PAYMENTS LOST DUE TO CYBERCRIME, WHO IS TO BLAME?
It’s common practice in many law firms, and other law firms alike to send and receive banking details via email. But if you’re familiar with the recent Johannesburg High Court ruling in Fourie v Van der Spuy and De Jongh Inc and Others (2019) JOL458L8 (GP), the court ordered a local law firm to pay a cybercrime victim R5,5 million – plus interest – and punitive legal costs, something that will definitely make any company think twice before hitting the send button.
We have all been exposed to fraudulent emails and phishing attempts, demanding payment into a banking account. What happens when you act upon those instructions and make a bona fide payment into the wrong account? Who is held liable when a supplier demands payment for goods or services and you realize that you have paid into the wrong account? The effect can be devastating for both parties.
The Court held, in the aforementioned case, that the nature of a trust account imposes a very strict obligation on the Attorney and a very high degree of care and skill is required from Attorneys dealing with client’s Trust money. The Attorneys could have easily avoided the situation if they acted diligently and verified the banking details telephonically before transferring money out of the Trust account. The Court held that they failed to act with the required skill and diligence and were therefore held liable to pay the Applicant.
This obligation is not only on an attorney firm, but also on the client, in a lesser degree, and any other company making and or receiving payments from clients.
The new Cybercrimes Act, Act 19 of 2020 might bring some relief to the parties involved. The Act aims to criminalize unlawful access, use and distribution of data and data messages. It will also regulate the power to investigate and adjudicate cybercrimes.
You might think that, if one party’s email system was hacked, that party should bear the liability. While allocating liability to the hacked party would be an easy rule, it is not the rule that has developed, primarily because although the hacked party may (or may not) have failed to implement proper safeguards to prevent an email intrusion, the party that complied with the fraudulent payment instruction may be equally or more culpable and there may be a multitude of other facts that should lead the payor to question the situation.
Conclusion
It is however clear from many previous court battles that the courts will not look favorable on a party that was deemed to be negligent. It is of the utmost importance, when dealing with invoices and payments from an online source, to be vigilant and adopt measures to reduce the risk of EFT fraud and invest in cyber-crime insurance to cover such a loss. Otherwise, a business may find itself in an uncomfortable and very costly law suit with a valued customer or vendor.
Always contact Hendrikz & De Vletter telephonically as well prior to making any payments.