In our tech savvy world, fraudsters have begun using highly sophisticated means to steal your money.   In recent years, a type of fraud known as business email compromise (hereinafter “BEC”) or EFT fraud, has become quite prevalent, both nationally and internationally.   Although this type of fraud is often perpetrated in respect of property transactions, it can take place in any industry in respect of any transaction where the parties make use of electronic communication.

The modus operandi of the fraudsters is simple, they cause a payor to pay funds into an account of the fraudster.   This is usually done by way of forging of documents or making it seem that they are who they are not.

The result is that, almost invariably, litigation ensues between innocent parties not party to the fraud.

In the recent case of Hawarden v Ethan Nathan Sonnenbergs Inc ([2023] ZAGPHC 14), Ms Hawarden (hereinafter “the Plaintiff”), the purchaser in a property transaction who became a victim of cyber theft, instituted an action for damages against Ethan Nathan Sonnenbergs Inc (ENS) (hereinafter “the Defendant”), the conveyancers who attended to the transaction, for the loss of monies paid to the firm.

The facts

The Plaintiff purchased a property for R6 000 000,00, a deposit of R500 000,00 was paid into the estate agent’s trust account and the remaining R5 500 000,00 was to be paid into the Defendant’s account. When advising the Plaintiff via email that her offer to purchase had been accepted, the estate agent warned the Plaintiff of the risk of cyber fraud and advised her to telephonically confirm the agency’s banking details before making payment of the deposit.

The Plaintiff duly heeded the estate agent’s warning and telephonically confirmed the agency’s banking details. When effecting the EFT for the balance of the purchase price, the Plaintiff used banking details contained in an email which she assumed had been sent by the Defendant, however, the original email sent by the Defendant had been intercepted by a hacker and the banking details were amended to reflect the fraudster’s banking details. The fraudster had furtively used an @ensafirca.com instead of @ensafrica.com email address. The Plaintiff fell victim to BEC and the money was withdrawn from the account before the fraud was discovered. It is important to note that the security breach occurred on the Plaintiff’s end as it was the Plaintiff’s emails which had been hacked.

Judgment

The Johannesburg High Court had to consider whether the Defendant could be held delictually liable for the pure economic loss suffered by the Plaintiff occasioned by the theft of the R5 500 000,00. Judge Mudau held that the Defendant was delictually liable and had a duty of care to the Plaintiff, regardless of whether the Plaintiff was a client of the Defendant.

The court reasoned that the Defendant was a skilled conveyancing firm that was well acquainted with the threat of cyber fraud, but neglected to alert the Plaintiff to the dangers and preventative steps that could be taken. The Defendant could anticipate the risk of BEC and therefore had an obligation to prevent BEC. The Defendant was not exonerated by the fact that it was industry practice to send banking details via email.

Similarly, the court expressed the view that the Defendant “knew better” as its own investment mandate contained explanations and warnings against cyber fraud. Regrettably, the investment mandate was only sent to the Plaintiff after the EFT was effected and before the fraud had been exposed.

Linking to this, the court explained that there were alternative, more secure methods of dispatching banking details which could have been utilised by the Defendant. A secure portal for the exchange of sensitive information, together with two factor authentication is a possible solution.

Furthermore, the court maintained that the Defendant was the proximate cause of the Plaintiff’s loss, since if the Defendant had adequately warned the Plaintiff of the threat of cyber fraud, the Plaintiff would not have suffered loss through the theft of her money. The Defendant therefore had an obligation to protect the Plaintiff from harm and owed a duty of care to the Plaintiff. This legal duty originates the moment that the conveyancer accepts the instruction.

Discussion and opinion

As highlighted above, the email was intercepted when the Plaintiff’s emails were compromised, accordingly, the fraud occurred after the email had been transmitted by the Defendant firm and the firm’s cyber security could no longer ward off fraudulent attacks. A firm has no control over the strength of a client’s cyber defences, if the client has any security measures in place to begin with.

Furthermore, and worryingly, in this matter the Plaintiff was forewarned, albeit by the estate agent, of the risks of cybercrime and that account details should be verified.   It was accordingly no longer strictly necessary for the Defendant to have advised the Plaintiff thereof.   Causation is accordingly a real issue in this matter.

It should also be noted that, in this case, the Plaintiff as purchaser was strictly speaking not a client of the Defendant in the true sense of the word. It is custom for the Seller to appoint and instruct a conveyancer to tend to the transfer of the property, making the Seller the conveyancer’s client.    Accordingly, the Defendant has been found liable to a third party with whom no mandate was concluded.

This judgment may place an unreasonable burden on conveyancing firms to ensure that clients take steps to guard against cyber fraud and may possibly open the floodgates of litigation, which Courts are usually loathed to do.

It also bodes ill, not only for law firms, but also many industries where cybercrime is prevalent.

We trust that this matter will be taken on appeal and will await the result thereof with anticipation.