Warning over invoicing fraud in South Africa – double check your emails
Although electronic invoices and banking details received via email are commonplace, a recently settled case serves as a warning to all consumers to take precautions to ensure that they do not fall victim to increasingly sophisticated cybercriminals.
This was outlined by Jaimee Best, a candidate legal practitioner at PH Attorneys, who said that for many, ignorance is bliss, with many invoices and banking details taken at face value and payments made without thought to the potential cybercriminal lurking in the shadows.
Best said the recent case of Edward Nathan Sonnenberg Inc. v Judith Mary Hawarden “sounds like a resounding warning to all consumers to take precautions to ensure they don’t fall victim to increasingly clever cybercriminals. “
In the case, Hawarden aimed to transfer the purchase price for a property to Edward Nathan Sonnenberg Inc. (ENS).
Unfortunately, she was unaware that cybercriminals had compromised her email. As a result, her email exchanges with ENS employees were intercepted, modifying the banking information intended for the purchase payment.
Hawarden proceeded with the payment without confirming the changed details, ultimately sending R5.5 million to the fraudsters’ bank account.
This fraud was only identified after the transaction, by which point the funds were no longer retrievable.
Hawarden took the matter to the High Court, where she was awarded R5.5 million against ENS. However, the Supreme Court of Appeal (SCA) handed down a judgment overturning this High Court ruling and setting aside the order.
Best explained that when hearing the matter on appeal, the SCA considered whether the element of wrongfulness had been established for a successful claim arising out of the alleged omission of ENS to safeguard Hawarden against cybercrime.
“The Court took into account multiple factors when considering the issue of wrongfulness including that;
- Hawarden was not a client of ENS;
- There was no contractual relationship nor attorney-client relationship in existence at the time of the incident;
- The loss resulted due to Hawarden’s email account having been hacked;
- Hawarden had been warned about the risk of cybercrime;
- Hawarden had failed to confirm or verify the banking details before making payment.
“The SCA concluded that although Ms Hawarden had ample means to protect herself, she had failed to take reasonable steps to mitigate the risk of cybercrime,” said Best.
It was also clarified that the stance of the High Court, suggesting creditors bear a legal responsibility to safeguard debtors against potential cybercrime, is considered “untenable,” as upholding such a view would substantially affect all creditors who communicate their banking information to debtors through email.
“The SCA held that the judgement presented a real danger of indeterminate liability, referring to the case… wherein the Constitutional Court stated that ‘if claims for pure economic loss are too-freely recognised, there is the risk of liability in an indeterminate amount for an indeterminate time to an indeterminate class’,” explained Best.
The legal expert said that Hawarden is just one of many who have been targeted and victimised by cybercriminals, with estimations that these criminals send around 3.4 billion seemingly trustworthy yet dangerous emails each day, which equates to over a trillion emails annually.
The International Monetary Fund’s 2024 Global Financial Stability Report confirms the drastic increase in cyber incidents, stating that the size of losses incurred has more than quadrupled since 2017.
“The case of ENS v Hawarden emphasises why it is important for consumers to take precautions and implement reasonable steps to protect themselves against cybercrime, as those who are victimised may have no viable recourse to mitigate their loss,” concluded Best.