One Call, Millions Saved: The Surge of Cyber Law Cases
Introduction
The Western Cape High Court recently delivered judgment in yet another cybercrime incident. These cases have been growing rapidly, signalling a surge in cybercriminal activities. One might have expected a decline in such incidents, given the legal precedents addressing them, but this has not been the case.
Facts
The parties involved in the case had been doing business together since 2014, with the Applicant consistently using the same banking details throughout their relationship. In October 2021 (although it seems the judgment erroneously recorded the year, as subsequent events occurred earlier in 2021), the parties entered into a sale agreement for valves. The Respondent was to pay the capital amount of R886,726.25 on a later agreed-upon date, although delivery was promptly completed.
At some point, a third party intercepted email communications between the parties and sent an email to the Respondent, purporting to notify them of a change in the Applicant’s banking details—from one reputable bank to a completely different reputable bank. Further fraudulent emails from the third party, including one purportedly confirming the updated banking details, were also sent.
On the agreed payment date, the Respondent proceeded to pay the amount into the fraudulent account provided by the third party without taking steps to verify the legitimacy of the change. The Respondent did not even make a phone call to confirm the details. When the Applicant followed up on the payment after noticing its absence, the Respondent realized it had fallen victim to cybercrime.
Discussion
The Respondent appeared unrepresented during the hearing, although the outcome would likely have been the same even with legal representation. The lack of representation did not significantly prejudice the Respondent in this case.
The Respondent argued that the Applicant was to blame for the email interception, submitting an expert report that confirmed the Respondent’s own systems had not been compromised. The Respondent contended that the Applicant’s negligence allowed the third party to intercept the emails. However, the Applicant, in its founding papers, had already stated that its security systems were not compromised.
The Court referred to established case law, which reaffirms the legal principle that “…it is the debtor’s obligation to seek out his creditor and that until payment is duly effected, the debtor carries the risk that the payment may be misappropriated or mislaid.”
The Court found that the Respondent acted at its own risk by failing to verify the change in banking details. A simple phone call could have prevented the loss. The Court further held that the interception of the email systems was not the proximate cause of the loss. Instead, the loss was caused by the Respondent’s decision to proceed with the payment without verifying the banking details.
Key factors considered by the Court included:
- The rampant nature of cybercrime, which necessitates rigorous steps to verify banking details.
- The long-standing relationship between the parties, during which the same bank account had always been used, requiring heightened diligence.
- The substantial amount in question, warranting greater caution.
- The email address used by the fraudster was similar, though not identical, to the Applicant’s actual address—something the Respondent should have noticed.
- The Respondent failed to take any steps to confirm the authenticity of the updated banking details.
Conclusion
The Court ultimately ruled against the Respondent. This judgment reaffirms that the debtor bears the onus of ensuring that payments are made to the correct and legitimate banking account. It serves as a reminder to businesses that even long-standing relationships do not eliminate the risk of cybercrime, which often exploits trust and routine.
As emphasized in similar cases, a single phone call to verify banking details could save a business millions of rands. Vigilance and basic verification processes remain critical in preventing cybercrime losses.