A recent costly ruling against a Johannesburg property buyer has highlighted the danger South Africans should be aware of when making online payments to bank accounts provided via email.
The Supreme Court of Appeal recently overturned a High Court order in favour of the buyer — Judith Hawarden — who had won a case against legal firm Edward Nathan Sonnebergs (ENS) over a 2019 payment which cost her R5.5 million.
The payment was supposed to be for a property in Forest Town, Johannesburg, owned by a trust for which ENS was the conveyancer.
After her email account was compromised, Hawarden had incorrectly paid the amount into what she believed to be ENS’s bank account.
She initially won a case against the law firm in the Gauteng High Court in Johannesburg in 2023, which found that ENS had a legal duty of care to its clients.
However, in a June 2024 ruling delivered by acting judge Fathima Dawood, the appeals court explained that Hawarden should have taken responsibility for failing to protect herself against a known risk.
Dawood ruled that the High Court had erred in extending liability because of the real danger of indeterminate liability.
If the SCA had ruled in Hawarden’s favour, it would have led to creditors being legally obliged to protect their customers’ accounts from getting hacked.
The invoice scam used to defraud Hawarden is a typical case of business email compromise, which begins with fraudsters gaining access to a victim’s email accounts.
Although the method for breaking into Hawarden’s account was not detailed in the case, it could have included the following:
- Using social engineering techniques to convince her to provide her email address and password
- A credit-stuffing attack using information leaked in other data breaches — like a password that might have been used on another website or platform
- Deploying information-stealing malware that captured her email login details
- Exploiting vulnerabilities in email exchange software
Whatever their method, the fraudsters deleted correspondence with ENS providing its actual bank account details and replaced it with their own.
They also used fake email addresses similar to ENS’s real accounts to convince Hawarden that they were the same party.
Hawarden transferred R5.5 million into the hackers’ FNB account, which was quickly emptied before the criminals disappeared.
FNB was unable to retrieve any of the stolen money.
Tips for protecting against business email compromise
The South African Banking Risk Information Centre (Sabric) provides several indications that your email address might have been compromised, including:
- Complaints about spam being sent from your email address
- Emails not being received
- Missing emails
- Receiving large numbers of undeliverable or bounce messages for emails you did not send
- Not being able to log into your email account
- Seeing unknown emails in your Sent Items folder
To further protect yourself from falling for a business email compromise scam, you should verify the bank account details of the company you are paying through multiple official channels.
This can include making phone calls or sending messages to numbers and email addresses listed on the company’s website or social media pages.
In a more sophisticated attack, there could be instances where the website or social media pages are compromised by hackers, who would then put their own email addresses, contact numbers, or bank details in the place of the correct information.
In such cases, a court might also find the creditor liable for failing to protect its systems appropriately, and the victim could be entitled to compensation.
Sabric’s additional tips to protect against an attack also include the following:
- Make sure your PC has the latest operating system updates and antivirus or anti-malware software.
- Set up several email addresses for personal or business communication and a third alternative to communicate with your service provider. Use yet another email address to register for websites, newsletters, online shopping, and other services.
- Use different and strong passwords for each account. Passwords must be at least six characters long and consist of a combination of uppercase and lowercase letters, numbers, and symbols.
- Keep tabs on your email settings and check regularly to see whether anything has been changed, like a backup email or phone number getting amended.
- Never list your main email address publicly or anywhere online.
- Don’t use public computers to check email, they could have been accidentally infected with malware or have had keylogging spyware installed intentionally.
Source
mybroadband.co.za