“If you suspect deceit, hit delete!” (Online cybersecurity slogan)
October is Cybersecurity Awareness Month, a good time to note that as cybercrime continues to grow, more and more businesses and individuals are falling victim to the dreaded “BEC” or “Business Email Compromise” fraud.
The million-dollar question: Who takes the hit?
Typically in a BEC fraud, email or other electronic communications between a creditor and debtor (often a seller and buyer, or service provider and client) are hacked by criminals, who con the debtor into paying what they owe into the fraudster’s bank account. By the time the parties realise they’ve been had, the criminals are long gone, and all that remains is the million-dollar (sometimes quite literally!) question: “Which one of us takes the hit?”
Until now we have been faced with conflicting High Court decisions on this point, but now the SCA (Supreme Court of Appeal) has settled it: The risk is the deb
tor’s.
A car dealership must pay twice over
It was a classic case of BEC: A dealership bought two Hyundai Nissan NP200 vehicles from another dealership for R145,000 each. The seller issued invoices showing its banking details. The buyer paid by EFT and sent proof of payment to the seller, which happily (without checking that the funds had actually landed in its account) delivered the vehicles to the buyer.
As always with these cases, one can imagine the sinking feeling that greeted the parties’ realisation that the seller’s emails and the attached invoices had been intercepted, and the banking details subtly altered. As a result, the buyer had paid the full R290,000 to the criminals’ bank account.
Long story short, a real seesaw of a legal battle ensued. The buyer said, “I’ve already paid you”. The seller retorted, “No you haven’t, you paid the criminals,” and sued the buyer for the R290k. The seller won in the Regional Court, lost on appeal to the High Court, but then turned the tables again and celebrated victory in a further appeal to the SCA.
Verify, verify, verify
The SCA’s findings amount to this:
- The onus is always on you as buyer to prove, on a balance of probabilities (i.e. more likely than not), that you have paid the seller.
- When you pay by EFT, you must show that the seller actually got the money. In other words, that you paid into the correct bank account.
- Creditors (recipients) have no legal duty to protect debtors (payers) from the possibility of their accounts being hacked where the debtor could have taken steps to protect itself but failed to do so.
- The obligation therefore is on you as debtor to ensure that the bank account details in the invoice are in fact correct and verified because “it is the debtor’s duty to seek out his creditor”. Fail to follow basic verification steps, and your payment to the wrong account does not remove your liability to pay the debt — you still have to pay your creditor.
Bottom line, the buyer in this case should have verified the banking details given in the emailed invoices before paying. It didn’t, so it couldn’t prove that it had paid into an account authorised by the seller.
It must pay the seller the R290k, with interest and doubtless substantial legal costs.
Don’t make the same mistake
These scams grow more sophisticated by the day, fuelled now by AI-perfected deep fakes, cloned websites and social engineering. Treat all emails, all electronic messages, and all electronic invoices with great suspicion — even if they appear to come from businesses you have known and trusted for decades. Verify bank account details (preferably by speaking to the creditor directly on a number you know to be correct) before paying a cent.
Property sales are particularly vulnerable
Be especially vigilant when buying or selling property because these high-value sales are a particular focus for cybercriminals worldwide. There are rich pickings in the offing, and the opportunities for baddies to intercept and falsify emails is multiplied by the range of trusted role players involved — typically several sets of attorneys, estate agents, and banks as well as the buyers and sellers themselves.
A final note on online security
Let’s end off with a note to everyone: Keep reminding your whole team (not just your accounts department) that securing your computer and email systems against bad-actor compromise is no longer a nice-to-have, it’s essential. This whole unhappy saga could all have been avoided if everyone involved had followed basic security protocols. Prevention is always better than cure.
Give us a call if you need any help or for more guidance contact our Information Technology & Intellectual Property department at DKVG.
Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us for specific and detailed advice.
© LawDotNews