Get Exam-Ready with our RE 5 Preparation Package.  Find out more 

Media Articles

Recent cybercrime judgment impacts businesses that email bank details – learn how to protect yourself ...

Posted on 13 Feb 2023

It’s common practice in many industries to send banking details via email. But if you’re familiar with the recent Johannesburg High Court ruling that ordered a local law firm to pay a cybercrime victim R5,5 million – plus interest – and punitive legal costs, you might think twice before hitting the send button.

On 16 January, Judge Phanuel Mudau ruled in favour of Judith Hawarden, who took law firm ENSafrica to court after she paid R5,5 million into what she believed was the firm’s trust account. Unbeknownst to Hawarden, her email account had been hacked, which allowed the cybercriminals to intercept emails from ENS and change the firm’s banking details to their own.

We look at the court case and give advice on how you can protect yourself and your clients from cybercriminals.

How the crime took place:

According to the judgment, Hawarden put in an offer to purchase a house in Forest Town, Johannesburg, for R6 million in 2019. She paid the R500 000 deposit directly to the estate agency, and the seller of the Forest Town property hired ENS to act as the conveyancer.[1]

Hawarden later received an email from a conveyancing secretary in the firm’s property division; it detailed what was needed from Hawarden for the sale to go through, plus an attached letter setting out the bank guarantee requirements. This email, however, was fraudulent – the hackers had intercepted the secretary’s genuine email and changed the firm’s account details to their own.

In response to the email, Hawarden called the secretary to ask if she could transfer the funds directly to ENS if her bank couldn’t furnish the guarantees by the date mentioned in the forged email. The secretary said this could be done, and that she would send Hawarden a document from FNB providing ENS’ banking account number. Later that day, Hawarden received an email with the firm’s account details, as confirmed by FNB. However, what Hawarden didn’t notice was that the word “africa” in the email address @ensafrica.com was spelt “afirca”.

Additional emails were also intercepted between ENS and Hawarden, including one that contained several warnings regarding “business email compromise” (BEC). BEC is when hackers use email to trick people into paying money into their accounts or divulge sensitive information.[2] This email was sent only after Hawarden had made the payment but before the fraud was discovered.

By the time she became aware of the fraud, the funds had already been withdrawn from the hackers’ account and couldn’t be retrieved.

Despite the discovery of the crime, ENS asked Hawarden to make the payment to secure the sale. Hawarden and the law firm failed to resolve the issue, which led to her taking legal action against them.

The court case:

Hawarden’s legal team argued that ENS should have properly warned her about the danger and prevalence of BEC in the conveyancing industry before she made any payments to them, and they should have communicated their bank details in a safe manner, using more secure means to communicate. They should have done more to protect her against the risk of loss, such as ask her to verify the account details, and their account information should have been loaded on online banking systems, instead of sending bank account details as a PDF document attached to an unprotected email. Also, the firm didn’t warn her that a direct transfer was a riskier option than payment by bank guarantees.

ENS’ legal team, on the other hand, stated that Hawarden herself had been negligent in not confirming the account details, and that it is generally the responsibility of the person making the payment to verify the account details.

ENS also stated if they were found guilty, the ripple effect of the judgment would extend to “all businesses who send their invoices, with their banking details, to their clients by email, which is a near-universal practice for all firms and indeed all businesses to do so”.

Judge Mudau said the fact that it was common practice for businesses to use email to send their banking details did not absolve ENS of its “unsafe behaviour, which it knew at the time was unsafe and knew to take precautions against. It is not as if the defendant didn’t know better.”

He added that the cybersecurity experts who testified in court agreed that email is not secure, that PDF documents can be manipulated, and several cybersecurity measures were available at the time which “would have averted the fraud”.

“In my view, the plaintiff’s case established clearly that sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated,” he explained.

“ENS was at fault on the basis of negligent conduct. The defendant [ENS] was an expert conveyancer and was facilitating and managing the transaction. Under these overall circumstances, it is not overly burdensome or unreasonable to impose liability on ENS.”

How to protect yourself and your clients

The judgment could be overturned if ENS appeals, however, it currently sets a precedent applicable to all businesses that use email to send banking details.

This case also puts a spotlight on the prevalence of cybercrime in South Africa, as well as how sophisticated hackers have become. According to a report by iDefence, an Accenture security intelligence company, South Africa saw a spike in cyberattacks on all fronts in 2019. The report also noted that when it comes to cyber threats, “South African internet users are inexperienced and less technically alert than users in other nations”.[3]

Regardless of the type of business you run, it is risky to send invoices and communicate your banking details via email, and you should consider other, safer means to communicate sensitive information. Should you find yourself in a similar situation as ENS, it could result in liability for any monetary loss caused by cybercrime and serious reputational damage. A lack of trust in your business could curtail client growth and retention and ultimately your business’ profitability and sustainability. [4]

Here are six measures you can take to avoid becoming a victim of cybercrime:

1. Educate yourself and your employees

You and your staff need to take the time to learn about the different types of cybercrimes and how hackers operate. The judgment revealed inadequate awareness of BEC amongst ENS’ staff.

