‘Man in the middle’ scam warning for South Africa

15 Jun 2024

Unknown third parties may hack an unsuspecting person’s email account and dupe them into paying into the wrong bank account.

In 2023, the Gauteng High Court handed down a judgement in Hawarden v ENS, which found ENS liable for Hawarden’s loss and ordered the law firm to pay the sum of ZAR 5.5 million to Hawarden.

Victoria Campos, Partner, and Micaela Pather, Associate, at Webber Wentzel, have broken down the case and its reversal at the Supreme Court of Appeal (SCA).

In 2019, Hawarden was purchasing a property, and ENS acted as the appointed conveyancer for the seller.

ENS sent Hawarden an email containing its bank details (attached as a PDF document) so she could make the payment.

However, Hawarden’s email account had been hacked by an unknown third party, who altered the banking details received from ENS and passed them on to Hawarden as if they had come from ENS.

This is known as a man-in-the-middle attack, with both Hawarden and ENS unknowingly communicating with the hacker.

By the time the theft was discovered, the funds had been withdrawn and could not be recovered.

Hawarden then sought to recover the funds from ENS, arguing that it should have used more secure means to communicate with her and that she was not notified of the dangers of business email compromise.

ENS told the High Court that the court should not extend liability for pure economic loss, as it will, in the words of the Constitutional Court, create “liability in an indeterminate amount for an indeterminate time to an indeterminate class”.

Although ENS had processes to protect itself from fraud, Hawarden, whose email was hacked, did not.

The judge found in favour of Hawarden, arguing that she was an elderly divorced pensioner who was not sophisticated enough to know how to protect herself from the risk of business email compromise, unlike ENS.

“Despite ENS being aware of the risks, it failed to safely communicate its bank details, using technical safety measures or multichannel verifications,” said Campos and Pather.

“Notwithstanding the near-universal practice for conveyancers, and indeed for other businesses, of sending their banking details to others by email, ENS knew better and should have taken precautions against the loss.”

“Despite the fact that Hawarden was warned by Pam Golding of the risk of this type of fraud just three months prior to making the payment to ENS, she was entitled to ignore that warning whilst dealing with ENS having regard to ENS’s reputation and size.”

“Notwithstanding that there is no contractual relationship between ENS and Hawarden, ENS owed a general duty of care to Hawarden.”

The experts said that the judgement had far-reaching consequences for all creditors who dispatched invoices via email.

ENS appealed the judgment from the Gauteng Division of the High Court.

Not their fault

The SCA focused on determining whether Hawarden established the wrongfulness element for a delictual claim arising from an omission causing pure economic loss.

In South African law, it is an established principle that persons cannot be held liable in delict for losses caused to others via omission.

Hawarden was not ENS’s client, and there was no contractual or attorney-client relationship between them.

In addition, Hawarden’s email account was compromised, and Pam Golding previously warned her about the risks of business email compromise.

She could also have avoided the risk by verifying ENS’s bank details with the attorneys at ENS with whom she had spoken by telephone. She could also have asked the employee at Standard Bank who helped with the transaction to verify the bank details.

“Further, Hawarden was faced with the option of furnishing a guarantee versus an electronic transfer to ENS. She elected to forego a bank guarantee for a cash transfer.”

As she had ample means to protect herself, ENS could not be held responsible for Hawarden’s loss.

In addition, warnings from ENS would be meaningless, as the hacker was already embedded in Hawarden’s email.

The court thus upheld the appeal – siding with ENS.

“The appeal judgment serves as a cautionary tale for both creditors and debtors in all businesses, emphasising the importance of vigilance, secure payments and multi-verification payment processes,” said the experts.

“The appeal judgment also serves as a reminder that the person making the payment bears a responsibility to ensure that the payment is made into the correct account.”

“Whilst we are pleased with the judgment, one must be mindful that every case is fact-dependent, and the conduct of both parties will be considered in deciding where liability lies.”
