applied a verification process under which she would have been asked to verify the account details, and that the defendant should have loaded its trust account details on the banks' online banking systems so that the account number would not have had to be sent out in unprotected and unsafe e-mails (see Tania Broughton ‘Leading law firm ordered to pay victim of cybercrime’ (www.groundup.org.za, accessed 1-6-2023)).

The judge stated that the defendant should have used secure means when communicating with her to ensure that she was protected. The defendant argued that if the court held the firm liable, ‘it would expose all conveyancers … to claims of the same kind by third parties, with whom they have no relationship, for losses they suffered at the hands of fraudsters who hacked their own e-mail accounts’ (para 112). The defendant also made the argument ‘that it is the responsibility of the debtor, who chooses to make an electronic payment, to ensure that it is paid into the right account’ (para 113).

Ultimately the court found that the firm’s ‘banking details were financially sensitive information … and needed to be treated as such. … [C]oncluding that the risk of BEC was foreseen by ENS’ (para 126). Moreover, that ‘sending bank details by e-mail is inherently dangerous’ (para 127). ‘The risk of loss to Hawarden was highly foreseeable by ENS’ (see Broughton (op cit)).

This is not the first time a law firm has been caught up in a loss of this kind. In Fourie v Van Der Spuy and De Jongh Inc and Others 2020 (1) SA 560 (GP) the main question before the court was who bore responsibility for payments lost through cybercrime.

In that matter the applicant claimed payment of R 1 744 599,45 from the respondents, jointly and severally, the one paying the other to be absolved. The case concerned a property transaction in which the seller was prejudiced because the transfer attorney, having fallen victim to cybercrime, erroneously paid the proceeds of the purchase price to an unknown third party.

‘The court held that the transfer attorney was negligent and failed to exercise the requisite skill, knowledge and diligence expected of an average practicing attorney and thus failed to discharge the fiduciary duty [owed] to [the] client by transacting via e-mail whilst being fully aware that fraud is prevalent in the attorneys profession and despite that being so, not employing any measures to ensure that neither do they nor the client fall victim to the plague of fraud and cybercrime’ (Ade Nyongo ‘What happens when your attorney pays your money to the wrong person?’ (www.golegal.co.za, accessed 1-6-2023)).

Tips to avoid cybercrime

In 2019, the Law Society of South Africa (LSSA) released an advisory note to attorneys concerning BEC. The advisory was aimed at ensuring that attorneys' clients are made aware of the risk of fraud, so that firms do not fall victim to fraud or cybercrime and so that attorneys fulfil their duty of care to clients by making them aware of the risk.

Given the pervasiveness of cybercrime, the LSSA recommended that the following wording, alerting the client to BEC, appear on all communications to clients where banking transactions of high value may be performed:

‘Criminal syndicates may attempt to induce you to make payments due to [firm’s name] into bank accounts which do not belong to the firm and are controlled by criminals. These frauds are typically perpetrated using e-mails or letters that appear materially identical to letters or e-mails that may be sent to you by [firm’s name]. Please take proper care in checking that these e-mails do emanate from [firm’s name]. Before making any payment to [firm’s name] please ensure that you verify that the account into which payment will be made is a legitimate bank account of [firm’s name]. If you are not certain of the correctness of the bank account, you may contact [firm’s name] and request to speak to the person attending to your matter. They will assist you in confirming the correct bank details. [Firm’s name] will not advise of any change in bank details by way of an e-mail or other electronic communication. If you should receive any communication of this nature, please report it to the person attending to your matter’ (see LSSA advisory ‘Cybercrime: Business e-mail compromises’ (www.lssa.org.za)). This paragraph can also serve as a notice on the company’s website – preferably on the home page – as well as on any other avenues or mechanisms a company uses to communicate with clients.

In 2020 the Legal Practice Council (LPC) similarly advised legal practitioners to take care when sending out correspondence containing bank account details, and when making payments into bank accounts whose details are provided by e-mail. In the notice the LPC created an ethical duty requiring legal practitioners to ensure that appropriate systems are put in place so that payments, particularly from trust accounts, are made to the correct accounts (see LPC notice ‘Fraud alert’ (www.derebus.org.za)).

Conclusion

It is paramount for firms to use a dedicated verification process when transacting via e-mail. Before money is paid over, the bank details should be confirmed by phoning the recipient on a number obtained independently of the e-mail, or by another confirmation step; a confirmation e-mail on its own offers little protection where the client's mailbox has itself been compromised, as it had been in Hawarden. From the above cases, it is clear that the courts will not favour a party found to have been negligent.

What is further clear from these cases is that firms and companies should be extra vigilant when conducting business via e-mail. There is no blueprint for the steps a firm must take to avoid liability; the surrounding circumstances will determine whether a firm or company is responsible, judged by the steps it took to prevent loss through cybercrime. If a firm implements the measures above, such as displaying notices alerting clients to the risk of fraud and following a strict verification process, it will have taken reasonable steps to uphold its duty to exercise reasonable care towards its clients.

Karabo Sekailwe Orekeng BA (Law) BA (Hons) (Economics) LLB (Rhodes) is a candidate legal practitioner at DMS Attorneys.

This article was first published in De Rebus in 2023 (July) DR 4.
