PROTECT YOURSELF: TIPS TO AVOID BUSINESS EMAIL COMPROMISE!

Eleanore Hiralall | Legal Advisor

Email remains a crucial communication tool for businesses. With the continual increase in fraud, cyber threats and cyber-crimes, email users have become an easy target for criminals to exploit. Safeguarding your emails from interception by criminal syndicates is more crucial than ever, especially when the potential loss could amount to thousands, if not millions, of rands.

Business email compromise is a sophisticated scam targeting businesses and individuals, leading to significant financial and data losses. Understanding how to safeguard your email communications and implementing effective security measures is essential to prevent falling victim to these attacks.

Case Law

Leading case law on business email compromise is currently being adjudicated by our courts.

The Supreme Court of Appeal (“SCA”) recently handed down judgment in the matter of Edward Nathan Sonnenbergs Inc v Hawarden 2024 (5) SA 9 (SA), which judgment has been referred to the Constitutional Court for a final determination.

Background

Edward Nathan Sonnenbergs Inc. (“ENS”), a law firm, faced a dilemma when the email of a purchaser in a property transaction that it was handling was intercepted by criminals.

The fraudsters manipulated the banking details of ENS to reflect their own account.

The purchaser (Ms Hawarden) placed reliance on the fraudulent communication and effected payment into the fraudsters’ bank account. It is confirmed that Ms Hawarden was not a client of ENS. She had purchased property from ENS’s client.

Ms Hawarden suffered financial loss as a result of making payment into the wrong account. In order to seek appropriate relief for her loss, she instituted a claim for damages against ENS. Her claim was based on the concept of “Duty of Care”, which she believed ENS owed to her, in that they failed to warn her of the risks of cyber-crime and email compromise.

The High Court supported Ms Hawarden’s view, holding ENS liable for her loss. This decision, having severe consequences for attorney firms, was not taken lightly and was appealed by ENS.

The SCA overturned the High Court’s decision and held that:

a)    There was no contractual relationship between the firm and Ms Hawarden (she was not their client);

b)    To extend the duty of care on cyber-related risks to third parties is far-reaching;

c)     Ms Hawarden was no stranger to the risks associated with email interception, cybercrime and fraud, as prior to the payment made to the fake ENS account, she had made payment to the Estate Agent for their commission, during which they had disclosed the dangers of fraud and cyber-crime to her; and

d)    With knowledge of such risks, she had the option to request her Bank to verify the ENS bank account.

The SCA’s Findings

The SCA agreed with the submission put forward by ENS supporting the view that it could not be liable for a third party placing reliance on information provided, as such liability would be far-reaching, in light of there being no contractual relationship between the parties.

Ms Hawarden has not accepted the SCA’s findings and has referred the SCA’s judgment to the Constitutional Court to be overturned, as she is of the view that ENS remains liable to her for the financial loss she suffered. This application is yet to be heard and will undoubtedly set a precedent for all attorney firms and other creditors going forward.

Key Learnings

Whether or not you have a contractual relationship with a financial institution or attorney firm, with the significant increase in fraud, business email compromise and cyber-related crimes, it is crucial to always verify banking details before making payment into an account.

Here are some tips for you to be mindful of. Ensure that you:

·       Employ email filtering and security solutions for your emails;

·       Encrypt sensitive data using password protection;

·       Check the email address the message originates from to ensure legitimacy; an incorrect letter or digit in the naming convention could be an early warning sign;

·       Avoid clicking on any suspicious links;

·       Enable Multi-Factor Authentication;

·       Whenever possible, have a face-to-face meeting to reduce the risk of sensitive information being intercepted online;

·       Request a printout of the actual letter with banking details directly from the organization, so that there will be little to no room for email interception; and

·       Make telephonic contact to confirm banking details.

It is the responsibility of each of us to ensure that when making payments to external third parties, due diligence is carried out to avoid falling prey to any fraudsters or scams.