The judgments on email fraud point to the need for a more secure relationship between law firms and clients, but also have immediate ramifications for anyone using online banking.
Two new court decisions have made it clear that changes must be made to the way confidential details like bank account numbers are handled between conveyancers and clients, particularly where large sums of money are involved in the buying and selling of property. Thieves are developing increasingly sophisticated ways to target funds being moved to pay for property transactions, and there can be huge losses when money is deposited into fraudsters’ accounts. The two new decisions make it clear that the courts will hold the conveyancing firms liable for the lost funds if they haven’t taken proper care to ensure payments can be made safely. But it’s not just conveyancing departments and legal firms generally – the two judgments show how every single person who makes payments via the internet is also a potential target of fraudsters and should urgently adopt strategies to ensure their transactions are safe.
Read Hawarden v ENS judgment
http://www.saflii.org/za/cases/ZAGPJHC/2023/14.html
Read Hartog v Daly judgment
http://www.saflii.org/za/cases/ZAGPJHC/2023/40.html
Two new judgments both deal with thieves who intercepted funds on their way to or from a legal firm. Both concern conveyancing work related to property transfers. Both decisions were delivered by the High Court in Johannesburg in January 2023. They relate to conveyancing transactions in the Johannesburg area approximately five years ago, but it’s not unlikely that similar problems have been experienced in other provinces as well – and that frauds like these are continuing.
Red flags for attorneys and clients
Clearly, this is an ongoing problem, and the two cases should be red flags for both attorneys and their clients: who might be the next victim of what is now being termed “business email compromise” (BEC)?
In both these decisions the courts come out strongly on the duties of a legal firm towards the person whose funds they are handling. The judgments make clear that there is a significant responsibility on companies that deal with money from members of the public to make themselves aware of the dangers posed by fraudsters, and to protect themselves and their clients.
Intercepted emails
The basic story in the two cases is similar, though the detail differs.
In the first case, the client transferred R5.5 million into what she thought was the bank account of the legal firm handling the conveyancing of the property she was buying. However, thieves had intercepted emails from the law firm that stipulated the correct bank account details for payment, and they had sent an altered email to the client, replacing the firm’s bank details with those of the fraudster. The buyer thus unwittingly paid the funds directly to the thief’s bank account.
The court held that the firm had a duty to have raised the existence of such scammers with the client and to have explained what steps the company had in place to minimise that risk.
Altered bank account details
In the second case, the conveyancing attorney wanted to transfer the proceeds of the sale to the seller, but the emails confirming the bank account details of the seller were intercepted and altered, and once again, payment was made by the attorney directly into the thief’s bank account rather than into the correct bank account of the seller. This time, however, the payment that went astray was made by the law firm to the seller.
The clients in this second case sued the law firm for the loss of the funds. When the court found in favour of the clients, the law firm appealed, and the new decision is a judgment of a full bench (three judges) of the High Court.
Experts have ruled out the possibility that the emails were altered on the computers of the law firms or the clients. Instead, according to expert evidence, the fraudsters hack emails after they have been sent but before they are received by the intended recipient.
Exchange of messages
In both cases, there was an exchange of messages in the days leading up to the funds being transferred, and it was these emailed messages that were “doctored” by the thieves to change the bank account details and to make it more difficult for the clients and law firms involved to spot what had happened, even afterwards.
Online frauds such as these have been around for a while, but from the evidence given in the trial, it turns out that many, perhaps even most, law firms (and other kinds of firms that handle large accounts) have not yet adopted any, let alone adequate, systems to protect themselves and their clients.
The crucial lesson had not yet been learnt at the time of these two frauds, and that crucial lesson is never to send bank account details via email. And no, not even a PDF attached to an email is safe, because it, too, may be hacked.
Shockingly lax
There was evidence before Judge Phanuel Mudau, who heard the first case, about the state of security in law firms during 2019 (when the fraud took place). Security was shockingly lax, and what was especially worrying in retrospect was the practice, which all the expert witnesses agreed was highly dangerous, of sending a firm’s banking details to others by email.
The court commented, “It is indeed so that the… evidence shows it was a near-universal practice for conveyancers, and indeed for other businesses, to send their banking details to others by email… It does not absolve the attorney of its unsafe behaviour, which it knew at the time was unsafe and knew to take precautions against. It is not as if the legal firm did not know better.”
Judge Mudau added that the client’s case established clearly that sending bank details by email is inherently dangerous and “so must either be avoided in favour of secure methods, or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings that are securely communicated.”
Effective technologies
The parties’ experts agreed that email is not secure, and that secure portals were available in 2019 and would have averted the fraud.
“Accordingly, the fact that large legal firms chose not to use effective technologies and measures that were available and were used by smaller conveyancers does not avail them in making a ‘common practice’ argument.”
