Business email compromise: who bears the risk of liability?

Friday 29 November 2024

Aslam Moosajee
Edward Nathan Sonnenbergs Inc, Johannesburg
amoosajee@ENSafrica.com

Shenaaz Munga
Edward Nathan Sonnenbergs Inc, Johannesburg
smunga@ENSafrica.com

Olonathando Nxumalo
Edward Nathan Sonnenbergs Inc, Johannesburg
Olnxumalo@ENSafrica.com

In today’s digital age, business email compromise (BEC) has become a threat to businesses and individuals. BEC can be defined as ‘a criminal act where criminals illegally access an email account and communicate as if they are the user’. An example of BEC is where a fraudster impersonates a business or an individual using their email account, to lure the recipient of the email to make a payment into the fraudster’s account.

Courts globally have had to determine who becomes liable for the loss suffered in such instances. This article provides brief examples of how this issue has been dealt with in different jurisdictions.

South Africa

The leading authority on BEC cases in South Africa is the Supreme Court of Appeal’s (SCA) judgment in Edward Nathan Sonnenbergs Inc v Hawarden. In this case, Ms Hawarden, who was not a client of the law firm Edward Nathan Sonnenbergs Inc (ENS), purchased a property from ENS’ client. As per the purchase agreement, Hawarden paid the commission into the account of the estate agent (who had warned her about the risks of cybercrime) and elected to pay the remaining balance into ENS’ trust account.

ENS emailed a letter to Hawarden which contained ENS’ bank account details. However, unbeknown to the parties, Hawarden’s email account was hacked, and the fraudster replaced ENS’ letter with a letter containing the fraudster’s bank account details. Consequently, Hawarden paid ZAR 5.5m into the fraudster’s account.

After becoming aware of the fraud, Hawarden made a further payment into ENS’ correct trust account in order to advance the purchase. She subsequently instituted a claim for damages against ENS in which she contended that ENS owed her a duty of care and ought to have warned her about the risks of BEC. Hawarden succeeded in the High Court, but that judgment was overturned by the SCA.

The SCA inter alia found that: (1) because there was no contract of mandate between ENS and Hawarden, it would be an overreach to extend ENS’ duty of care to include safeguarding third parties against such risks; (2) Hawarden had been warned by the estate agent about cybercrime risks and thus could have verified ENS’ bank account details; and (3) she made the payments physically at the bank and could have asked her bank to confirm ENS’ bank details.

The SCA also accepted ENS’ submission that if it were found liable, the finding would have profound implications not only for attorneys but for all creditors who send their bank details by email.

Hawarden has applied to South Africa’s apex court, the Constitutional Court, to overturn the SCA’s findings. The Constitutional Court is still to determine her application. If it overturns the SCA’s judgment, it would be creating a new category of liability for a delict (tort) in South African law.

In Gerber v PSG Wealth Planning (Pty) Ltd, PSG Wealth Planning (PSG) received an email from a cybercriminal purporting to be Gerber (a client of PSG). In the email, PSG was requested to liquidate a portion of Gerber’s investments and to transfer those funds into a bank account that differed from Gerber’s account on PSG’s file. PSG made the payment in accordance with the email sent by the cybercriminal.

Consequently, Gerber instituted a contractual claim for the payment that was made by PSG. The High Court held that PSG was contractually liable to compensate Gerber for the financial loss he suffered. The Court held that PSG’s contractual obligation to its clients included ‘effectively employing the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that the clients will suffer financial loss through theft or fraud’. Additionally, PSG had ignored its own security safeguards with regard to verifying bank accounts, and therefore failed to discharge its contractual obligations.

Canada

In St. Lawrence Testing & Inspection Co. Ltd. v Lanark Leeds Distribution Ltd, St Lawrence Testing & Inspection Co. Ltd (St Lawrence) and Lanark Leeds Distribution Ltd (Lanark) concluded a settlement, which was subsequently made a court order. In terms of the settlement, Lanark undertook to pay St Lawrence a sum of $7000 for services rendered to it. Lanark then received an email from a fraudster, purporting to be St Lawrence’s paralegal, instructing Lanark to pay the funds into an account different from the one previously provided by the paralegal. This resulted in Lanark making payment into the fraudster’s account.

Lanark instituted an application seeking an order confirming that it complied with the settlement, despite St Lawrence not receiving the funds.

The court rejected the contention that St Lawrence should be liable for the loss as: (1) the parties did not have a contract stipulating that Lanark could rely on fraudulent payment instructions to shift liability for the loss to St Lawrence; (2) there was no evidence of wilful misconduct or dishonesty on the part of St Lawrence or its paralegal; and (3) St Lawrence’s paralegal did not act negligently in respect of its computer/email security system. The court held that Lanark had failed to comply with the terms of the settlement, and it was ordered to pay the sum of $7000 to St Lawrence.

United Kingdom

In Sell Your Car With Us Ltd v Anil Sareen, Sell Your Car With Us Ltd (the company) and Mr Sareen entered into a contract in terms of which the company undertook to sell Sareen’s vehicle and pay him £51,800. A third party, purporting to be Sareen, requested the company to send £30,000 of the sale price to an account presumably under the third party’s control. The company proceeded to make payment to the third party.

In related injunction proceedings, the company instituted a counterclaim grounded on the contention that Sareen had breached an implied term of the contract that he would take reasonable care over the security of his email communications, and that when Sareen agreed to communicate by email, he represented that he would take care over the security of his email account.

The court[1] found that there was no need to imply a term into the contract to achieve business efficacy. While the contract might be improved by such a term, the court held that the contract could function without it, since the parties could combat the risk of fraud by the use of telephone calls or other verification procedures.

In addition, the court held that when the parties agreed to engage via email, the company did not refer Sareen to basic security requirements or warn him that he was impliedly representing that he would employ reasonable security measures over his email account. Instead, the court found that the company alone was responsible for making payment into an unauthorised account, because the company was alert to the risk of fraud and had overlooked the checks included in its own procedures.

Accordingly, the company’s claims were rejected, and the court held that the company was indebted to Sareen.

United States

In Studco Building System US, LLC v 1st Advantage Federal Credit Union, Studco Building Systems (Studco) sought damages against 1st Advantage Federal Credit Union (1st Advantage) as a result of the latter processing a payment order that was allegedly induced by fraudulent conduct on the beneficiary’s part.

While Studco was waiting for its supplier to send its new banking details, Studco received an email from an unknown third party purporting to be the supplier providing new bank details. Studco proceeded to make payment to an account held with 1st Advantage which identified the supplier as the beneficiary but listed a different party’s account number.

Consequently, Studco instituted a claim for damages against 1st Advantage, which was granted by the court. The court reasoned that 1st Advantage had violated Virginia’s Uniform Commercial Code (UCC). According to the UCC, where a beneficiary’s bank knows that the account number and the name identify different accounts (i.e. that there is a conflict between the beneficiary’s name and the account number) and it still processes the payment, the bank could be in violation of the UCC. Furthermore, under the rules of the National Automated Clearing House Association (applicable to 1st Advantage) and the UCC, 1st Advantage was required to act in a commercially reasonable manner and to exercise ordinary care when making transfers.

Conclusion

While the principles laid down in different cases have been valuable, Deputy Judge Shane Kelford in St Lawrence v Lanark correctly held that this area of law would benefit from having legislation to establish clear principles for the allocation of liability.