Cybercrime judgment has implications for FSPs that email bank details to clients


Financial services providers should take note of a High Court judgment in which top law firm ENSafrica was ordered to pay R5.5 million, plus costs at a punitive scale, to a property purchaser who was a victim of cybercrime.

The circumstances that led up to the judgment are similar to those that can occur when an FSP emails its banking details to clients so they can make investments.

Moonstone Compliance is aware of at least three instances where FSPs have experienced similar fraud.

Unless the judgment is overturned on appeal, the case sets a legal precedent in relation to liability for “business email compromise” (BEC).

The implications of this judgment will be discussed at Moonstone Compliance’s upcoming Regulatory Update Workshop. Details will be announced in our newsletters.

Emailed pdf was altered

In 2019, Judith Hawarden made an offer for a property in Johannesburg for R6m. She paid a deposit of R500 000 directly to the estate agency.

The seller appointed ENS as the conveyancing attorney.

Hawarden subsequently made an electronic payment of R5.5m into what she believed was an ENS trust account. The account details were in a pdf attachment that was emailed to Hawarden by one of the firm’s conveyancing secretaries.

Unbeknown to Hawarden, her email account had been hacked and the email containing ENS’s account details was intercepted by a fraudster who changed the pdf to reflect the fraudster’s bank account details, resulting in the funds being deposited into the fraudster’s account.

The fraud was discovered a few days later. Despite this, ENS insisted that Hawarden pay the balance of the purchase price. The parties were unable to resolve the impasse, which resulted in Hawarden instituting action against ENS for the loss of R5.5m.

Hawarden blamed ENS for her loss because, she said, the firm should have done more to protect her and used more secure means to communicate with her.

She contended that ENS was well aware of this type of fraud before the incident took place, which was apparent from the warnings contained in ENS’s investment mandate sent to her after she had made the payment but before the fraud had been discovered.

ENS submitted that Hawarden could have avoided her loss by asking the employees who dealt with her deposit to confirm ENS’s bank details when she spoke to them while she was at her bank, or she should have sought the help of her bank.

A digital forensic expert who testified for Hawarden presented evidence about BEC and the measures that were available in 2019 to communicate safely. Other witnesses provided testimony about the level of awareness of BEC among conveyancers at the time and the measures they could take to prevent it.

Ripple effect on all businesses

ENS contended that if the court held it liable, it would expose all conveyancers to claims of the same kind by third parties, with whom they have no relationship, for losses they suffered at the hands of fraudsters who hacked their own email accounts.

It said the ripple effect thereof would not only extend to all firms of attorneys but to all businesses that send their invoices, with their banking details, to their clients by email, which is a near-universal practice.

ENS submitted it is “the near-universal practice” in the market for the debtor, who chooses to make an electronic payment, to be responsible for ensuring that money is paid into the correct account.

The court should decline to extend liability for pure economic loss in this case because it will, in the words of the Constitutional Court, create “liability in an indeterminate amount for an indeterminate time to an indeterminate class”, ENS said.

Near-universal practice is not a defence

In his judgment, Judge Phanuel Mudau said the evidence showed that “BEC attacks are rife, especially in the conveyancing industry. The parties’ experts agreed that BEC has been around for many years, particularly in the context of the conveyancing industry and that the risk of BEC was well known before 2019.”

The evidence also showed it was a near-universal practice for conveyancers, and other businesses, to send their banking details to others by email.

“It does not absolve the defendant of its unsafe behaviour, which it knew at the time was unsafe and knew to take precautions against. It is not as if the defendant didn’t know better,” Judge Mudau said.

ENS ‘understood the risks’

Judge Mudau said Hawarden gave credible and consistent evidence that the possibility of BEC did not occur to her and that she trusted the defendant. “Under such circumstances, a duty clearly exists between a purchaser in a conveyancing transaction and the conveyancing attorney handling the transaction,” he said.

The judge had “no difficulty” in finding that Hawarden’s banking details were financially sensitive information and needed to be treated as such.

“ENS is undoubtedly an experienced conveyancer, which understood the risks inherent in conveyancing transactions. The implications of its own investment mandate confirm its knowledge at the relevant time of the dangers of BEC. This is clear from the warnings contained in its investment mandate and its Acceptable Use Policy, and the numerous concessions to this effect made by its witnesses.”

Emailing bank details is ‘inherently dangerous’

Judge Mudau said Hawarden’s case clearly established that “sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated”.

That large firms, including ENS, chose not to use effective technologies and measures that were available in 2019 and were used by smaller conveyancers did not avail them in making a “common practice” argument, the judge said.

“The defendant’s own expert agreed that there was much more the defendant could have done to avoid the fraud. The precautions that the defendant should have and could have implemented but failed to implement would have prevented the fraud regardless how or why the plaintiff’s email was hacked. Although the plaintiff was not a client of the defendant, she was, as stated, still in the care of the defendant and vulnerable to risk.”

Punitive costs award

The judge ordered ENS to pay Hawarden R5.5m, plus interest of 10.25% a year calculated from 19 August 2020.

He also awarded punitive costs, at the attorney-client scale, in favour of Hawarden. Her costs include the fees and expenses of three expert witnesses.

Hawarden made her hard drive available to ENS to conduct a forensic investigation to determine where the hacking occurred. Judge Mudau said ENS breached an undertaking not to copy what he called “patently irrelevant” but highly personal and sensitive documents on her hard drive and include them in the trial bundle.


Use a secure platform

The judgment should act as an incentive for businesses to communicate with clients using a secure platform such as Videosign.

Videosign not only enables businesses and professionals to engage with clients remotely, but also to identify and verify clients, and to sign, record and audit their transactions in a secure, legally admissible way.

For a free demo, contact Neil Summers on 072 908 8994 or NSummers@moonstoneinfo.com

11 thoughts on “Cybercrime judgment has implications for FSPs that email bank details to clients”

  1. I want to register for RE certificate I have funeral company so I need Sfp

    1. Please direct queries about RE exams to Moonstone’s Regulatory Exam Department.
      https://www.moonstone.co.za/services/regulatory-exam-body/

  2. There’s a typo in the comment above – “cannot” in line 4 should read “can”.

    Section 4(4) as read with Schedule 2 of the Electronic Communications and Transactions Act 25 of 2002 expressly excludes an agreement for the alienation of immovable property as provided for in the Alienation of Land Act, 1981 (Act No. 68 of 1981) as a type of transaction that can be signed electronically.
    Your suggestion of the use of Videosign who offer a platform for the secure digital signature of such Sale Agreements will exacerbate the confusion that already exists in South Africa where these agreements have to be signed in wet ink in order to be valid and enforceable.

    1. I have referred your comment to Videosign for a response.
