A Supreme Court of Appeal judgment this week went against the buyer of a home who unwittingly paid R5.5m into the bank account of a fraudster instead of that of a law firm.

Before you pay an invoice via EFT, call the company after sourcing the number from a Google search to confirm their banking details are the same as those on the invoice.

This is crucial advice as there’s a fairly good chance a fraudster intercepted the e-mail, opened the invoice attachment, deleted the company’s banking details and inserted their own.

The official term for this form of cybercrime is business e-mail compromise (BEC). If you pay the invoiced amount without checking, your money could land up in a fraudster’s bank account, never to be retrieved, and you will continue to owe the legitimate service provider.

The chances of the company being held legally liable for your loss have significantly diminished with this week’s Supreme Court of Appeal (SCA) judgment, which went against the buyer of a home who unwittingly paid R5.5m into the bank account of a fraudster instead of that of law firm Edward Nathan Sonnenberg (ENS).


Six months ago a Johannesburg high court judge ruled ENS must pay Judith Hawarden her R5.5m loss, plus interest and her legal costs, having ruled the firm was to blame for the fact that she fell victim to BEC. However, on Monday the SCA came to the opposite conclusion, upholding ENS’ appeal against the judgment.

The SCA dismissed Hawarden’s claim with costs, including that of two counsel.

In May 2019, Hawarden bought a residential property for R6m, requiring her to pay a deposit of R500,000 into the trust account of estate agency Pam Golding Properties.

She received a request from the estate agent via e-mail, enclosing their banking details, together with advice to verify their banking details via phone before making payment, which she did.

Three months later, ENS, appointed to handle the transfer and registration of the property into Hawarden’s name, began e-mailing her about payment of the balance of the R5.5m purchase price into the firm’s trust account.

The firm e-mailed her their banking details, but unbeknown to both parties, Hawarden's e-mail account had been compromised by a cybercriminal days earlier.

The e-mails between her and the law firm were intercepted by the cybercriminal, who opened the invoice attachment and replaced ENS’ banking details with their own. That’s how Hawarden unwittingly paid R5.5m to the fraudster instead of ENS.

She later started legal proceedings against ENS, arguing the firm owed her a legal duty of care to warn her of the dangers of BEC and to advise her on the ways to avoid falling victim to e-mail compromise.

The high court had held ENS liable for the pure economic loss suffered by Hawarden based on an omission. Her legal team had argued the firm sent her their account details in an unprotected e-mail, which could easily be manipulated, and failed to safely communicate them by other means, for example by phone.

“But for the negligent transmission of its account details and failure to warn Hawarden upfront of the inherent danger of business e-mail compromise, she would not have suffered the loss,” the judge found.

The SCA, however, this week found South Africa’s common law does not generally render people liable for the loss they have caused others by omission.

The apex court found the loss did not occur as a result of any failing of the law firm's system but as a result of Hawarden’s e-mail account having been compromised.

Hawarden was aware of the risk of BEC, the court said, as Pam Golding Properties had informed her about it three months earlier.

She had options available to her to verify ENS’s banking details, but she failed to take reasonable steps to do so.

Hawarden was obliged to take responsibility for her failure to protect herself, the SCA said, and the court found no reason to shift the responsibility for her loss to ENS.

The R5.5m loss remains Hawarden’s to bear, including the fees she paid her two legal counsel.

This is a wake-up call for all of us who receive invoices from service providers or conveyancing attorneys by means of an attachment in an e-mail.

Do not pay until you’ve verified the banking details. This means phoning the company, after sourcing the number from somewhere other than the e-mail, to check the bank details in the e-mail are those of the company. Delay payment until you are able to make the call.

Protect yourself from e-mails being compromised:

Risk reduction:

While cybercriminals are intercepting invoices sent by all forms of service providers, conveyancing attorneys are a favourite target because of the large sums of money moving into and out of their trust accounts.

However, with the adoption of prevention measures the incidence of successful BEC with conveyancing attorneys has dramatically reduced from 20 a month in 2016 to around five per quarter on average.

The latest statistics show that in the six months from October last year to March this year, eight law firms lodged claims totalling about R7.7m.

Total losses claimed since July 2016, when the Legal Practitioners Indemnity Insurance Fund excluded cybercrime from cover, were more than R175m.

The Financial Advisory and Intermediary Services ombud, which mediates disputes between insurance clients and their brokers, has issued a warning about BEC.

“(This office) has been receiving many complaints related to phishing incidents, particularly involving e-mail interceptions between the complainant and their broker, which often result in fraudulent payments made to impostors.”

In one case involving a storm damage claim, a cybercriminal hacked into the insured’s e-mail account and sent an agreement of loss form to the broker instructing them to pay the R52,495 settlement amount to an alternative bank account.

The ombud office’s advice to financial advisers and consumers includes:

  • Create strong and unique passwords for your e-mail accounts and other online platforms. Avoid using easily guessable information such as your name or birthdate.
  • Keep your devices and security software up to date to protect against known vulnerabilities and malware.
  • Implement strict verification procedures for any changes in customer information or payment instructions. This can include confirming such requests through phone calls or in-person meetings.
  • Look out for unusual e-mail addresses, grammar errors and unexpected attachments or links in your correspondence with the complainant.

• GET IN TOUCH: You can contact Wendy Knowler for advice with your consumer issues via e-mail: consumer@knowler.co.za or on Twitter: @wendyknowler.

