On 10 June, the Supreme Court of Appeal (SCA) overturned a ruling by the Gauteng High Court that had ordered the law firm Edward Nathan Sonnenbergs (ENS) to pay a Johannesburg property buyer ZAR5.5 million after she lost that amount to a cyber fraud scam. According to Zaakir Mohamed, Director, Head of Corporate Investigations and Forensics, CMS South Africa, the ruling is significant for several reasons, most notably because it underlines the importance of personal responsibility in cybersecurity.
The case itself dates back to 2019 when cybercriminals intercepted an email sent from ENS to the property buyer Judith Hawarden. They then changed the email’s details to include their bank details, rather than those of ENS. She then unwittingly paid over the money before the fraudsters disappeared without a trace.
In the aftermath of the incident, Hawarden took ENS to court, arguing that the law firm had failed to exercise a duty of care in warning her about potential cybersecurity incidents. She won her initial case in the Gauteng High Court.
That ruling has now been set aside by the SCA. In its judgment, the SCA placed the responsibility back on Hawarden, pointing out that she “must in the circumstances take responsibility for her failure to protect herself against a known risk”.
The SCA further pointed out that holding ENS liable in the circumstances would potentially have created an untenable situation between companies and customers in the future.
The SCA held that “[t]he effect of the judgment of the high court is to require creditors to protect their debtors against the risk of interception of their payments” and that “the high court should have declined to extend liability in this case because of the real danger of indeterminate liability.”
Mohamed supports the SCA judgment, pointing out that “the high court judgment caused a lot of debate.”
“It was a little bit concerning,” he says, “because the court laid the fault of the entire incident on ENS on the basis that because ENS is a law firm, the lawyers at ENS had a legal duty and responsibility to ensure that they made the individual aware of business email compromise scams.”
Mohamed further points out that the SCA judgment is also consistent with the South African common law principle that it is the responsibility of the debtor to seek out the creditor in financial transactions.
“If I owe you money, it is my responsibility to ensure that I pay you the money and that you receive the money from me,” he says. “In the context of these kinds of business email compromise (BEC) cases, the courts have been using that principle to assert that if anyone is paying money over to someone, it is their responsibility to make sure that it is paid into the creditor’s correct bank account.” Each case will, of course, need to be assessed on its own facts.
Lessons in avoiding business email scams
Given that principle, Mohamed points out that it is critical that people always exercise considerable caution when it comes to financial transactions.
“People need to be aware that, even with the best systems in place, they must be quite vigilant when it comes to paying money over to companies,” he says. “Before you pay money over, do not just rely on bank account details that you receive via email. Phone the person that you are dealing with on a particular transaction and verify with them that the account details are correct.”
Ultimately, he says it is also about customers taking basic, pragmatic steps to ensure that their risk of falling victim to cyber fraud is as low as possible.
“That means being vigilant about things like misspelt email addresses, typos in emails, and designs that do not exactly match those of the organisation concerned,” he says. “With cybercriminals becoming increasingly sophisticated, this kind of vigilance is more important than ever.”
Mohamed adds that businesses can also play a role without increasing the potential for liability.
“If you are a business, you may want to register your account details as a public beneficiary so that customers do not have to fill in details because they have already been pre-loaded on the relevant bank’s system,” he says.
He also believes that it is important for organisations to engage in regular awareness and education programmes with their customers and employees. Not only do such programmes reduce the likelihood of customers falling victim to scams, but they also help ensure that the organisation itself does not fall victim to cybercrime.
“While it is advisable for organisations to engage in such awareness campaigns, the onus cannot lie solely on them,” he concludes. “We all have a responsibility when it comes to our own cybersecurity. Vigilance is especially important in financial transactions as large as the one at the centre of this case, but we should take high levels of care in everything we do online.”