Who is responsible if emails are hacked?

While the Cybercrimes Act provides a legal framework for combatting cyber threats and fraud, the actual prevention of cybercrime rests on all parties to exercise due diligence when conducting financial transactions.

As we are all painfully aware, cybercrime (and especially phishing, where you receive an email from what seems to be a trusted source) is an everyday reality and is affecting more and more people worldwide. South Africa is not excluded, and here we look at a recent, widely publicised case that has gripped the attention of law firms and their clients.

In Edward Nathan Sonnenberg Inc v Judith Mary Hawarden[1], the Supreme Court of Appeal (SCA) overturned an earlier High Court ruling which found that law firm Edward Nathan Sonnenberg (ENS) was liable to refund a client, Judith Hawarden, who paid R5.5 million into a bank account based on an email that she believed came from ENS but was actually sent by fraudsters who were able to access and manipulate emails sent from the firm.

Hawarden purchased a property from a client of ENS and, despite not being a client of ENS herself, she was communicating with ENS via email about where and how she had to pay over the R5.5 million purchase price for the property she was buying. In the course of this process, she received an email from what she thought was ENS, containing bank account details into which she subsequently paid the R5.5 million. It turned out that the bank account in the email was not ENS's bank account, and moreover that the email did not actually come from anyone at ENS, but was sent by fraudsters who made it look as if it were coming from ENS.

The High Court looked at the facts and concluded that Hawarden was not negligent in acting on an email that she honestly believed came from ENS and which was such a good forgery that it looked as if it came from ENS. Attached to the email (in line with what a real ENS email would have looked like) was also an investment agreement which contained provisions alerting recipients to this type of fraud and advising them to take caution in exactly these circumstances.

The High Court found that even though Hawarden was not a client of ENS, the firm owed a duty of care to Hawarden in facilitating the property transaction and that it failed to safely communicate its bank account details to her. In short, the High Court found that ENS had to refund the R5.5 million to Hawarden. This clearly created uncertainty because, on the one hand, Hawarden was informed by ENS of the risks of cybercrime, and on the other hand, the court held that individuals are generally not as well-placed to respond to the ever-evolving threats of cybercrime, which is sophisticated and technical in nature.

ENS subsequently appealed to the SCA, which held that Hawarden had ample warning about potential fraudulent activity, and she must, in the circumstances, take responsibility for her failure to protect herself against a known risk. The SCA ruled that Hawarden was not a client of ENS and there was thus no contractual relationship between them. This of course meant that Hawarden suffered loss, not as a result of what ENS did or did not do, but because hackers had infiltrated her email account and fraudulently diverted her payment meant for ENS into their own account. Consequently, the SCA ruled that there was no reason to shift responsibility for Hawarden's loss to ENS.

A similar challenge arose in Gripper & Company (Pty) Limited v Ganedhi Trading Enterprises CC. Gripper sold valves to Ganedhi. Over their seven-year relationship, Ganedhi had always made payments to Gripper's Standard Bank account. However, for the last sale Ganedhi received an email that seemed to have been sent by Gripper (in fact, from the same person at Gripper that they had been dealing with) instructing a change in Gripper's banking details and, as such, Ganedhi made payment accordingly. Gripper never received the payment and made enquiries with Ganedhi. On closer inspection, it turned out that the email with the new bank account details did not emanate from Gripper at all and was fraudulent, even though it was such a good forgery that it fooled someone who had been working with Gripper for a long time. The High Court ruled that Ganedhi should have verified the new banking details before making payment, reinforcing that anyone who makes a payment must exercise caution before doing so and verify any changes in payment instructions. Failure to verify such details can result in a payment being made to the wrong account. If this occurs, the person who must make the payment will not have fulfilled their payment obligation and may be required to pay the amount again into the correct bank account.

To protect themselves against allegations that a legal duty of care rests on them (as Hawarden alleged in the case above, and as the High Court found), organisations should consider informing clients and suppliers in every email that they will never advise of any changes to their bank account details by email, and that where there is uncertainty about the legitimacy of a bank account, the account details should be verified telephonically. Email addresses should always be carefully checked and verified: make sure that the return address is the same as the sender's address, watch for subtle changes in an email address (such as ".co.za" being altered to ".com" and vice versa), and be mindful of every hyphen, every letter and every number in an email address.
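The checks described above (return address matching the sender, lookalike domains such as ".co.za" swapped for ".com" or an inserted hyphen, and any emailed change to banking details) can be automated as a first-line screen before a payment is approved. The following is an added example, not code from the article or the firms mentioned; the domain allow-list and the sample message are constructed for illustration.

```python
import email
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed allow-list of counterparty domains you actually do business with.
KNOWN_DOMAINS = {"examplefirm.co.za"}

# Constructed sample message (not a real firm): the From line looks right,
# but Reply-To has been swapped to a ".com" lookalike of the ".co.za" domain,
# and the body asks for payment into "new" account details.
SAMPLE_RAW = (
    "From: Jane Attorney <jane@examplefirm.co.za>\n"
    "Reply-To: Jane Attorney <jane@examplefirm.com>\n"
    "Subject: Updated banking details\n"
    "\n"
    "Please pay the purchase price into the new account below.\n"
)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def lookalike(domain, known):
    """True when domain differs from a known domain by only a few characters
    (different TLD, an extra hyphen, a swapped letter or digit)."""
    return domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.8

def check_message(raw, known_domains=KNOWN_DOMAINS):
    """Return the reasons this email needs out-of-band verification ([] if none)."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    findings = []
    if from_addr.lower() != reply_addr.lower():
        findings.append("reply-to differs from sender")
    for addr in sorted({from_addr.lower(), reply_addr.lower()}):
        dom = domain_of(addr)
        if dom in known_domains:
            continue
        near = [k for k in known_domains if lookalike(dom, k)]
        if near:
            findings.append(f"lookalike domain {dom} (resembles {near[0]})")
        else:
            findings.append(f"unknown domain {dom}")
    # Any talk of new/changed/updated bank or account details is a red flag in itself.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if re.search(r"\b(new|chang\w*|updat\w*)\b.*\b(bank\w*|account)\b", text, re.S):
        findings.append("payment instruction change: confirm by phone with a known contact")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE_RAW):
        print("-", finding)
```

A result list that is not empty means the payment should be held until the details are confirmed through a channel that did not come from the email itself.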

The courts’ decisions provide key lessons for parties in a transaction in that they have a role to play in preventing fraud. To mitigate the risks associated with electronic communication and payments, it is advisable that those who owe money always confirm any changes to banking details through direct communication channels, such as a phone call to a known contact person, rather than relying solely on email instructions. For example, before making payment to a supplier's bank account in terms of an emailed invoice, confirm with the supplier either in person or telephonically that the bank account details in the invoice are legitimate. Further, organisations and individuals should be mindful that in addition to bank account details, phone numbers and email addresses on invoices can also very easily be altered by scammers to deceptively confirm false bank account details.

While the Cybercrimes Act 19 of 2020 provides a legal framework to combat cyber threats like business email compromise (BEC), the onus remains on all parties to exercise due diligence. It is therefore safe to say that prevention depends on diligence by everyone involved in financial dealings. By working together, individuals, businesses, and banks can reduce the devastating impact of fraud. However, the question remains whether there should be legislative improvements that provide for severe penalties for cybercriminals and clarify the obligations of organisations handling sensitive transactions.

This article was prepared by Wildu du Plessis, Dalen Mmako and Kieran Goosen.


[1] (421/2023) [2024] ZASCA 90 (10 June 2024).