Cybercrime has become frequent in conveyancing, where immovable property is bought and sold. This is mostly because property sales are high-value transactions and thus a natural target for fraudsters.
Business email compromise (BEC) is an email-based social engineering attack that aims to defraud its victims. BEC attacks often bypass traditional email filters and blend in with normal email traffic; this allows fraudsters to intercept emails and alter the invoices or the emails themselves. The common goal of a BEC attack is to trick the victim into performing some action, usually the payment of funds into a bank account controlled by the hacker.
In Edward Nathan Sonnenberg Inc. (ENS) v Hawarden the court placed a large responsibility on law firms to warn and protect their clients against BEC attacks:
- Hawarden signed an offer to purchase a property for R6 million. She then paid a R500 000 deposit into the real estate agency’s trust account. She noted the agency’s BEC warning and consequently confirmed the banking details telephonically prior to making payment.
- However, Hawarden did not do this before paying the outstanding amount to the law firm (ENS) responsible for the transfer of the property. The firm emailed Hawarden to tell her how to make payment. Hackers subsequently intercepted this email in a BEC attack and changed the banking details. Hawarden paid R5.5 million into the hacker’s account because of this change. The bank was unable to recover Hawarden’s money.
- Hawarden then sued ENS for the loss that she suffered. She claimed that they had a duty of care toward her to protect her against a BEC attack as they were aware of the risks and should have shared the banking details in a secure manner before she paid the money.
- The court found that the law firm failed to live up to the duty of care owed to Hawarden by failing to safeguard their client against a BEC attack and not making use of the readily available solutions and therefore acted negligently.
However, ENS appealed this judgement by stating that they had in fact taken reasonable care in warning Hawarden of the ever-present risk of cybercrime.
- ENS advised Hawarden to call the agency to verify the banking details before making a payment and attached further warnings pertaining to email hacking, phishing and cyber scams to the letter containing the banking details.
- Hawarden maintained that ENS owed her a legal duty and should have taken further steps to protect her from cybercrime.
- However, the court upheld the appeal and agreed that ENS took reasonable care in warning Hawarden of the prevalence and dangers of cyber scams and that she had ample means available to her to protect herself against the known risk and cannot now shift the responsibility of her loss onto ENS.
- The court upheld the appeal.
What is the significance of this outcome for you?
While law firms are obligated to take reasonable care in warning and protecting clients from the danger of cybercrimes and how they may occur, they cannot bear full responsibility for the actions of their clients. This case has made it clear that responsibility will not be shifted from the client if they have not made a reasonable effort to avoid cyber scams; therefore, it is crucial that individuals take steps to avoid falling victim to the popular BEC attack.
What are some steps you can take to protect yourself from BEC attacks?
- Update all your software and beef up your anti-virus and anti-malware protections and protocols
- Never pay anything without checking bank details directly with the business, either in person or telephonically (do not use the phone numbers on the emails or invoices, they could easily have been faked as well).
- Check email addresses carefully: make sure the return address is the same as the sender’s address.
- Watch for subtle changes like ‘.co.za’ becoming ‘.com’ or vice-versa, and remember that every hyphen, every letter, and every number in the email address counts.
- Use bank-defined beneficiaries for online banking where possible.
- Be very suspicious of any “we’ve changed our banking details” communications.
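
The two email address checks above (return address versus sender's address, and near-miss domains such as '.co.za' becoming '.com') can be automated over a message's headers. The Python sketch below is an added example, not part of the original article; the domain example-attorneys.co.za, the two sample emails and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed values: domains you already transact with, and two sample emails.
KNOWN_DOMAINS = {"example-attorneys.co.za"}
SAMPLE_CLEAN = (
    "From: Accounts <accounts@example-attorneys.co.za>\n"
    "Subject: Transfer costs\n\nPlease see attached.\n"
)
SAMPLE_SUSPECT = (
    "From: Accounts <accounts@example-attorneys.co.za>\n"
    "Reply-To: accounts@example-attorneys.com\n"
    "Subject: We've changed our banking details\n\nPlease use the new account.\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def lookalike_of(domain, known=KNOWN_DOMAINS, threshold=0.8):
    """Return the known domain that `domain` resembles without matching it exactly."""
    for good in sorted(known):
        # Every character counts: any difference from a known domain is a mismatch.
        if domain != good and SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None

def check_message(raw):
    """Return a list of warnings for one raw email (headers plus body)."""
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    for label, dom in (("From", sender), ("Reply-To", reply)):
        good = lookalike_of(dom) if dom else None
        if good:
            findings.append(f"{label} domain {dom} resembles known domain {good}")
    return findings

if __name__ == "__main__":
    for name, raw in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(name, check_message(raw) or "no warnings")
```

A message with no warnings only means the addresses are consistent; it does not confirm the banking details, so the telephone check in the list above still applies.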