Businesses should not underestimate the tactics cyber-criminals will employ to commit fraud by intercepting emailed bank details – what is known as “business email compromise”.
Details of the cyber-criminal’s modus operandi were disclosed in a judgment handed down by the Supreme Court of Appeal (SCA) earlier this month.
OKB Motors CC, trading as Bultfontein Toyota, agreed to buy a Toyota Etios from Mosselbaai Boeredienste (Pty) Ltd, trading as Mosselbaai Toyota, on 7 February 2018 for resale.
Mosselbaai Toyota’s sales manager emailed an invoice to an employee of Bultfontein Toyota. The vehicle was delivered the following day, but Mosselbaai Toyota did not receive payment of R159 353.76.
A third party had intercepted the emailed invoice and changed the bank details. The money was paid into the fraudster’s bank account.
The fraudster went even further. On 8 February, Bultfontein Toyota emailed the proof of payment, which reflected the incorrect (the fraudster’s) bank details, to Mosselbaai Toyota. The fraudster also intercepted this email and changed the incorrect bank details to the correct details, leading Mosselbaai Toyota to believe that Bultfontein Toyota had paid for the vehicle.
After the fraud came to light, the two motor dealerships could not resolve the payment dispute between themselves, and Mosselbaai Toyota issued summons against Bultfontein Toyota in the Magistrate’s Court.
In that court, Bultfontein Toyota raised the defence of estoppel by representation. This legal doctrine prevents a person from going back on their word or denying a previous statement or representation if another person has reasonably relied on that representation and would suffer harm or detriment because of the person’s change in position.
The Magistrate’s Court upheld Bultfontein Toyota’s plea and dismissed Mosselbaai Toyota’s case.
Mosselbaai Toyota appealed to the High Court in Bloemfontein in April 2021.
Procedural problems
The appeal was noted timeously in accordance with the Magistrates’ Courts Rules. But Mosselbaai Toyota failed to comply with the procedures for an appeal as prescribed by the Uniform Rules of Court, and the appeal lapsed in July.
Mosselbaai Toyota applied for condonation of its non-compliance with the Uniform Rules of Court, and if successful, for the appeal to be reinstated.
In November 2021, the High Court dismissed the application for condonation for two reasons:
- There were no prospects the appeal succeeding; and
- Mosselbaai Toyota failed to file a power of attorney.
Mosselbaai Toyota then applied to the SCA for special leave to appeal.
Judge Zeenat Carelse, who wrote the SCA’s judgment, said a power of attorney is not required to reinstate an appeal. Thus, the main issue for determination was whether Mosselbaai Toyota established reasonable prospects of success on appeal.
Does the estoppel defence hold up?
Judge Carelse said the Magistrate’s Court failed to consider three issues.
One of these issues was the court’s upholding Bultfontein Toyota’s estoppel defence – namely, Mosselbaai Toyota negligently misrepresented that the banking details on the invoice were the correct details.
It was common cause between the IT experts that Mosselbaai Toyota’s email system had been spoofed. Mosselbaai Toyota was aware of cybercrime in the motor industry and failed to take measures to guard against this. As a result, the Magistrate’s Court held that Mosselbaai Toyota was estopped from denying that the altered bank details were its bank details.
But Judge Carelse said the Magistrate’s Court failed to consider a material contradiction in the testimonies.
“Mr Oliver (for the defendant) testified that before he had authorised the electronic transfer of funds to the plaintiff, he had specifically asked Mrs Steyn, the sales assistant (for the defendant), whether she had verified the correctness of the plaintiff’s bank details, which she confirmed. However, when she testified, she denied this,” the judge said.
Second, the Magistrate’s Court failed to consider whether the alleged negligence was the proximate cause of the payment having been transferred by Bultfontein Toyota into the incorrect bank account. It also failed to consider whether the damage or loss that was caused by the third party who intercepted the emails was foreseeable.
Case law: is the debtor liable?
Judge Carelse said a fourth issue that must be considered was whether Bultfontein Toyota ought to remain liable for payment until such payment has been credited to Mosselbaai Toyota’s account.
She said that in the case of Eriksen Motors (Welkom) Ltd v Protea Motors, Warrenton and Another (1973), the then Appellate Division re-affirmed the principles to be applied in cases where cheques have been intercepted in the post and misappropriated by a thief.
When a debtor tenders payment by cheque, and the creditor accepts it, the payment remains conditional and is only finalised once the cheque is honoured. Any risk of fraudulent misappropriation should be borne by the debtor because it is the debtor’s duty to seek out its creditor. But where the creditor stipulates the mode of payment, and the debtor complies with it, any inherent risk in the stipulated method is for the creditor’s account.
Judge Carelse also referred to the case of Galactic Auto Pty Ltd v Andre Venter (2019). The creditor sent the debtor an invoice via email and thereafter sent the debtor its bank details. The email was intercepted, and the debtor received the email with incorrect banking details. The High Court in Polokwane relied on the Appellate Division’s decision in Mannesmann Demag (Pty) Ltd v Romatex Ltd and Another (1988) and found in favour of the creditor.
“The question that arises in this case is whether the same legal principles should find application, namely, where the debtor remains liable until payment has been credited to the creditor’s bank account. The question concerning the interception of a creditor’s banking details sent by electronic means has yet not been decided by this court,” she said.
Conflicting High Court judgments
A further reason for granting special leave to appeal was the conflicting High Court judgments on who should bear the loss arising from business email compromise, Judge Carelse said.
In Andre Kock en Seun Vrystaat (Pty) Ltd v Snyman NO (2022), the High Court in Bloemfontein held that the debtor was responsible for verifying the creditor’s banking details.
In Hawarden v Edward Nathan Sonnenbergs Inc (2023), the High Court in Johannesburg held that the defendant had a general duty of care to the plaintiff, the purchaser of immovable property, and concluded that the purchaser could not be held liable for the electronic transfer of funds into a banking account where the bank details had been fraudulently changed.
Read: Cybercrime judgment has implications for FSPs that email bank details to clients
In Gerber v PSG Wealth Financial Planning (Pty) Ltd (2023), the same court held that “the proximate cause of the loss was not the hacking; it was the failure to employ the necessary and contractually prescribed vigilance when monies held in trust were paid into a different account”.
Read: Financial services firm caught in email fraud must reimburse client
In Hartog v Daly (2023), the same court held that the electronic transfer of funds into the incorrect account did not absolve the debtor from payment.
Read: Conveyancing attorney liable for R1.4m after fraudster intercepts email
Judge Carelse found that Mosselbaai Toyota had established reasonable prospects of success on appeal.
The SCA upheld the condonation application, with costs, and referred the matter to the High Court in Bloemfontein to determine the merits of the appeal.
Use a secure platform
The prevalence of email fraud – and the resulting legal dispute – is why businesses should transact using a secure platform such as Videosign.
Videosign not only enables businesses and professionals to engage with clients remotely, but also to identify and verify clients, and to sign, record and audit their transactions in a secure, legally admissible way.
For a free demo, contact Neil Summers on 072 908 8994 or NSummers@moonstoneinfo.com