Debtor carries the risk, says High Court in ruling on cyber-fraud liability

Posted on

It is the responsibility of the debtor to verify payment instructions, particularly because it is well known that schemes to commit online fraud are rampant, according to a High Court judgment this month.

The judgment underscores that, in cases of cyber fraud, a debtor’s negligence in not identifying red flags, such as unusual requests to change account details or email inconsistencies, will generally place the loss on the debtor. The courts expect businesses to be aware of cyber risks and to take proactive measures to avoid such losses.

The parties in the matter, Gripper & Company (Pty) Ltd and Ganedhi Trading Enterprises CC, had been doing business with each other since 2014. Throughout this time, Gripper received payments from Ganedhi in a Standard Bank account.

Gripper agreed to sell valves to Ganedhi for R866 725.25, with delivery completed on 29 April 2021. On 23 April, the parties agreed to delay payment until 27 May instead of requiring cash on delivery.

On 24 May, Ganedhi mistakenly paid the invoiced amount into an Absa account. A third party had accessed the email exchanges between the parties and sent fraudulent emails posing as Gripper’s managing director. The fraudster requested that all payments be directed to the new Absa Bank account rather than the established Standard Bank account.

It was common cause that Gripper did not verify the bank account change by phone, relying instead solely on the emails, which led to the erroneous payment.

Gripper brought a claim against Ganedhi for R1 635 129.83, but it abandoned the interest portion of its claim and sought payment of only the capital sum, R866 725.25.

Ganedhi submitted that Gripper’s email system must have been hacked and asserted that the applicant was responsible for this security lapse. Ganedhi contended that because of Gripper’s alleged negligence in managing its email security, it should be estopped (prevented) from claiming the payment.

In response, Gripper asserted that its email and server security had not been compromised, emphasising that the alleged fraudulent emails did not appear on its server. This suggested the fraud was executed from outside its own domain, countering Ganedhi’s claim of negligence.

Significant judgment on a debtor’s liability

The High Court in Cape Town acknowledged the increasing frequency of cyber-crime incidents involving fraudsters diverting payments to unauthorised accounts without either party’s knowledge. As a result, disputes have arisen over who should bear the financial loss. Many such cases have been litigated to determine the responsibilities and liabilities of each party.

Acting Judge Michael Janisch referred to the judgment in Mosselbaai Boeredienste (Pty) Ltd t/a Mosselbaai Toyota v OKB Motors CC t/a Bultfontein Toyota, which was handed down in March by the Full Bench of the High Court in Bloemfontein.

The judgment in Mosselbaai Boeredienste deals at length with the case law on this topic, and the general principles to be extracted from these cases.

Many cases involve the debtor seeking to avoid payment to the rightful creditor by claiming that the creditor’s negligence allowed the fraudulent misdirection of funds. The Full Bench noted that these defences often hinge on whether the creditor failed to secure its systems adequately.

The Full Bench underscored a key principle in South African law: it is the debtor’s duty to “seek out his creditor”. The debtor bears the risk of loss until payment is properly made to the creditor’s account. This was stated in Mannesmann Demag (Pty) Limited v Romatex, where the risk of a misappropriated payment remained with the debtor until the funds reached the creditor.

The court held that payers must ensure bank details are correct before transferring funds. This responsibility remains even if an email containing payment instructions is intercepted and altered by a third party. The payer’s obligation to confirm details directly with the seller is essential to prevent unauthorised transfers.

Failure to verify details before payment means the payer’s debt is not considered settled if payment is misdirected. Thus, the liability to pay persists despite the fraudulent misdirection.

Janisch AJ found that the principles in Mosselbaai Boeredienste applied to the current case. Ganedhi failed to verify Gripper’s bank details independently before making payment, which ultimately resulted in the funds being misdirected.

Despite Ganedhi’s argument and expert report suggesting that Gripper’s system may have been hacked, the court held this to be immaterial. Gripper did not make any representations to Ganedhi that it would receive payment in the fraudulent account, and it was not suggested that Gripper was aware its system had been hacked and failed to take steps to avoid the adverse consequences.

The court reinforced that the debtor bears the risk in ensuring payment is correctly made. This responsibility is not overly burdensome – a simple phone call to confirm account details would generally suffice, as highlighted in Mosselbaai Boeredienste.

Red flags

Janisch AJ identified several factors that pointed to Ganedhi’s lack of diligence and which, cumulatively, suggested that a prudent debtor would have taken additional steps to verify the payment. These factors included:

  • Given the well-known prevalence of cyber-crime, businesses using electronic communications and payments must exercise caution. Ganedhi, as an established business, should have been alert to these risks.
  • For seven years, Ganedhi had consistently paid into Gripper’s Standard Bank account, suggesting a pattern that should have prompted scepticism towards any request to change bank details.
  • The invoice amount was large enough to warrant a special payment arrangement, which should have motivated additional verification steps.
  • The first fraudulent email mentioned an “update” of banking details to Absa, which was inconsistent with prior banking arrangements.
  • Ganedhi began receiving emails demanding payment earlier than expected, indicating an attempt to expedite the fraudulent transfer. Given their long-standing business relationship, this urgency should have aroused suspicion.
  • The emails came from a different domain, a detail that prudent payees would likely notice and investigate.

Janisch AJ found that Ganedhi’s failure to take the steps that a prudent debtor would have taken was the proximate cause of the payment being made into the fraudulent account. Ganedhi did not put up a competent defence, either in law or in fact, to counter Gripper’s claim for payment of the purchase price, which remained due.

He ordered Ganedhi to pay the R866 726.25, plus interest at the prescribed rate from 11 March 2024 to the date of final payment. Ganedhi was also ordered to pay Gripper’s costs on the party-and-party scale.

Advice for debtors

Debtors must take careful steps to verify new bank account details provided by a creditor, particularly when received via email, law firm ENSafrica commented.

This can be done by, for example:

  • phoning the creditor’s chief financial officer or financial manager to verify the bank account details; or
  • using the functionality on electronic banking to verify that the bank account details match the name of the creditor; or
  • transferring a small amount and calling the creditor to check whether it had been received.

When calling the creditor, the debtor should not use the contact details provided in the email that records the new bank account details. Instead, the debtor should use the details provided in previous correspondence, ENSafrica said.