Pretoria - In yet another cybercrime matter that ended up in court, an investment company was ordered to pay back the money a man had invested with it, plus interest.
The cyber criminal depleted the man’s nest egg meant for him and his wife upon retirement.
The Gauteng High Court, Johannesburg, found PSG Wealth Financial Planning, with whom Jan Gerber had invested his money, did not establish that it complied with its contractual obligations to protect Gerber against cybercrime.
It was ordered to pay Gerber more than R800 000 – money he lost due to the cybercrime – as well as interest.
Gerber had a share portfolio with PSG investments of R855 413 to serve as retirement funds for him and his wife.
Hackers who had compromised Gerber’s email account impersonated him and convinced a representative of PSG, who managed the portfolio, to transfer an initial R250 000 of the funds into a different account.
Another payment wiped out most of his investment. An attempt to get a further transfer of R400 000 from his wife’s portfolio aroused suspicion because of grammar errors in Afrikaans.
Judge Denise Fisher commented that in this technological age, the regulation of financial relationships routinely takes place by way of email.
Types of hacking include crude extortion using sophisticated destructive software (malware), which is installed on a computer system remotely, with a ransom then sought by the hackers for its removal; corporate espionage; and money transfer fraud.
The judge said this court and others recognised that this latter type of fraud – Business Email Compromise fraud – was rife. The crime is typically committed in anonymity via remote engagement using the internet and other systems.
It is usually a confidence trick – the perpetrators dupe the person who has control over transfer rights of the money into believing that the transfer into the account controlled by the fraudster is in accordance with legitimate instructions.
“Both parties are victims of the fraud. The question is who should bear the loss,” Judge Fisher said.
Gerber and his wife had a share portfolio managed by the investment company for more than a decade.
On October 3, 2019, there was an unusual request which appeared to emanate from Gerber, asking for payment of R250 000 – something he had never sought in all the years. The email also alluded to a further change: a change of bank details from his existing account to another bank.
PSG investments received an email, supposedly from Gerber’s bank, bearing an official-looking bank stamp reflecting details of a bank account held in his name for the past 17 years.
The investment company said it did all it could to verify the information. An official sent an email to Gerber, asking for confirmation that the account was indeed his and payment could be made into it. “Unsurprisingly, the reply from the hijacked email account stated the payment should indeed be made into the nominated account,” the judge said.
An email was later sent from the hijacked email account asking for proof of payment.
The hackers had meanwhile successfully achieved payment of R250 000 of the funds from Gerber’s account into the fraudulent account. They continued with the deceit, while Gerber did not know anything about it.
A few days later an email was sent to the company, thanking it for the previous successful transaction and requesting an additional payment to the FNB account. Payment was again made into the fraudulent account, thus wiping out most of Gerber’s investment.
Emboldened by the success, the hacker then asked the company for a statement of all the plaintiff’s investments. This was forwarded.
A request then followed for a withdrawal of R400 000 from Mrs Gerber’s investment account. But this time the company’s official said the email appeared suspicious, as the Afrikaans message was not grammatically correct.
The Gerbers were then personally called by the investment company and they replied they never requested the transactions. The court heard it finally dawned on all parties that they had been duped.
A subsequent investigation revealed Gerber’s Microsoft Outlook email account had been hacked.
PSG denied responsibility for the losses and said Gerber was negligent in not taking all reasonable steps to protect his computer system against hacking.
Gerber testified that his system was password protected and that he had effective virus protection software installed.
The judge found the deficiencies in the checking process were clear – and that PSG ignored its own protocols. The checking machinery revealed that the different account was not verified as being legitimate, yet PSG decided to override this information.
Judge Fisher said the company had a contractual obligation towards its clients that they would not suffer financial loss through theft or fraud, including hacking. “The defendant has not established that it complied with its contractual obligations to protect the plaintiff against cybercrime.”