- Make sure you have the highest cyber-security and antivirus measures in place;
- Do not transact on public networks;
- Most importantly – for any significant transaction, double-check everything. Phone independent responsible persons in the recipient’s offices to confirm that the email address, the individual who provided you with payment instructions and the banking details themselves are all legitimate.
JOHANNESBURG - The current realities around cyber-fraud and mis-directed payments
There have been countless incidents of internet-related frauds, cons and deceptions in recent times, especially in relation to EFTs.
Fraudsters operate these schemes with varying degrees of sophistication, often depending on the nature of the target entity.
That said, the general pattern is as follows:
X and Y are in the midst of a transaction. X has performed. Y must pay X. X sends to Y an invoice, which includes X’s banking details. However, by whatever means, X’s email is intercepted and altered by a third-party’s malign operation (Z). Z delivers to Y the banking details, which appear to be coming from X (or an agent of X).
The banking details provided to Y are identical to X’s, save for a different account number. Y subsequently makes payment into Z’s banking account, believing it to be X’s bank account. Z sends to X a fake proof of payment.
Of course, it is an offence to intercept electronic communications. However, although these incidents are regularly reported to law-enforcement authorities, it appears that prosecutors are not winning this battle. More to the point - a successful prosecution will not necessarily even result in the return of your lost funds.
You can look to non-criminal procedures for varying degrees of legal recourse. However, these processes incur substantial costs and may take more than a year to finalize.
Likewise, a highly sophisticated fraud can, pragmatically speaking, be too expensive to prove relative to the lost sum.
Guided by the Code of Banking Practice, most banks contract out of liability caused by a customer who is intentionally fraudulent, negligent or acted without reasonable care. Similarly, our courts would likely also follow the position taken in a 2015 English case. That court recognised various arguments for why it is not feasible or commercially viable for banks to cross-reference the correctness of the account number provided, to the name of the account holder.
Medium to large transactions are most at risk. For instance, reports indicate that there were 110 cybercrime related claims from the Legal Practitioners Indemnity Insurance Fund between 2016 and 2018. A large proportion of claims stem from hijacked conveyancing transactions.
This year, the High Court in Port Elizabeth confirmed that conveyancing attorneys must be held to a high standard over money held in trust. Accordingly, it ruled that an attorney bears the responsibility of diligently verifying the correctness of an apparent change in account details.
Does this duty extend to everyday citizens when making EFT payments? A recent decision of the High Court in Limpopo suggests so. However, the judgment muddied the waters by suggesting that the position might be different if the intended recipient’s computer system contained malware that was the root cause of the misdirected payment.
While these issues are hashed out in the courts, our advice in the interim is elementary:
Five minutes of extra hassle is, without a doubt, far preferable to many months of fighting through the courts, particularly given that you might never recover what was lost.
Jason Goodison is a partner at Cox Yeats Attorneys practising in the Corporate & Natural Resources Law Team, He specialises in general Commercial Law, commercial litigation, land claims and is also experienced in Mining Law. Ryan Holtes is a candidate attorney, completing his articles within the Corporate & Natural Resources Law and Construction Teams. They can be contacted on 031 – 536 8500 or via email: [email protected] and [email protected]