The fraudulent interception of emails to change bank account details is nothing new. The second case recently in the news concerns a transaction that took place in June 2018, and the outcome of the appeal was announced this week.
GroundUp reports as follows:
Judge Strydom said Hartog had emailed Karin and Brigitte informing them of the amount payable to them from the sale. He requested that they send him “instructions and bank details”.
Three days later, Patrick emailed Hartog providing details of his Standard Bank account.
Hartog sent a further email to Patrick confirming the instructions and asking for confirmation of the bank account details.
While Patrick said he responded on the same day, Hartog claimed he did not receive that email.
Then Hartog received what he believed was a further email from Patrick, asking that Hartog deposit the money into another account. Attached was a purported account confirmation from Standard Bank.
Hartog said he accepted the authenticity of this and made the payment.
It later emerged that the email had been sent by a fraudster.
Judge Strydom said Hartog did not inquire further as to the reason for the change of account number. He said neither party made a specific election to use emails, and the question was who should bear the risk for the loss and how the fraudster obtained the information to perpetrate the fraud.
Judge Strydom also dismissed Hartog’s contention that Standard Bank had been negligent.
The bank said Mr Simelane had opened the account following a Fica process. His identity had been verified and proof of residence obtained and there was no reason to suspect that the account was going to be used for fraudulent purposes.
The bank contended that it had no duty to match an account name with an account number.
Judge Strydom said to find the bank liable, wrongfulness and negligence would have to be established.
Mr Simelane was not an anonymous client, and there was no evidence that the bank should have conducted due diligence on the account or that it could have prevented the receipt of funds into it.
The judge said there was no evidence to support a finding that the Fica requirements had been negligently breached.
The other case concerned a prominent legal firm. As reported by Moonstone, the client made an electronic payment of R5.5 million into what she believed was an ENS trust account. The account details were in a PDF attachment that was emailed to her by one of the firm’s conveyancing secretaries.
Unbeknown to the client, her email account had been hacked and the email containing ENS’s account details was intercepted by a fraudster who changed the PDF to reflect the fraudster’s bank account details, resulting in the funds being deposited into the fraudster’s account.
The client contended that ENS was well aware of this type of fraud before the incident took place, which was apparent from the warnings contained in ENS’s investment mandate sent to her after she had made the payment but before the fraud had been discovered.
ENS submitted that the client could have avoided her loss by asking the employees who dealt with her deposit to confirm ENS’s bank details when she spoke to them while she was at her bank, or she should have sought the help of her bank.
A digital forensic expert who testified for the client presented evidence about business email compromise (BEC) and the measures that were available in 2019 to communicate safely. Other witnesses provided testimony about the level of awareness of BEC among conveyancers at the time and the measures they could take to prevent it.
Concerning the legal firm’s responsibility, Judge Phanuel Mudau noted: “ENS is undoubtedly an experienced conveyancer, which understood the risks inherent in conveyancing transactions. The implications of its own investment mandate confirm its knowledge at the relevant time of the dangers of BEC. This is clear from the warnings contained in its investment mandate and its Acceptable Use Policy, and the numerous concessions to this effect made by its witnesses.”
Concerns
- In the first case, the judge said: “The fraudster must have become aware of an imminent transfer of a substantial amount of money … further he must have obtained the email addresses of Patrick and Hartog.”
- In the same case, Standard Bank contended that it had no duty to match an account name with an account number.
- The “purported account confirmation from Standard Bank” would have had to reflect the client’s real name. If not, the bank should investigate how a document which is accepted as legitimate could be modified.
- The judge found no evidence to support a finding that the Fica requirements had been negligently breached.
When the fraudster opened the account into which the money was diverted, he was identified by means of ID and place of residence. This implies that prosecution, and the possible recovery of at least some of the money, should be easy.
Investigations into how the fraudster obtained the email addresses, and became aware of the imminent transfer, will no doubt help to address what appears to have become yet another instance of cybercrime. Given the sophisticated state of crime syndicates, this is possibly yet another area of focus for the over-stretched legal apparatus.
I am no expert on Fica, but perhaps a referral of these and many other cases to the Financial Intelligence Centre might elicit a different view from the finding by the court. And, God forbid, more regulations for us to comply with.
Should financial advisers be concerned?
In my view, both the attorney and the law firm were seen to be experts in their field, which must have played a role in the findings against them.
Should a similar situation arise in the financial services industry, the same reasoning will apply. The old “due care and diligence” rhyme will be dusted off and recited with gusto.
As they said in Hill Street Blues: “Hey, let’s be careful out there.”