Sending bank details via email? Beware: your business may attract liability

On 16 January 2023, the High Court of South Africa, Gauteng Division, Johannesburg, in Hawarden v Edward Nathan Sonnenbergs Inc (13849/2020) [2023] ZAGPJHC 14 (16 January 2023), handed down a judgment in which it held that Edward Nathan Sonnenbergs Inc, a firm of attorneys (“Defendant”), was liable for the pure economic loss sustained by the purchaser in a property transaction (“Purchaser”), who fell victim to cyber-crime through business email compromise (“BEC”).

Facts of the matter:

1. The Purchaser purchased an immovable property from a third-party seller.
2. The Defendant was appointed as the conveyancer in the transaction.
3. The Purchaser chose to pay a portion of the purchase price (R5 500 000) by electronic transfer into the Defendant’s trust account.
4. The Purchaser’s email account was hacked, and the email containing the Defendant’s trust account details was intercepted and altered by an unknown fraudster.
5. The funds were deposited into the fraudster’s bank account instead of the Defendant’s account.
6. The Defendant, unaware of the fraud that was committed, called on the Purchaser to make payment of the balance of the purchase price.
7. The parties were unable to resolve the issue, resulting in the Purchaser instituting proceedings against the Defendant for the loss of R5 500 000 due to the cyber fraud.
8. The evidence at trial established that the Defendant was aware of the risks of BEC prior to the fraudulent incident and that it had failed to warn the Purchaser of the known risks of email and PDF manipulation, or of precautions that could be taken against BEC, prior to the Purchaser effecting the electronic payment.
9. BEC attacks are rife, especially in the conveyancing industry.
10. The Defendant had control over the way in which it conveyed its bank account details to the Purchaser.
11. The Defendant emailed its account details to the Purchaser in an unprotected PDF attachment.

The Purchaser’s claim against the Defendant was delictual in nature and was for pure economic loss caused by omission and the Court held as follows:

1. That a duty of care exists between a purchaser in a conveyancing transaction and the conveyancing attorneys handling the transaction to prevent harm resulting from the failure of the conveyancer (the Defendant) to warn the depositor (the Purchaser) of the dangers of cyber hacking and spoofing of emails, or of the fact that PDF attachments to emails containing sensitive information such as bank account details are vulnerable to BEC.
2. The Defendant understood the inherent risks of BEC. The risk was therefore foreseeable, and the Defendant was under a duty to guard against the harm of BEC. The Defendant’s omission to do so was negligent.
3. The Defendant was the proximate cause of the Purchaser’s loss in that it provided its own bank details and was responsible for their accuracy and the safety of their transmission. In failing to safeguard their transmission, the Defendant acted wrongfully.
4. The Purchaser’s loss was both quantifiable and determinate, and the risk of indeterminate liability, a policy consideration that militates against the recognition of liability for pure economic loss, was thus averted.
5. Factual causation was established in that, but for the negligent transmission by the Defendant of its bank account details, including its failure to inform the Purchaser, as depositor, of the dangers of BEC, the Purchaser would not have suffered the loss.
6. Legal causation was likewise established as the negligent conduct of the Defendant was linked sufficiently closely to the loss suffered by the Purchaser for legal liability to ensue, given that the loss was reasonably foreseeable under the circumstances.

What should businesses do:

The Court found that a conveyancer has a duty of care towards a purchaser in a property transaction and that such a duty would not exist in many other cases (see pars 108 and 122). This may serve to limit the application of this judgment; however, the possibility of this judgment being extended to other types of transactions exists.

Furthermore, it will be interesting to see if the matter is taken on appeal and if so whether it will be upheld on appeal.

That said, one cannot be too careful and therefore we recommend that all businesses implement at least the following risk mitigation measures:

1. Train employees on the risks of BEC and other types of fraud.
2. Regularly warn customers of BEC and instruct them to verify your bank details before making any payments.
3. Use technology to protect communications and identify threats of BEC and other types of fraud.

Here is a link to the full judgment

By Jason Dorning