In January 2023, the Johannesburg High Court held Edward Nathan Sonnenbergs (ENS) liable for the plaintiff’s R5.5 million cyber-fraud loss, for failing to warn her of the dangers of cyber-fraud and “business email compromise” (“BEC”). A legitimate email from ENS was intercepted by a hacker, who then manipulated the email and requested payment by the plaintiff to a different set of banking details. The court ordered that ENS was liable for the loss. This was based on its failure to take sufficient measures to protect the plaintiff against cyber-fraud.
The transfer of funds arose from a sale of immovable property, where ENS was the conveyancer and the plaintiff was the purchaser. ENS emailed the plaintiff and attached ENS’ trust account details in anticipation of the R5.5 million purchase price being received into the account. The email was intercepted, and the attachment was manipulated to reflect the banking details of the hacker. This type of fraud is known as business email compromise, commonly used to trick victims into paying money or divulging confidential information to the scammer.
As a result of this interception, the plaintiff made payment into the hacker’s account. The plaintiff contended that ENS should be liable to pay the R5.5 million, due to insufficient measures having been taken by ENS to prevent the incident. The court agreed, finding that ENS was at fault for its negligent conduct relating to managing the risk of BEC and warning the plaintiff of this risk.
The court held that ENS negligently failed to warn the plaintiff about the dangers of cyber-fraud and to advise her that, on receipt of bank account details via email, she should phone and verify ENS’ banking details before paying the large sum of money. Additionally, the court found that ENS negligently omitted to use safe and secure methods to send banking details in the first place, by failing to use protected PDFs or an otherwise secure payment portal.
Ordinarily, fault in the form of a negligent omission is not considered wrongful and usually does not lead to delictual liability. That is, unless a legal duty is owed to a plaintiff by a defendant. It was found that ENS (as the conveyancer) owed the plaintiff (as the purchaser) a legal duty. The court commented that the plaintiff was not a commercially sophisticated or well-advised individual. As such, she never considered BEC as a risk and relied on ENS, a large and well-reputed firm which should know the risk of BEC and be equipped to mitigate the same risk. The court found that ENS’ omission was a proximate cause of the loss of the R5.5 million. That is, the omission was sufficiently closely linked to the loss suffered by the plaintiff.
The imposition of fault on ENS and the determination of its conduct as wrongful are two necessary elements of delict required to hold a defendant liable. While it may be conceded that it was ENS’ conduct which caused harm to the plaintiff, the court’s judgment regarding the wrongfulness and subsequent fault of ENS requires closer inspection.
The court’s comment that ENS, as a large law firm, should have used more secure measures to send its banking details over email may well be a fair one (especially as BEC is not a new cyber-crime by any stretch). However, as pointed out in ENS’ argument, this is an almost universal practice amongst law firms and usually, the responsibility rests with the payor to ensure details are correct.
The court’s reasoning for finding that ENS owed a duty of care to the plaintiff is contentious. Much of the reasoning seems to be based on the plaintiff having put her trust in ENS and that, being professional conveyancers, they should have exercised more caution when handling a transaction. The plaintiff’s submissions referred to cases which acknowledged that conveyancers owe a duty of care to third-party purchasers and to the public when handling trust monies. The judgment in this case seems to agree with this principle but does not thoroughly unpack the reasons for its agreement, stating:
‘The legal duty of care owed to the purchaser, arises from the moment the defendant accepted the brief to act as conveyancer in the transaction. There is no reason in principle for only recognizing the duty from the date of payment. It is from the (earlier) moment, when the defendant is appointed as the conveyancer, that the plaintiff depended on the defendant to act professionally. Even if the plaintiff was not at that point a client of the defendant, she was in the care of the defendant. Its duties in this regard included its duty to warn defendant of the known risk of BEC and to take the necessary precautions against it to protect itself.’
It is not explained why a conveyancer bears a higher burden in these circumstances than other professionals, such as accountants or financial services providers, simply that they do because they are conveyancers. As a result of this judgment, conveyancers are subjected to more onerous standards than other industries.
The court attributed liability to ENS for its negligent omission, i.e. but for the omission, the plaintiff would not have paid the money into the fraudulent account. However, the case relies mostly on negligence in omitting a warning to take precautions, and what the plaintiff would have done in response to such a warning can only be considered hypothetically. That is, it cannot be known with certainty that, had ENS advised the plaintiff of the risks of BEC, she would have avoided the harm suffered. This might show weakness in the causal link between the omission and the loss of the funds.
The judgment draws attention to the responsibility of law firms to take active steps in warning and protecting their clients against cyber-fraud to avoid such cases. Commercial entities should do this by implementing multiple safeguards, such as secure payment portals and multiple verification methods. This judgment will also likely result in commercial entities implementing stricter waivers when doing business, to avoid liability of this nature. Individuals should also ensure that they are taking sufficient measures to protect themselves from cyber-crimes, so that they do not suffer the harm in the first place.
While this judgment may yet be challenged on the grounds of the wrongfulness of ENS’ conduct and whether that conduct actually caused the harm suffered by the plaintiff, it is practically useful in bringing awareness to cyber-crime, directing us to pay closer attention to the risks thereof and to our responsibilities as both individuals and commercial entities.