As governments are rolling out tougher measures to halt the rapid spread of the coronavirus pandemic, criminals are taking advantage of the ensuing anxiety to defraud victims online. The sudden increase in remote work has introduced a new set of cyber security risks to organisations.
The FSCA also recently encouraged the public to utilise available digital platforms, where possible, and to be on high alert for any fraudulent scams and investment offers that sound too good to be true. It is therefore important for FSPs to have processes in place to ensure that neither they nor their clients are defrauded by cyber criminals.
A recent Supreme Court of Appeal (SCA) case highlights the far-reaching implications:
The issue for determination on appeal was whether the appellant, a financial services provider, breached a mandate in terms of which it was authorised to invest and manage money entrusted to it by the respondent by releasing funds in response to fraudulent emails.
● On 23 November 2015 Mr F, a mining consultant, gave a written mandate to the FSP to act as his agent and invest money with Investec Bank on his behalf.
● The written mandate stipulated that “All instructions must be sent by fax or by email with the client’s signature.”
● In August 2016 fraudsters hacked the Gmail account of Mr F and, utilising his authentic email credentials, sent three emails to the FSP on 15, 18 and 24 August 2016.
● The FSP was instructed to transfer specified amounts to accounts of named third parties at FNB.
● As a result the FSP paid out a total of R804 000 from Mr F’s account to unknown third parties in three tranches.
● Mr F became aware of this and notified the FSP that the emails had not been sent by him.
● The high court found that there had been a breach of the mandate and that consequently the FSP was liable.
● In the SCA, the appeal turned on the proper interpretation of the original written mandate and whether the FSP acted in breach thereof.
The outcome of the SCA case
After considering the meaning of the word ‘signature’, the SCA held that ‘signature’ in the everyday and commercial context serves an authentication and verification purpose. The SCA held that the court could not be faulted for concluding that what was required was a signature in the ordinary course, namely in manuscript form, even if transmitted electronically, for purposes of authentication and verification.
The instruction was not accompanied by such a signature and the high court correctly held that the funds were transferred without proper instructions and contrary to the mandate. The SCA went on to conclude that in the present case the emails were in fact fraudulent. They were neither written nor sent by the person they purported to originate from. They were fraudulent as they were written and dispatched by a person or persons without the authority to do so. They cannot be binding on Mr F.
As a result, the appeal was dismissed with costs and the FSP was held liable for its client’s loss. Please revisit your own mandates and make sure they are watertight.
A broker commented as follows on this case. “When instructed via electronic media to pay monies into a client’s account, we should be very cautious. A cross check should be made against existing account numbers, or possibly a phone call to verify the instruction. Simply following an instruction from a Gmail account without taking some precautions may prove costly.”