Financial services firm caught in email fraud must reimburse client


The High Court in Johannesburg has ordered PSG Wealth Financial Planning (Pty) Ltd to reimburse a client who lost R800 000 to email fraud. It was also ordered to reimburse the fees and commission, plus pay interest and legal costs.

Moonstone has previously reported on two cases in which the same court found law firms liable for client losses because of business email compromise, which the judge in the latest case described as “rife”.

Read: Cybercrime judgment has implications for FSPs that email bank details to clients

Read: Conveyancing attorney liable for R1.4m after fraudster intercepts email

In her judgment, Judge Denise Fisher said PSG Wealth had a contractual obligation to its clients to employ resources, procedures, and appropriate technological systems that “can reasonably be expected to eliminate, as far as reasonably possible, the risk that the clients will suffer financial loss through theft or fraud. The assumption of these contractual obligations must be construed in the context that cybercrime is universally recognised as a scourge.”

Judge Fisher said PSG Wealth did not establish that it complied with its contractual obligations to protect the plaintiff against cybercrime, nor had it established the estoppel defences raised. The reasons the court rejected PSG’s defences are discussed in a separate article.

Read: Why the High Court rejected PSG Wealth’s defences against liability for client’s loss

This article highlights the tactics employed by the hacker to dupe PSG Wealth, not once but twice within 10 days, which resulted in the client’s account virtually being cleaned out. It was only when the hacker tried his luck a third time that the company’s employees realised something was amiss.

Furthermore, the fraud occurred despite PSG Wealth taking steps to verify the first transfer of funds.

The information below is taken from the judgment, which was handed down on 23 March.

The first fraud: R250 000 lost

PSG Wealth managed JG’s share portfolio for more than a decade. The purpose of the investment was to fund JG and his wife’s retirement.

JG’s wife also had a portfolio with PSG Wealth, in her own name.

By September 2019, the value of JG’s investment was R855 413.

JG had given PSG a discretionary mandate; therefore, the parties rarely interacted. PSG Wealth sent him a monthly statement setting out details of the brokerage activity on the account.

On 3 October 2019, PSG Wealth received an email, which appeared to have been sent by JG, requesting the liquidation and payment of more than a quarter of his portfolio, R250 000. “This was something that he had never sought in all the years that the account had been managed by the defendant,” Judge Fisher said.

In addition, the email stated that JG’s bank account was held at First National Bank (FNB), not Nedbank, which was the account on record.

JF, who managed JG’s portfolio, noted the difference in the bank accounts and asked to be sent a current FNB statement showing the new details. JF’s email was copied to his personal assistant, JvS.

The response email did not contain a bank statement but a letter, ostensibly from FNB, purporting to provide details of a bank account held in JG’s name. It stated that the account was opened in 2002. The letter appeared to bear an official stamp reflecting the date “30 September 2019”. It provided the reader with a mobile number at which the writer could be contacted. JvS was also copied in this email.

On 4 October 2019, JvS sent an email to PSG’s central client services asking that JG’s “new account” be verified and loaded so that payment could be made.

The verification check found that:

  • The identity attached to the account did not match the client’s details;
  • The account was not more than three months old; and
  • Neither the phone number nor the email address attached to the account was “valid”.

JF and JvS testified that these verification reports were often unreliable and were therefore not regarded as conclusive evidence of a fraudulent account.

Central client services also stated that, when asked, FNB was unwilling to confirm telephonically that the account belonged to JG.

“It was made clear that client services had identified a risk attached to the account and that consequently it would not accept any liability which arose from payment into the account. It thus required confirmation from [JvS] that payment could indeed be made into the account at the risk of the defendant,” Judge Fisher said.

JvS, instructed by JF, sent an email to JG’s email address asking for confirmation that the account was his and that payment could be made into it. The response from the hijacked email account was that payment should be made into the nominated account.

On 8 October 2019, JvS phoned JG on his mobile phone. This was the first personal communication between the parties. JvS told JG that “the money” would be paid into his account that day. JG, who was driving at the time, responded “goed so” (“that’s fine”), although he did not know to what she was referring.

Later that day, an email was sent from the hijacked email account asking for proof of payment.
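The judgment turns on how the three failed verification findings and the bank's refusal were handled: they were treated as noise, and "confirmation" was sought by emailing the very address the instruction came from. The following is an added illustration of a payout control that treats such findings as a hard stop and accepts only a callback to the number held on file, with the amount and destination read back. The data model, thresholds and rules are assumptions made for this example; they are not PSG Wealth's procedures, and all sample values are constructed.

```python
"""Payout-request control: failed bank-account verification is a hard stop.

Added illustration, not PSG Wealth's code. Field names, thresholds and the
sample client are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_ACCOUNT_AGE_DAYS = 90   # assumed: an account younger than this is "new"
UNUSUAL_MULTIPLE = 5.0      # assumed: 5x the client's usual withdrawal is unusual


@dataclass
class ClientRecord:
    client_id: str
    account_on_file: str
    phone_on_file: str               # captured at onboarding, never from an email
    typical_withdrawal_zar: float


@dataclass
class AccountVerification:
    identity_matches_client: bool
    account_age_days: int
    contact_details_valid: bool
    bank_confirmed_ownership: bool


@dataclass
class PayoutRequest:
    client_id: str
    amount_zar: float
    destination_account: str
    channel: str                                  # "email", "phone", "in_person"
    contact_number_supplied: Optional[str] = None  # number quoted in the request


@dataclass
class Decision:
    allow: bool
    findings: List[str] = field(default_factory=list)
    required_steps: List[str] = field(default_factory=list)


def evaluate_payout(req: PayoutRequest, client: ClientRecord,
                    verification: Optional[AccountVerification]) -> Decision:
    """Block the payout if any red flag is present; list what must happen next."""
    findings = []
    if req.destination_account != client.account_on_file:
        findings.append("destination differs from account on file")
        if verification is None:
            findings.append("new account has not been verified")
        else:
            if not verification.identity_matches_client:
                findings.append("account holder identity does not match client")
            if verification.account_age_days < MIN_ACCOUNT_AGE_DAYS:
                findings.append("account opened within the last %d days" % MIN_ACCOUNT_AGE_DAYS)
            if not verification.contact_details_valid:
                findings.append("contact details on the account are invalid")
            if not verification.bank_confirmed_ownership:
                findings.append("bank would not confirm ownership")
    if req.channel == "email" and req.amount_zar >= UNUSUAL_MULTIPLE * client.typical_withdrawal_zar:
        findings.append("emailed instruction far exceeds client's usual withdrawals")
    if not findings:
        return Decision(allow=True)
    steps = [
        "call the client on the phone number on file (%s) and read back amount and destination" % client.phone_on_file,
        "do not treat a reply from the requesting email address as confirmation",
    ]
    if req.contact_number_supplied:
        # A number supplied inside the request is controlled by whoever wrote the request.
        steps.append("ignore the contact number supplied in the request (%s)" % req.contact_number_supplied)
    return Decision(allow=False, findings=findings, required_steps=steps)


def confirmation_is_acceptable(client: ClientRecord, channel: str,
                               number_used: Optional[str], read_back_matched: bool) -> bool:
    """Only a callback to the number on file, with details read back, clears a block.

    A call that merely says "the money will be paid today" (read_back_matched=False)
    does not count, because the client cannot object to what was never stated.
    """
    return channel == "phone" and number_used == client.phone_on_file and read_back_matched


if __name__ == "__main__":
    # Constructed sample mirroring the shape of the first request.
    client = ClientRecord("client-demo", "NED-000111", "+27-demo-on-file", 20000.0)
    request = PayoutRequest("client-demo", 250000.0, "FNB-999", "email", "+27-demo-in-letter")
    checks = AccountVerification(False, 45, False, False)
    decision = evaluate_payout(request, client, checks)
    print("allow:", decision.allow)
    for f in decision.findings:
        print(" -", f)
    for s in decision.required_steps:
        print(" *", s)
```

The design point is that the confirmation channel must be independent of the request channel: a reply from the same mailbox, or a call to a number quoted in the request, proves nothing, whereas a callback to the number of record with the amount and destination read back gives the real client a chance to say "I never asked for this".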

The second fraud: R550 000 lost

On 15 October 2019, an email was sent to JvS thanking her for the previous transaction and requesting an additional payment to the FNB account. The email was copied to JF. JvS confirmed by return email that this would be done.

On 18 October, payment was made into the fraudulent account, thus wiping out most of JG’s investment.

The attempt to defraud the client’s wife

The hacker then asked JvS for a statement of all JG’s investments, which she forwarded.

JvS asked the sender whether he also wanted a statement relating to his wife’s portfolio. The answer came back in the affirmative. There followed a request for a withdrawal of R400 000 from Mrs G’s investment account.

On 5 November 2019, an email was sent under cover of a letter purporting to be confirmation of Mrs G’s banking details. It had a similar get-up to the previous letter.

JvS testified that this email “didn’t look right”. She indicated that the language and syntax of the covering email were not grammatically correct in Afrikaans, which she spoke fluently.

She expressed her apprehensions to JF.

JF testified that, by this stage, he had had a conversation with a colleague who said that one of his clients had been hacked in a similar way.

JF phoned Mrs G and asked her about the liquidation of the R400 000 investment. She indicated that she knew nothing about it and referred JF to her husband.

JG said he knew nothing of the requested transaction.

It finally dawned on all concerned that they had been duped.

An investigation conducted by JG some months later revealed that his Microsoft Outlook email account had been hacked. The hacker diverted the emails to and from PSG to a separate file on the account, and so they did not appear in the inbox and outbox. In this way, the correspondence remained hidden until it was too late.
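The mailbox rule described above, which diverts a counterparty's mail into a side folder so the victim never sees the conversation, is a common business email compromise technique and is detectable by reviewing a user's inbox rules. The following is an added example (not part of the judgment or of any vendor's tooling) that scans exported mailbox rules for that pattern. The rule records are constructed in a generic shape and the field names (`from_contains`, `move_to_folder`, `forward_to`, and so on) are assumptions; a real Exchange or Outlook export would need mapping onto them.

```python
"""Flag mailbox rules that hide or divert counterparty mail.

Added illustration; the rule format below is a constructed generic shape,
not an actual Outlook/Exchange export. Field names are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Folders where legitimate users rarely route counterparty mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                  "conversation history", "archive"}
FINANCIAL_TERMS = ("invoice", "payment", "bank", "statement", "transfer",
                   "portfolio", "wealth")


def _obscure_folder(name: str) -> bool:
    """Known hiding folders, or names like '.', '..', '-' that are easy to overlook."""
    n = name.strip().lower()
    return n in HIDING_FOLDERS or len(n) <= 2 or not re.search(r"[a-z]", n)


def assess_rule(rule: dict, trusted_domains: set, own_domain: str) -> Tuple[str, List[str]]:
    """Return (severity, reasons); severity is 'none', 'review' or 'high'."""
    conds = rule.get("conditions") or {}
    acts = rule.get("actions") or {}
    senders = [s.lower() for s in conds.get("from_contains", [])]
    words = [w.lower() for w in conds.get("subject_contains", []) + conds.get("body_contains", [])]

    targets_counterparty = any(d in s for s in senders for d in trusted_domains)
    targets_finance = any(t in w for w in words for t in FINANCIAL_TERMS)
    catch_all = not senders and not words          # applies to every message
    targeted = targets_counterparty or targets_finance or catch_all

    reasons, high = [], False
    folder = acts.get("move_to_folder")
    if folder and folder.strip().lower() != "inbox":
        if _obscure_folder(folder):
            reasons.append("moves mail to obscure folder %r" % folder)
            high = True
        else:
            reasons.append("moves mail out of the Inbox to %r" % folder)
    if acts.get("delete"):
        reasons.append("deletes matching mail")
        high = True
    if acts.get("mark_as_read"):
        reasons.append("marks matching mail as read")
    external = [a for a in acts.get("forward_to", []) if not a.lower().endswith("@" + own_domain)]
    if external:
        reasons.append("forwards mail outside %s: %s" % (own_domain, ", ".join(external)))
        high = True
    if not reasons:
        return "none", []

    if targets_counterparty:
        reasons.insert(0, "targets mail from a trusted counterparty domain")
    elif targets_finance:
        reasons.insert(0, "targets financial keywords")
    elif catch_all:
        reasons.insert(0, "applies to all incoming mail")

    if high and targeted:
        return "high", reasons
    if high or targeted:
        return "review", reasons
    return "none", []


def scan_rules(rules: List[dict], trusted_domains: set, own_domain: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map rule name -> (severity, reasons) for every rule worth a look."""
    out = {}
    for r in rules:
        sev, why = assess_rule(r, trusted_domains, own_domain)
        if sev != "none":
            out[r.get("name", "<unnamed>")] = (sev, why)
    return out


# Constructed sample: one hiding rule, one exfiltration rule, two ordinary rules.
SAMPLE_RULES = [
    {"name": ".", "conditions": {"from_contains": ["@adviser-example.test"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"name": "Newsletters", "conditions": {"from_contains": ["news@retailer.example"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": "Backup", "conditions": {},
     "actions": {"forward_to": ["collector@mailbox.example"]}},
    {"name": "Invoices", "conditions": {"subject_contains": ["invoice"]},
     "actions": {"move_to_folder": "Finance"}},
]

if __name__ == "__main__":
    for name, (sev, why) in scan_rules(SAMPLE_RULES, {"adviser-example.test"}, "client-example.test").items():
        print("[%s] %r: %s" % (sev.upper(), name, "; ".join(why)))
```

The "trusted counterparty" list is what makes this useful for a firm like the one in the judgment: from the client side it would contain the adviser's domain, and from the adviser's side it would contain client domains, so a rule that quietly files that correspondence under "RSS Feeds" scores high while an ordinary newsletter rule is ignored.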

Details of the order

Judge Fisher ordered PSG Wealth to pay JG R811 488.98. It was liable for interest on this amount at the prescribed rate on R250 000 from 8 October 2019 (the date of the first payment) and on R561 488.98, which comprised the second payment of R550 000 and commission and fees of R11 488.98, from 18 October 2019 (the date of the second payment).

She also ordered PSG Wealth to pay the costs of the lawsuit.

4 thoughts on “Financial services firm caught in email fraud must reimburse client”

  1. Seems to be anyone’s fault but the hacker’s.

  2. Hi, I think the error occurred because somebody did not re-confirm the client’s bank details after the error report. The management were warned.

  3. Agree with the Judge’s decision. PSG did not do enough due diligence, especially knowing that the verification of banking details failed. When the assistant called the client, she should have said, “Mr So, we have received instructions to make a payment on your account and the banking details provided are not what we have on file. Kindly confirm your banking details over the phone and thereafter send us proof of your banking details by forwarding us a copy of your bank statement.”

    The fraud would have been detected from the onset.

  4. 1. Why didn’t they call the client to properly verify the account, seeing that they were already suspecting something was fishy, instead of sending an email to confirm?
    2. Why was the withdrawal processed without properly verified bank details to the satisfaction of PSG? This always poses a risk/loss. And what is the purpose of bank verification if payments can still be made to unverified accounts? (PSG was at fault here; they violated their own rules.)
    3. The client was also supposed to further question the person who called them about the reason they actually called. Even though there’s a mandate, we can’t just be careless because there’s a mandate and it’s the broker/service provider’s responsibility. No!
    4. PSG should tighten their cyber security measures; that’s their priority.
    5. And those people who hack accounts must be found and arrested without bail.
    6. Clients have a responsibility to be extra careful to question and verify people who call them regarding their investments/policies before giving their consent, because we know that we live in a wicked world.

    Thanks,