Another important point made by the judge was that the buyer (the woman who, unknowingly, paid the purchase price of the property into the fraudster’s bank account) was not a client of the law firm doing the conveyancing of the property. The client would have been the seller, and the fraud was perpetrated on the buyer. Though some might therefore conclude that the law firm did not have a particular duty to worry about the safety of her funds, the judge had other views: she may not have been a client, but she was “still in the care of the law firm and vulnerable to risk.”
Due care
The judge held that the firm was at fault “on the basis of negligent conduct.” The firm was an “expert conveyancer”, responsible, in this case, for “facilitating and managing the transaction.” He held that it should have been done with due care.
In the second case, which concerned an attorney who paid the money due to the seller into a fraudster’s bank account, the court heard evidence that suggests how carefully the fraudsters plan, and how long in advance they begin to put their plans into operation.
A “Mr Simelane” had opened an account at Standard Bank, Volksrust, on 7 May 2018, sometime before payment from the attorney to the seller was due. Simelane’s application was duly subjected to the FICA process of verification. He produced proof of residence, and copies of all the needed documents were uploaded to the Standard Bank computer. Everything looked quite normal.
“There was no reason to suspect that the account was going to be used for fraudulent purposes,” the court notes.
Doctored version of the original email
On 14 June 2018, well over a month later, the attorney received an email purporting to be from the seller, with details of the account into which almost R1.5 million was to be transferred. It was, as the attorney was later to discover, a doctored version of the original email, and it replaced the correct details with those of “Simelane.”
The attorney duly followed the instructions in the altered email and put the funds into Simelane’s bank account. Quite clearly, the attorney believed that the email he had received was from the seller and that the bank account details contained in that email were those of the seller, but they were not.
The next day, most of the money was withdrawn from his account by “Simelane,” and he then vanished.
Verification procedures
In another important finding, the court held that Standard Bank was not ordinarily obliged to ensure that the account name on the EFT instruction matched the name of the holder of the account into which the funds were paid. In other words, where banks follow the correct verification procedures (as Standard Bank did in setting up Simelane’s account), they cannot be held responsible when funds go missing in fraudulent transactions such as this.
Although some banks offer an account verification facility, it is not a standard feature, and a client would have to specify and pay extra for it.
Some readers may feel the courts have been unduly harsh on the law firms involved in these cases, who must now pay back large sums of money.
Consumers’ rights
The judges have been firm that the attorneys are legal and conveyancing experts who know, or who ought to know, that it is extremely unsafe to send or receive bank account numbers via email and that they should have put systems in place to prevent this from happening.
That is where clients, as good consumers, should know and understand their rights. They should ask their conveyancing team questions about the precautions the firm takes to avoid such scams from the start, and ensure that they understand and believe these precautions are adequate.
However, clients, and anyone else who uses the internet for payment, should benefit from the wake-up call provided by these two cases. If you are paying a creditor online for the first time, you have to ensure that the bank account details the company sent you via the internet are correct. Make a call to confirm. If you receive a notice that the company’s bank account details have changed, do not fall for it – contact the company by phone to make sure. You might be extremely glad you did.
Conclusion
Fraudsters (cyber criminals and email hackers) have become increasingly skilled (or, rather, deceitful) at intercepting emails and forging the proof of bank account details. Legal firms are under constant “attack” from these fraudsters. The risk of cybercrime has become so high that insurance companies are reluctant to insure losses resulting from it.
The staff of Herold Gie Attorneys undergoes regular training to understand the methods used by the fraudsters and to remain vigilant.
Herold Gie Attorneys insist that clients verify our firm’s trust account details telephonically before any payment is made. Our firm is an approved beneficiary on the internet banking platforms of many banks.
Herold Gie Attorneys will not accept a change of bank account details from the seller, purchaser, or any third party unless the party is in person and signs an original wet ink “authority” at our offices to change such bank account details.
Nowadays, attorneys prefer to communicate their trust account details to purchasers, sellers, and all other third parties engaging with the firm via secure online platforms and/or apps where the parties can only access trust account details with a personal password.
Fraudsters regularly change their tactics to defraud legal firms or their clients. For example, recently, fraudsters called conveyancing attorneys a day or two before the anticipated transfer registration. The fraudster would pretend to be the seller, advise the attorney that he had closed his previous bank account, and instruct that the proceeds of the sale be paid into a new bank account (which belongs to the fraudster).
Regrettably, fraud and corruption are an ugly reality in our country and society at large. We have learnt to treat all communications with clients and other third parties (whether telephonically or via email) with extreme caution and suspicion in an effort to stay one step ahead of the fraudsters. We constantly educate our clients to do the same.