In January 2023, the Johannesburg High Court held Edward Nathan Sonnenbergs (ENS) liable for the plaintiff’s R5.5 million cyber-fraud loss, for failing to warn her of the dangers of cyber-fraud and “business email compromise” (“BEC”). A legitimate email from ENS was intercepted by a hacker, who then manipulated the email so that it requested payment by the plaintiff to a different set of banking details. The court held ENS liable for the loss on the basis that it had failed to take sufficient measures to protect the plaintiff against cyber-fraud.

The transfer of funds arose from a sale of immovable property, where ENS was the conveyancer and the plaintiff was the purchaser. ENS emailed the plaintiff and attached ENS’ trust account details in anticipation of the R5.5 million purchase price being received into the account. The email was intercepted, and the attachment was manipulated to reflect the banking details of the hacker. This type of fraud is known as business email compromise, commonly used to trick victims into paying money or divulging confidential information to the scammer.

As a result of this interception, the plaintiff made payment into the hacker’s account. The plaintiff contended that ENS should be liable to pay the R5.5 million, due to insufficient measures having been taken by ENS to prevent the incident. The court agreed, finding that ENS was at fault for its negligent conduct relating to managing the risk of BEC and warning the plaintiff of this risk.

The court held that ENS negligently failed to warn the plaintiff about the dangers of cyber-fraud and to advise her that, on receipt of bank account details via email, she should phone and verify ENS’ banking details before paying the large sum of money. Additionally, the court found that ENS negligently omitted to use safe and secure methods to send banking details in the first place, by failing to use protected PDFs or an otherwise secure payment portal.

Ordinarily, fault in the form of a negligent omission is not considered wrongful and usually does not lead to delictual liability. That is, unless a legal duty is owed to a plaintiff by a defendant. It was found that ENS (as the conveyancer) owed the plaintiff (as the purchaser) a legal duty. The court commented that the plaintiff was not a commercially sophisticated or well-advised individual. As such, she never considered BEC as a risk and relied on ENS, a large and well-reputed firm which should know the risk of BEC and be equipped to mitigate the same risk. The court found that ENS’ omission was a proximate cause of the loss of the R5.5 million. That is, the omission was sufficiently closely linked to the loss suffered by the plaintiff.

The imposition of fault on ENS and the determination of its conduct as wrongful are two necessary elements of delict required to hold a defendant liable. While it may be conceded that it was ENS’ conduct which caused harm to the plaintiff, the court’s judgment regarding the wrongfulness and subsequent fault of ENS requires closer inspection.

The court’s comment that ENS, as a large law firm, should have used more secure measures to send its banking details over email may well be a fair one (especially as BEC is not a new cyber-crime by any stretch). However, as pointed out in ENS’ argument, this is an almost universal practice amongst law firms and usually, the responsibility rests with the payor to ensure details are correct.

The court’s reasoning for finding that ENS owed a duty of care to the plaintiff is contentious. Much of the reasoning seems to be based on the plaintiff having put her trust in ENS and that, being professional conveyancers, they should have exercised more caution when handling a transaction. The plaintiff’s submissions referred to cases which acknowledged that conveyancers owe a duty of care to third party purchasers and to the public when handling trust monies. The judgment in this case seems to agree with this principle but does not thoroughly unpack the reasons for its agreement, stating:

‘The legal duty of care owed to the purchaser, arises from the moment the defendant accepted the brief to act as conveyancer in the transaction. There is no reason in principle for only recognizing the duty from the date of payment. It is from the (earlier) moment, when the defendant is appointed as the conveyancer, that the plaintiff depended on the defendant to act professionally. Even if the plaintiff was not at that point a client of the defendant, she was in the care of the defendant. Its duties in this regard included its duty to warn defendant of the known risk of BEC and to take the necessary precautions against it to protect itself.’

The judgment does not explain why a conveyancer bears a higher burden in these circumstances than other professionals, such as accountants or financial services providers; it simply holds that they do because they are conveyancers. As a result of this judgment, conveyancers are subjected to more onerous standards than other industries.

The court attributed liability to ENS for its negligent omission, i.e. but for the omission, the plaintiff would not have paid the money into the fraudulent account. However, the case mostly relies on negligence in omitting a warning to take precautions, and how the plaintiff would have acted on such a warning can only be considered hypothetically. That is, it cannot be known with certainty that, had ENS advised the plaintiff of the risks of BEC, she would have avoided the harm suffered. This might show weakness in the causal link between the omission and the loss of the funds.

The judgment draws attention to the responsibility of law firms to take active steps in warning and protecting their clients against cyber-fraud to avoid such cases. Commercial entities should do this by implementing multiple safeguards, such as secure payment portals and multiple verification methods. This judgment will also likely result in commercial entities implementing stricter waivers when doing business, to avoid liability of this nature. Individuals should also ensure that they are taking sufficient measures to protect themselves from cyber-crimes, so that they do not suffer the harm in the first place.

While this judgment may yet be challenged on the grounds of the wrongfulness of ENS’ conduct and whether that conduct actually caused the harm suffered by the plaintiff, it is practically useful in bringing awareness to cyber-crime, directing us to pay closer attention to the risks thereof and to our responsibilities as both individuals and commercial entities.
