In the modern economy, handling physical cash is largely something of the past. Nowadays, thanks to advances in banking technology, funds are transferred from one account to another electronically.
While our banking systems are for the most part reliable, they are also a target for cyber criminals.
Who then carries the risk for an electronic payment that has been subverted by a cybercriminal? This article explores this question with reference to some useful case law.
When is a debtor's liability discharged?
Cheques
Our courts started developing our law on this question back when the world used cheques. Although cheques are largely outdated now, they were once the most prevalent form of payment. In Eriksen Motors (Welkom) Ltd v Protea Motors, Warrenton and another [1973] 4 ALL SA 116 (A) the position was formulated that when a debtor tenders payment by cheque and the creditor accepts it, the payment remains conditional and is only finalised once the cheque is honoured. This position is understandable, as payment by cheque was fraught with risk, not least that the cheque might not be honoured or might have been fraudulently signed.
There was an exception to this rule: where a creditor requested that a debtor make payment using a specific method of delivery (such as posting a cheque) and the debtor complied with that request, the risk inherent in that method of delivery was borne by the party that specified it, namely the creditor. In such a case, if the cheque was fraudulently intercepted, the debtor's payment obligation was nonetheless considered fulfilled despite the creditor's account not being credited.
Electronic fund transfers
In Galactic Auto (Pty) Ltd v Andre Venter [2019] ZALMPPHC the creditor sent the debtor an invoice via email and thereafter sent the debtor its banking details. Instead of receiving the creditor's banking details, however, the debtor received an email containing a different set of banking details, from an email address that was similar but not identical to the one used by the creditor. The debtor made payment to the fraudulent bank account, unaware that the details did not belong to the intended recipient. When the error was discovered, the debtor claimed that its payment into the incorrect bank account should be treated as payment in full, since it argued that the creditor was the one to have supplied these details. The high court held that the creditor is obliged to prove only that it provided the debtor with the correct bank details – that is, that the banking details which the creditor sent to the debtor were correct. Once this onus is discharged, the onus shifts to the debtor to prove that the money was transferred to the bank account provided by the creditor.
In the above case, the high court relied on Mannesmann Demag (Pty) Ltd v Romatex Ltd and Another [1988] 2 ALL SA 353 (D) for the principle that payment, even when accepted by the creditor, remains conditional and is only finalised when the payment is honoured. The court held that, to detect interception and fraudulent alteration, the debtor was merely required to verify the bank account details with the creditor before making the payment. Had the debtor done this, the risk would have been mitigated.
Professional's fiduciary duty
For those managing money on behalf of others, a higher duty of care is required before making payments with that money. For instance, in Fourie v Van der Spuy and De Jongh Inc [2019] ZAGPPHC, a firm of attorneys received an instruction, ostensibly from a client, that its banking details had changed. The firm thereafter processed six payment instructions to the new bank account before speaking with the client telephonically, at which point it was discovered that the client's email account had been hacked and the money had been received by fraudsters. The court held that, because of the fiduciary duties owed to the client, the attorney owed a legal duty to deal with the money without negligence, was required to exercise a certain degree of skill, adequate knowledge and diligence, and would be liable if it failed to do so.
The high court relied on Potgieter v Capricorn Beach Homeowners Association and another [2012] ZAWCHC where it was held that "it is not a defence to a claim by the client for the attorney to submit that he paid the wrong person and therefore he had discharged his duty to the client". Further support for this principle was drawn from Nissan South Africa (Pty) Ltd v Marnitz NO & Others 2005(1) SA where the SCA stated that "payment is a bilateral juristic act requiring the meeting of two minds." In this matter, the court held that the attorneys had failed to pay the amount due to the client, and therefore they had failed to discharge the obligation to the client. The court emphasised that had a verification process been undertaken the fraud would not have occurred.
It is therefore vital for professionals who hold money on behalf of others to put in place strong measures to reduce the risk of fraud, and failure to do so will be viewed as a breach of their fiduciary duties.
Protection against interception
The legal principle that the debtor remains liable until the payment has been credited to the creditor's bank account has not changed. Meanwhile, email-based fraud is on the rise, with 88% of international IT decision-makers reporting that they had experienced email-based spoofing of business partners or vendors in the past year. All businesses, therefore, need to protect themselves from this fraud.
In Fourie, the court made some interesting, but somewhat impractical, suggestions to help avoid falling victim to such scams. These included that EFTs should be conducted in the presence of creditors, or that account details should be verified over the phone. In a day and age where business deals are conducted from all corners of the world, it cannot be assumed that creditors will be available to oversee an EFT. Verifying details over the phone does add an extra layer of protection (assuming that the debtor contacts the creditor via the creditor's usual telephone number and does not rely on any contact details included in the dubious payment instruction), but it is also no guarantee of authenticity, particularly in an era of SIM swaps and cell phone theft, and in cases where the fraud takes place over multiple emails.
When preparing a policy on business email compromise ("BEC"), it is advisable to take a multi-pronged approach to build in as much redundancy as possible:
- Businesses that regularly receive payments are advised to include a prominent statement (whether in their official communication, their terms and conditions, or on their website) that they will not change their banking details via email.
- Individuals who regularly process payments should be trained on the mechanics of business email compromise and have appropriate methods to verify any changed banking details or unusual payment instructions, particularly when these appear to be received from unusually senior individuals in the business (a so-called "fake president" scam).
- Simulated attacks should be run on a regular basis, with data collected on employee responses to be used to improve employee training.
- Businesses should ensure that their email exchanges use state of the art security. For instance, it is relatively simple for criminals to forge the 'From' header so that email clients display an internal name and email address on an external email. Publishing SPF, DKIM and DMARC DNS records for the business's domain name makes this much harder to do, because a receiving mail server that enforces DMARC will reject or quarantine mail whose 'From' domain is not backed by an aligned SPF or DKIM result. Two caveats: a DMARC record with a policy of "p=none" only reports on forgeries and blocks nothing, so the policy should be moved to "quarantine" or "reject" once legitimate senders have been identified; and these records protect only the business's own domain, so they do nothing against a lookalike domain of the kind used in Galactic Auto, which the criminal controls and can configure with perfectly valid SPF and DKIM records of its own.
- Mandating the use of sufficiently secure electronic signatures whenever giving or changing payment instructions can further reduce the risk, particularly when this is required at the contractual level. However, we caution that self-issued (self-signed) digital certificates provide a false sense of security: anyone can generate a self-signed certificate bearing any name, so a signature made with one proves nothing about the sender's identity unless the recipient has verified and pinned the signer's certificate through some other trusted channel beforehand.
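To make the DMARC point above concrete, here is a small evaluator of DMARC identifier alignment, written for this article as an added illustration and not taken from the original text or from any product. It assumes the receiving mail server has already computed the SPF and DKIM results (they are constructed inline here rather than obtained from DNS and signature verification), and the domain names example.com, attacker.example and examp1e.com are placeholders. The organisational-domain helper is deliberately simplified and does not consult a public-suffix list, so it would mis-handle suffixes such as .co.za.

```python
"""Toy DMARC identifier-alignment check (added example; not from the article).

Shows why a forged 'From:' header fails once the receiving server enforces
DMARC (RFC 7489 alignment rules), and why a lookalike domain still passes.
Auth results are constructed below instead of being computed from DNS.
"""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")       # policy defaults to monitor-only
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain = last two labels (assumption: no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiving MTA already established (constructed for the example)."""
    from_domain: str   # domain in the RFC 5322 From: header the user sees
    spf_result: str    # 'pass' / 'fail' / 'none'
    spf_domain: str    # envelope MAIL FROM domain SPF was evaluated against
    dkim_result: str   # 'pass' / 'fail' / 'none'
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate_dmarc(record: str, r: AuthResults) -> dict:
    """Return DMARC result and the disposition the record asks the receiver to apply."""
    dmarc = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, dmarc["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, dmarc["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else dmarc["p"],
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


# Constructed DMARC record for the business's own domain (placeholder: example.com).
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"

# 1. Genuine mail: DKIM d=example.com and SPF pass for example.com.
GENUINE = AuthResults("example.com", "pass", "example.com", "pass", "example.com")

# 2. Forged From: header sent from the criminal's own servers. SPF and DKIM can
#    pass for attacker.example, but neither identifier aligns with example.com.
FORGED = AuthResults("example.com", "pass", "attacker.example", "pass", "attacker.example")

# 3. Lookalike domain (the Galactic Auto pattern): the From: domain is the
#    criminal's own, so only the criminal's DMARC record is ever consulted.
LOOKALIKE_RECORD = "v=DMARC1; p=none"
LOOKALIKE = AuthResults("examp1e.com", "pass", "examp1e.com", "none", "")

if __name__ == "__main__":
    print("genuine  :", evaluate_dmarc(RECORD, GENUINE))
    print("forged   :", evaluate_dmarc(RECORD, FORGED))
    print("lookalike:", evaluate_dmarc(LOOKALIKE_RECORD, LOOKALIKE))
```

Run stand-alone, the genuine message passes with disposition "none", the forged message fails and is rejected, and the lookalike message passes, which is exactly why the DNS records are a necessary control for a business's own domain but never a substitute for verifying changed banking details out of band.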
Making use of the above recommendations can substantially reduce the risk of losses due to business email compromise; however, as spoofing attacks grow in frequency and sophistication, it cannot be guaranteed that even the most comprehensive email security policy will prevent every attack from bearing fruit. For this reason, we recommend that businesses also obtain appropriate cyber fraud insurance.
Conclusion
Despite the rise in spoofing attacks, case law clearly shows us that debtors cannot raise a defence that they have discharged their obligation by making payment according to the information they received without taking steps to verify such information. For those holding money on behalf of others, the duty to verify this information is even stronger as they are required to exercise a certain degree of care and skill in doing so.
Contact us if you would like assistance in preparing appropriate policies or employee training material to address this risk.