Buyers – beware of digital fraud: the onus is on you

by Media Xpose

Anyone can fall victim to a cyber-attack of sorts. An article published in a conveyancing attorney’s newsletter brought to our attention phishing attacks where the property buyer is expected to take responsibility for protecting themselves against known cyberspace/digital risks. We asked our legal expert, Adv. Bryan Hack, to comment.

By Bryan Hack

Some years back, I had a very distressed client, an estate agent, now known as a property practitioner, who had received a summons to pay a sum of money due by the buyer to the seller arising from the sale of immovable property.

When asking the buyer why the payment was not made, the response was that it had been paid, and proof of payment had been provided. According to the buyer, the evidence showed that payment had been made to the account of the transferring attorney. They, of course, were the next port of call to explain why the money had not been reflected in the statement of account to the seller. They had no record of the payment.

Revealing the fraud

Further investigation revealed what had happened. The buyer had received an email from the property practitioner informing him that there had been a change of account and that he had to make further payments into this new bank account. He duly made the payment into this new bank account. This email was fraudulent, did not originate from the property practitioner, and the bank account was not that of the property practitioner. Immediately after the payment had been made into that account, it was again withdrawn, and no trace could be found as to who had ultimately received the money.

The seller then alleged that the payment liability rested on the property practitioner. My advice at the time was that they could not be held liable in the absence of any negligence on the property practitioner’s part.

At the time, the question of who could be liable was novel; in other words, it had not yet been considered and ruled upon in a court of law. Such a ruling has now been made in the Supreme Court of Appeal in the judgment of Edward Nathan Sonnenberg Inc v Hawarden, an unreported case but one that can be read on the internet service known as SAFLII.[1]

The circumstances in the above case are very similar to my client’s. What is different is that the plaintiff held the conveyancing attorney liable as the fraudulent emails purportedly came from that firm and not from the property practitioner. Regardless of the identity of the parties, the legal principles applied by the court are the same. The court identified the question to be decided as to whether or not the plaintiff had established the wrongfulness for a delictual claim arising out of any omission causing pure economic loss.

The case came to the Supreme Court of Appeal after the lower court (the High Court) found that the attorney was liable to compensate the buyer for the loss. The Supreme Court of Appeal rejected the lower court’s finding and upheld the appeal. It found that the conveyancing attorney was not liable. In addressing the different views it had with the lower court, the Supreme Court of Appeal said the following: “The effect of the judgment of the high court is to require creditors to protect their debtors against the risk of interception of their payments. The high court should have declined to extend liability in this case because of the real danger of indeterminate liability.”

Lessons learned

The court’s decision, however, again emphasises the need to be alert, cautious and consistently aware of the rise of cybercrime when effecting electronic transactions.

The court said that the issue of wrongfulness had to be decided on various considerations. First, the buyer was not the attorney’s client, and they had no contractual relationship. The loss occurred when there was no attorney-client relationship between them. The buyer suffered a loss not because of any failure in the attorney’s systems but because hackers had infiltrated the buyer’s email account and fraudulently diverted her payment, which was meant for the attorney, into their own account.

The interference that caused the loss resulted from the buyer’s email account being compromised. When the buyer made the payment, she failed to verify the account. The court said it would have been relatively easy for the buyer to have avoided the risk by verifying the account details with the attorney’s office. In its judgment, the court was influenced by the fact that the buyer could not explain why the account was not verified and concluded that the buyer had ample means to protect herself.

The court said that the lower court’s finding that the attorney’s failure to warn the buyer attracts liability has profound implications for the attorneys’ profession and all creditors who send their bank details by email to their debtors. The court said that the ratio of the high court judgment that all creditors in the position of the conveyancing attorney owe a legal duty to their debtors to protect them from the possibility of their accounts being hacked is untenable.

The lesson to be learnt is that the person making the payment must always verify the account details because they cannot recover any loss suffered by having paid to the wrong account.

Bryan Hack can be contacted at his advocate’s chambers on +27 21 423 5441 or email him at hack@capebar.co.za

What is phishing, and what can I do about it?

Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware (source: Wikipedia).

As a safeguard against a phishing attack, we asked an expert for some plain advice:

In such a quickly moving world, it can be hard to stay on top of all the emerging technologies and the security risks that come with them. However, we should be aware of the vulnerabilities within our daily cyberspaces. Phishing is probably one of the most common methods of tricking victims. The reputation of a trusted firm or friend is leveraged to entice a user to perform compromising actions or provide valuable information.

Be sure to authenticate the sender, follow up with a phone call, and if you send any links, do not download any files you are not 100% confident come from a reputable source. The cons may be crafty, but if you are vigilant, you may save yourself a massive headache!

Pro Tip: the con artist has another trick up their sleeve: spoofing. One way to see if a link has been spoofed is to hover over the link and view the full weblink in the bottom left corner. If the link is different from the official website, do not click it!

[1] https://www.saflii.org/za/cases/

Edward Nathan Sonnenberg Inc v Hawarden (Case no 421/23) [2024] ZASCA 90 (10 June 2024)
