Santam alerts advisers to email interception cyber scam


Moonstone recently reported on a case involving a prominent law firm that was the victim of a business email scam.

Read: Cybercrime judgment has implications for FSPs that email bank details to clients

“[…] top law firm ENSafrica was ordered to pay R5.5 million, plus costs at a punitive scale, to a property purchaser who was a victim of cybercrime.

“The circumstances that led up to the judgment are similar to those that can occur when an FSP emails its banking details to clients so they can make investments.

“Moonstone Compliance is aware of at least three instances where FSPs have experienced similar fraud.

“Unless the judgment is overturned on appeal, the case sets a legal precedent in relation to liability for business email compromise (BEC).”

What clinched the case against the law firm was that, given their expertise, they should have taken more care.

“The evidence also showed it was a near-universal practice for conveyancers, and other businesses, to send their banking details to others by email.

“It does not absolve the defendant of its unsafe behaviour, which it knew at the time was unsafe and knew to take precautions against. It is not as if the defendant didn’t know better,” Judge Mudau said.

Although the case concerned a property transaction, any financial adviser whose correspondence with a client includes banking details is equally at risk.

As we know from experience, the old requirement that you should effect your business dealings with “due care and diligence” will nail you if you fall victim to a similar scam.

In an operational circular dated 1 March 2023, Santam warned financial advisers of the latest fraud involving the same modus operandi as was the case in the ENSafrica matter.

“Email interception remains a preferred method for fraudsters to exploit users and commit fraud. Reports indicate that organisations have suffered huge financial losses due to an increase in email interception attacks.

“Be extra vigilant when you are requested to change bank details before processing payments. Consider if the request is a legitimate request or a scam.”

How fraudsters trick you into using fraudulent banking details

  • They intercept an email you’re meant to receive, change the banking details on the email or invoice, and cause you to make the payment into a fraudster’s account.
  • They create fraudulent business letterheads and send you emails, asking you to make future payments into their “new” account. To make the request seem more legitimate, fraudsters may even attach an account confirmation letter as “proof” that their banking details have changed.
  • Fraudsters provide false telephone and contact person details for telephonic authentication of the bank change.

Important guidelines

  • Scrutinise the banking documents and emails for differences (inconsistencies with font style, colour, and sizes).
  • Beware of near-identical email addresses. Fraudsters may add a full stop or replace a letter, or the email may subtly end with santann.co.za or san.tam.co.za instead of santam.co.za.
  • Hover over the email address to make sure the response email address is the same as the email address of the sender.
  • If possible, use bank-approved beneficiaries when using online banking.
  • Always confirm a change of banking details with a person you know at the organisation (supplier) before making any payments.
  • Validate the banking details provided via telephone before processing the transaction. Don’t use the number on the communication that you received because this information is most likely the fraudster’s details.
  • Refrain from using words such as “bank”, “bank statements”, “bank details” and “agreement of loss” in the subject line of the email.
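Two of the warning signs in the guidelines above can be checked mechanically before a payment is released: a reply address that differs from the sender address, and a sender domain that is a near-identical lookalike of a domain you trust (a full stop inserted, a letter swapped or doubled). The script below is an added example written for this page, not Santam's or Moonstone's code; the trusted-domain list, the sample message headers and the two-edit similarity threshold are constructed assumptions.

```python
"""Pre-payment header checks for the warning signs in the guidelines above.

Added example, not the page's own code. TRUSTED_DOMAINS, the sample messages
and the edit-distance threshold are constructed assumptions for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains you have verified belong to the organisations you pay.
TRUSTED_DOMAINS = {"santam.co.za"}

# Subject-line words the guidelines say to avoid (useful as an outbound check too).
RISKY_SUBJECT_WORDS = ("bank", "bank statements", "bank details", "agreement of loss")


def _domain(address: str) -> str:
    """Lower-cased domain part of a header address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    Catches the tricks the guidelines name: dots moved or inserted
    (san.tam.co.za) and a letter replaced, added or doubled (santann.co.za,
    which is two edits away from santam.co.za). An exact match is not a lookalike.
    """
    if domain in trusted:
        return None
    for good in trusted:
        if domain.replace(".", "") == good.replace(".", ""):
            return good  # same letters, only the full stops differ
        if _edit_distance(domain, good) <= 2:  # assumed threshold
            return good
    return None


def check_message(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of findings for a raw RFC 822 message (empty = nothing seen)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    # If there is no Reply-To header, replies go back to the From address.
    reply_dom = _domain(msg.get("Reply-To", "")) if msg.get("Reply-To") else from_dom
    if reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        good = lookalike_of(dom, trusted)
        if good:
            findings.append(f"lookalike-{label}:{dom}~{good}")
    subject = (msg.get("Subject") or "").lower()
    for word in RISKY_SUBJECT_WORDS:
        if word in subject:
            findings.append(f"subject-keyword:{word}")
    return findings


# Constructed sample: From is genuine-looking, but replies are steered elsewhere.
RAW_SUSPICIOUS = """\
From: Santam Accounts <accounts@santam.co.za>
Reply-To: Santam Accounts <accounts@santann.co.za>
Subject: Updated bank details for your next payment
To: adviser@example.com

Please note our new banking details for all future payments.
"""

# Constructed sample: ordinary correspondence from the trusted domain.
RAW_CLEAN = """\
From: Santam Accounts <accounts@santam.co.za>
Subject: Your policy schedule
To: adviser@example.com

Attached is your policy schedule.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", RAW_SUSPICIOUS), ("clean", RAW_CLEAN)):
        print(name, check_message(raw) or "no findings")
```

A non-empty finding list means the change of banking details must be confirmed by telephone using a number already on file, as the guidelines say, not that the payment is automatically declined. The lookalike check deliberately also flags genuinely different organisations whose domains happen to be within two edits of a trusted one; for a pre-payment review that extra phone call is the intended outcome.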

An inside job?

What was not mentioned in any of the reports I read was the fact that the perpetrators of these schemes must have known of the pending payment, which implies inside knowledge.

Another question that arises is how the false bank account is opened. With all the identification requirements, surely the bank should be able to identify the perpetrator.

Red tape

The increase in criminal activity has added tremendously to the administrative burden on product providers. Advisers, as the intermediaries between providers and clients, are saddled with the practical outcomes. One only has to look at the FICA requirements to get an idea of what this entails.

Between crime prevention and the fair treatment of clients, the poor man in the middle is saddled with more and more obligations and, unlike our faltering state-owned enterprises, there are no financial lifelines every time you mismanage your practice into the red.

Grey-listing implications

As if the current burden is not enough, we are still awaiting the practical implications of the recent decision by the Financial Action Task Force (FATF). Allan Gray noted that it is somewhat reassuring that, due to the measures implemented by the financial services sector, the sector was not included in the eight areas of strategic deficiencies that have to be addressed.

“However, this does not mean that the sector will not be impacted. Following the FATF’s decision, international fund managers and their administrators will review their distribution practices in South Africa, based on their own internal risk-based approaches. This could result in additional due diligence requirements.”

My biggest concern is that our profession is becoming less and less attractive to potential new advisers. In the end, the good intentions of legislators could be to the detriment of those they profess to protect, and lead to the destruction of an industry that fulfils an extremely important role in the provision of protection on a wide front.

1 thought on “Santam alerts advisers to email interception cyber scam”

  1. Thank you.
    Fiduciary duties should also be on every service provider’s mind & desk, applied with pragmatic incumbency.
    Academically, also centrally questioned in all their qualifying exams, not only for practical erudition, but also to be prepared and pre-equipped to act swiftly well in advance against rising cyberspace crime, fraud, forgery & uttering, misinformation, disinformation, delictual & general crime.
