CYBER FRAUD AND BUSINESS EMAIL COMPROMISE: LIABILITY AND DUTIES IN HIGH VALUE TRANSACTIONS
Authored by Tamlyn van der Merwe
In a judgment[1] handed down on 16 January 2023 in the High Court of South Africa, Johannesburg, the court addressed the reality of business email compromise (BEC) and highlighted the duties of parties when requesting payment and making payment in the face of such reality.
WHAT IS BUSINESS EMAIL COMPROMISE (BEC)?
BEC is a type of cybercrime where the scammer uses emails to trick someone into sending money or divulging confidential company information.
BEC fraud occurs when a party is induced via email into paying or effecting a transfer to a scammer. The party who effects payment is led to believe that he is effecting payment to the intended recipient whereas in truth and in fact the intended recipient is not paid but the scammer is paid, to the prejudice of the parties.
Alongside BEC are several other cybercrimes on the rise such as:
- Phishing – this entails sending out an email pretending to request information from the recipient for some legitimate purpose, often taking the form of a request for personal details from the recipient’s bank. [2]
- Spoofing – this is akin to “identity theft” and entails acquiring sufficient personal details to realistically impersonate someone for the purpose of inducing another party into, for example, revealing information and furthering fraudulent activity. [3]
- Hacking – gaining access to data, a system or computer without permission or authorisation.
Cybercrimes such as the ones stated above have been criminalised by the Electronic Communications and Transactions Act 25 of 2002 (ECTA). For example, intentionally accessing or intercepting any data without authority or permission to do so is deemed an offence in terms of section 86(1) of ECTA. Further, computer-related extortion, fraud and forgery are also deemed offences under section 87 of ECTA.
However, perpetrators of a cybercrime are not always identifiable. Consideration is also given to the parties on whom our law places a duty of care to take preventative steps or precautionary measures against the commission of such crimes.
THE MATTER BEFORE THE JOHANNESBURG HIGH COURT
Party A purchased an immovable property from a third-party seller who appointed Party B as the conveyancer of the transaction. Party A elected to make an EFT payment of the balance of the purchase price (R5.5 million) directly into the trust account of Party B, using account details of Party B contained in an unprotected PDF attachment to an email purportedly sent by Party B.
An unknown cyber-criminal hacked the email sent by Party B and altered the account details of Party B to reflect the account details of the cyber-criminal. As a result, Party A unknowingly made payment into the cyber-criminal’s account.
Party A then instituted action proceedings for a delictual claim against Party B for the loss sustained as a result of the cyber fraud.
THE DECISION OF THE HIGH COURT
The High Court, per Judge Mudau, held that Party B, as the conveyancer, owed Party A a legal duty of care in the conveyancing transaction[4] and that Party B had a duty to warn Party A of the risk of BEC and to take the necessary precautions against it.[5] Party B was found to be negligent for transmitting its bank details via email without additional safety measures, which the High Court found to be sufficiently linked to the loss suffered by Party A.[6]
Accordingly, the High Court ordered Party B to pay R5.5 million plus legal costs to Party A.
SHOULD EMAIL ALONE BE USED FOR HIGH VALUE TRANSACTIONS?
The High Court highlighted that sending bank details via email is inherently dangerous.[7] Given the ever-present threats of cyber fraud, businesses and individuals are encouraged to implement additional precautionary measures against BEC, especially for high value business transactions. Expert witnesses in the case confirmed the existence of mitigating technologies available at the time that the BEC occurred. Businesses and individuals that are party to high value transactions ought to consider the following measures mentioned in the judgment:
- Verifying bank details telephonically or in person;
- Using a secure portal that requires two-factor authentication;
- Using password-protected PDFs to prevent the manipulation of the PDF;
- For conveyancing purposes, using technological products such as LexisTracker and SecureChat to communicate bank details; and
- Inserting email disclaimers to raise awareness of BEC.
For the latest developments on this topic, please view our latest article by clicking here https://rhkattorneys.co.za/2025/05/14/email-interception-and-erroneous-payments-an-avoidable-calamity/
[1] 2023 (4) SA 152 (GJ) (16 January 2023).
[2] Eiselen et al Information and Communications Technology Law, 2nd Edition, Chapter 4: Criminal Law page 69.
[3] Eiselen et al Information and Communications Technology Law, 2nd Edition, Chapter 4: Criminal Law page 69.
[4] 2023 (4) SA 152 (GJ) (16 January 2023) at par 108.
[5] 2023 (4) SA 152 (GJ) (16 January 2023) at par 122.
[6] 2023 (4) SA 152 (GJ) (16 January 2023) at par 129.
[7] 2023 (4) SA 152 (GJ) (16 January 2023) at par 127.