A victim of email fraud in South Africa must get more than R5.5 million from a South African law firm.
One of the top legal firms in South Africa has been found responsible for R5.5 million that a prospective buyer of property planned to deposit in its trust account. The money was taken as a result of scammers faking emails from a company employee.
Judge Phanuel Mudau of the Johannesburg High Court determined that Edward Nathan Sonnenbergs (ENS) must pay Judith Hawarden R5.5 million, plus interest, and punitive court costs.
Hawarden asserted in her arguments that ENS owed her a duty of care and that, in communicating with her, it had a legal obligation to alert her to the threat of “business email compromise (BEC),” which was on the rise and was already pervasive.
She claimed that the business should have advised her to confirm the account information before making any payments and that it should have loaded its trust account information onto online banking platforms rather than requiring that the account number be transmitted via unprotected and risky emails.
ENS denied responsibility, arguing that Hawarden had been careless in using an electronic transfer without verifying the accuracy of the bank information.
The incident began in 2019 when Harwarden made an R6 million bid through Pam Golding Properties on a property in Forest Town. She gave the estate agent a straight deposit of R500,000.
The conveyancing attorney was chosen by the seller to be ENS.
Eftyhia Maninakis, a secretary in the law firm’s property division, sent Hawarden an email with information about what was still needed for the deal to close and the choice of offering a bank guarantee for the outstanding sum.
Hawarden was unaware that this email was a scam, that the legitimate email had been intercepted, and that the details of the company’s bank account had been changed.
A few days later, Hawarden called Maninakis in response to this email. Maninakis assured her that she could give ENS a straight cash payment for the unpaid balance.
Later that day, Hawarden got an email that seemed to be from Maninakis, which she thought was a follow-up to their previous talk.
The company’s bank account number was included in that email, according to First National Bank.
The email address was from ensafirca.com, not ensafrica.com, which Hawarden missed.
Judge Mudau said the emails actually sent by ENS had been intercepted and forged and the bank account details were incorrect.
Further correspondence between Hawarden and Maninakis was also intercepted by the fraudsters, including an investment mandate which contained several warnings about BEC. This was after payment had been made but before the fraud was discovered.
The money was paid into the FNB account but was transferred out, and the bank was unable to retrieve the misappropriated funds.
The now-retired Hawarden testified in court that neither of the two emails made it clear that they were false, and that she was unaware of the risks associated with corporate email intrusion.
She claimed that after depositing the funds into the bank account of the scammers, ENS sent her a statement of account requiring a second payment.
A caution that had been missing from earlier messages was present at the bottom of that account, advising readers to call the company’s bank to confirm its financial information.
Hawarden admitted in court that she had dealt with a lot of money before and after her divorce and that she had heard the BEC’s warning on the Pam Golding email, but she claimed that she had not engaged in any financial misconduct.
Hawarden called in Anton Van’t Wout, a digital forensics expert witness, who created a video presentation for the court demonstrating how easily an email may be changed.
He offered alternate, safer channels for disseminating information.
According to his testimony, ENS could have used a secure site without a problem.
This type of cybercrime is a well-known issue, according to another witness, attorney Mark Heyink, a specialist in information and communications technology law.
In response to cross-examination, he acknowledged that the majority of lawyers send client invoices via standard emails with PDF attachments and that his evidence reflected what should be done rather than what really occurs.
Maninakis’ testimony was lead by ENS, who claimed not to be aware of the PDF
She said that because she did not know at the time that Hawarden would pay the money in cash rather than by bank guarantee, she did not send the initial mandate letter with the fraud warnings to Hawarden.
Because she was communicating with her own bank about the situation, she also believed Hawarden was in “safe hands.”
Hawarden, according to Judge Mudau, blamed ENS for her loss because the company, in her opinion, should have taken more precautions to protect her and employed more secure channels of communication with her.
According to her, ENS was well aware of this kind of scam.
The evidence in this case demonstrates how common BEC assaults are, particularly in the conveyancing sector.
The parties’ experts concur that BEC has existed for some time.
“ENS argues that if this court finds ENS responsible, it would subject all conveyancers, large and small, to similar claims from third parties, with whom they have no contact, for damages they sustained at the hands of fraudsters who breached their own email accounts.
“ENS asserts that this practice, which is almost widespread among firms, would have a rippling effect on not only all law firms but also all companies that send invoices to customers through email that include banking information.
The judge stated, “ENS maintains that it is the debtor’s responsibility, who chooses to make an electronic payment, to verify that it is deposited into the proper account.
“ENS failed to safely communicate its bank details using technical safety measures … Hawarden depended on (ENS) to act professionally.”
The judge said the fact that most businesses sent their banking details by emails did not absolve the law firm from unsafe behaviour “which it knew at the time was unsafe and knew to take precautions”.
“Viewed objectively, Hawarden cannot be faulted for placing her trust in the firm who she believed was a very large and reputable firm.
“I have no difficulty in finding that the firm’s banking details were financially sensitive information and needed to be treated as such, that the risk of BEC was foreseen by ENS….and that sending bank details by email is inherently dangerous.
“The risk of loss to Hawarden was highly foreseeable by ENS.
“The interests of society demand that a legal duty is recognised in this case,” Judge Mudau said.
Punitive cost order
The judge awarded a punitive cost order because ENS breached Hawarden’s privacy by including irrelevant documents about her divorce and other investments and business dealings in the court papers.
Hawarden had made her hard drive available to ENS to conduct a forensic investigation to determine where the hacking occurred. ENS breached an undertaking not to copy certain documents on her hard drive.
%20(1).png)