Do you and those in your employ know how to spot a phishing email, or that you should only use trusted Wi-Fi networks? Do you know how to verify the authenticity of a website? Is your antivirus software up to date? For more on this, read our articles ‘Cybersecurity is everyone’s responsibility – how to protect ourselves and each other online’ and ‘Tips to mitigate cybercrime risk’.

You can also encourage staff to do courses on cybersecurity. Masthead has several online cybersecurity courses that can equip you and your team with the know-how to protect yourself and your business from cybercrime. Click here to read more.

2. Educate your clients

Speak to your clients about the threat of cybercrime and BEC. Even if your cybersecurity measures are up to scratch, theirs might not be. They need to be aware of the verification and security processes you have in place.

3. Scrutinise email requests from clients

As the case between Hawarden and ENS illustrates, hackers can quite easily intercept and alter emails including PDF documents. If you receive instructions from a client via email, call them to verify their request. Also check the email address as well as the banking account details mentioned in the email – are they the same as what you have on file for your client? Implementing these additional steps may also be required by your PI insurer to pay out claims relating to cybersecurity. Your employees also need to be aware of and follow your verification processes when receiving requests from clients.

Note: Contact your PI cover to find out what their exact requirements are regarding instructions from clients.[5]

4. Click with caution

Most people know not to click on links in email messages from strangers but also be wary of unexpected requests from people you know. Hackers can pretend to be someone by slightly altering their email address to look similar to that of an acquaintance or a colleague’s email address.

If you do click on a harmful link, immediately disconnect your device from the internet by either unplugging your network cable or disconnecting from the Wi-Fi and run a full anti-virus scan. Then, use a different device to change the passwords stored on your device. Wait until the anti-virus scan has successfully completed before using your device again.

5. Don’t send sensitive information with email

During the trial, an expert witness in the field of digital forensics and data analytics demonstrated to the court the ease with which an email could be spoofed, adding that email should not be used for “high value business transactions”.

And during a joint expert meeting, the expert witnesses agreed that when sharing sensitive information, like bank account details, a secure portal that requires two-factor authentication is a practical alternative to email. An example of two-factor identification is when a one-time pin is sent to your phone when you log into an account with your username and password.

6. Utilise email security platforms

The expert witnesses also mentioned available safety technologies that make it more difficult for hackers to spoof email addresses. These email security platforms can verify and check the authenticity of emails before they are delivered to your mailbox or alert you to the fact that the email might be harmful or carry malicious content. These include Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance Protocol (DMARC).

Cybercrime is on the rise – both worldwide and in South Africa – and hackers are using more sophisticated methods to trick people. However, by educating yourself and taking the necessary precautionary measures, you can better protect yourself, your business and your clients from cybercriminals.


Sign up for Masthead’s cybersecurity courses

To understand the responsibilities and impact that cybercrime has on a business and its clients, and to be more equipped to identify and avoid cyberattacks, register for Masthead’s cybersecurity courses. (These courses count towards your CPD hours.)

Click here to read more and register or contact your nearest Masthead Regional Office for assistance.


SOURCES:

[1] Hawarden v Edward Nathan Sonnenbergs Inc (13849/2020) [2023] ZAGPJHC 14 (16 January 2023). https://www.saflii.org/za/cases/ZAGPJHC/2023/14.pdf
[2] What is Business Email Compromise, Microsoft. https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec
[3] Insight into the cyberthreat landscape in South Africa, Accenture. https://www.accenture.com/_acnmedia/PDF-125/Accenture-Insight-Into-The-Threat-Landscape-Of-South-Africa-V5.pdf
[4] Tips to mitigate cybercrime risk, Masthead. https://www.masthead.co.za/tips-to-mitigate-cybercrime-risks/
[5] Cybersecurity is everyone’s responsibility – how to protect ourselves and each other online, Masthead. https://www.masthead.co.za/cybersecurity-is-everyones-responsibility-how-to-protect-ourselves-and-each-other-online/

MASTHEAD IS

A national supplier of risk management services to independent financial advisors and other licensed financial service providers (FSPs). Established in 2004, we help our clients overcome their risk management challenges so they can grow and thrive in an increasingly regulated industry. Providing professional guidance and practical support, our team of specialists is passionately committed to delivering tangible solutions.

Why Masthead?

CONTACT US

Phone:

021 686 3588

E-mail:

  Show Email

B-BBEE CERTIFICATE

Masthead is a level 1 B-BBEE contributor.

Read more and view certificate