One Call, Millions Saved: The Surge of Cyber Law Cases

Introduction

The Western Cape High Court recently delivered judgment in yet another cybercrime incident. These cases have been growing rapidly, signalling a surge in cybercriminal activities. One might have expected a decline in such incidents, given the legal precedents addressing them, but this has not been the case.

Facts

The parties involved in the case had been doing business together since 2014, with the Applicant consistently using the same banking details throughout their relationship. In October 2021 (although it seems the judgment erroneously recorded the year, as subsequent events occurred earlier in 2021), the parties entered into a sale agreement for valves. The Respondent was to pay the capital amount of R886,726.25 on a later agreed-upon date, although delivery was promptly completed.

At some point, a third party intercepted email communications between the parties and sent an email to the Respondent, purporting to notify them of a change in the Applicant’s banking details—from one reputable bank to a completely different reputable bank. Further fraudulent emails from the third party, including one purportedly confirming the updated banking details, were also sent.

On the agreed payment date, the Respondent proceeded to pay the amount into the fraudulent account provided by the third party without taking steps to verify the legitimacy of the change. The Respondent did not even make a phone call to confirm the details. When the Applicant followed up on the payment after noticing its absence, the Respondent realized it had fallen victim to cybercrime.

Discussion

The Respondent appeared unrepresented during the hearing, although the outcome would likely have been the same even with legal representation. The lack of representation did not significantly prejudice the Respondent in this case.

The Respondent argued that the Applicant was to blame for the email interception, submitting an expert report that confirmed its own systems had not been compromised. The Respondent contended that the Applicant’s negligence allowed the third party to intercept the emails. However, the Applicant, in its founding papers, had already stated that its security systems were not compromised.

The Court referred to established case law, which reaffirms the legal principle that “…it is the debtor’s obligation to seek out his creditor and that until payment is duly effected, the debtor carries the risk that the payment may be misappropriated or mislaid.”

The Court found that the Respondent acted at its own risk by failing to verify the change in banking details. A simple phone call could have prevented the loss. The Court further held that the interception of the email systems was not the proximate cause of the loss. Instead, the loss was caused by the Respondent’s decision to proceed with the payment without verifying the banking details.

Key factors considered by the Court included:

  • The rampant nature of cybercrime, which necessitates rigorous steps to verify banking details.
  • The long-standing relationship between the parties, during which the same bank account had always been used, requiring heightened diligence.
  • The substantial amount in question, warranting greater caution.
  • The email address used by the fraudster was similar, though not identical, to the Applicant’s actual address—something the Respondent should have noticed.
  • The Respondent failed to take any steps to confirm the authenticity of the updated banking details.

Conclusion

The Court ultimately ruled against the Respondent. This judgment reaffirms that the debtor bears the onus of ensuring that payments are made to the correct and legitimate banking account. It serves as a reminder to businesses that even long-standing relationships do not eliminate the risk of cybercrime, which often exploits trust and routine.

As emphasized in similar cases, a single phone call to verify banking details could save a business millions of rands. Vigilance and basic verification processes remain critical in preventing cybercrime losses.

View Related Blogs
View All
news

Exclusion Clauses in Claims-Made Policies: What Insurers Need to Know

Claims-made policies in professional indemnity insurance often include prior exclusion clauses, which serve to limit the insurer’s liability for claims arising from circumstances that occurred o...

Adams NewsInsurance LawJean-Paul Rudd
news

Lessons from the U.S.: Claims-Made Policies and the Importance of Objective Policy Terms Over Subjective Beliefs or Assurances

Can a professional services firm rely on a client’s assurance that they will not pursue legal action to avoid notifying its claims-made professional liability insurer of a potential claim arising fr...

Adams NewsInsurance LawJean-Paul Rudd
news

Litigation: Pensioner’s Battle: Winning the Argument, Losing the Case

Introduction On 29 November 2024, the Johannesburg High Court delivered judgment in a delictual case where the Plaintiff, a lessee on the Defendant’s premises, sued the Defendant after a gate fe...

Insurance LawMtho Maphumulo