Cybercriminals intercepting emails to change the bank details on invoices or other documents is a trend in recent years. The law in these circumstances places a responsibility on the person making the payment to ensure that payment is made to the correct bank account. This article discusses principles extracted from recent case law in relation to liability in these instances.

People and companies making payment into incorrect bank accounts due to fraudulent emails are an unfortunate consequence of increased cybercrime. Law firms, particularly those who act as conveyancers, have become targets of this type of cybercrime. Conveyancers receive the purchase price of property into their trust account pending transfer of the property and cybercriminals aim to diverted payment of the purchase price to another bank account.

In this month alone two High Court judgements were handed down in which the purchase price of property in a sale transaction was paid into the incorrect bank account instead of the conveyancer’s bank account due to cybercrime. These two cases are Gripper & Company (Pty) Ltd v Ganedhi Trading Enterprises CC and Ross and Another v Nedbank Limited. The full descriptions and links to these cases are at the end of this article.  

The disputes which arise are about who should bear the consequences of the cybercrime. Debtors seek to place the blame on creditors for not securing their emails or on banks for not preventing loss due to fraudulent activities. Creditors on the other hand argue that they did not present the correct information.

The courts have had to decide whether a debtor relying on a fraudulent email or document was reasonable. The court in each matter will take into account the facts of that matter to answer this question but the following principles can be extracted:

1.     The general principle in our law is that the debtor must seek out the creditor and until payment is duly made, the debtor carries the risk that the payment may be diverted.

2.     A person making use of computer-based methods of communication and payment in business is deemed to be aware that cybercrime is rampant. Businesspeople are expected to take care and implement systems that limit the impact of cybercrime in general. This is particularly the case in South Africa where crime is rampant.

3.     Where invoiced amounts are significant, the responsibility to ensure that payment is made into the correct bank account is amplified.

4.     Email addresses requesting payment must be closely examined. It is often the case that emails come from similar email addresses but for example letters in the address are left out or changed.

5.     The court will consider whether the proximate cause of the incorrect payment was negligence by the creditor or the bank to secure its systems or failure by the debtor to be prudent in making payment.

6.     In determining proximate cause, the court will take into account whether or not the debtor took any steps to verify or confirm the bank account details before making payment.

7.     The debtor cannot use the bank’s FICA obligations to hold the bank accountable for failing to monitor bank accounts. The Act does not give rise to liability to individuals, it creates obligations to the government. The bank owes a duty to the state to comply with its FICA obligations, not to third parties.

Therefore, it is important for the debtor to ensure that payment reaches the right person or entity. A simple telephone call could suffice to confirm the bank account details. It is probable that a telephone call that reaches the creditor would either cause the creditor to alert a debtor to the fraud or cause the creditor to confirm the bank account details. Such confirmation from the creditor, if incorrect and negligent, could contribute to a conclusion that a debtor has fulfilled its obligations, and the risk has passed to the creditor in that the creditor presented false information.

Each matter must be considered on its own facts, but the courts have tended to scrutinise the conduct of the debtor. It is therefore important to take all reasonable steps to ensure that every payment is made into the right bank account. In general, the person or entity making a payment is required to take steps that a prudent debtor would have taken in the circumstances.

The description and links to the cases mentioned in this article are:

Gripper & Company (Pty) Ltd v Ganedhi Trading Enterprises CC (4725/2024) [2024] ZAWCHC 352 (6 November 2024). Link: https://www.saflii.org/za/cases/ZAWCHC/2024/352.html

Ross and Another v Nedbank Limited (10029/2020) [2024] ZAGPJHC 1146 (8 November 2024). Link: https://www.saflii.org/za/cases/ZAGPJHC/2024/1146.html

This article does not constitute legal advice nor replace the need to seek advice. It also does not contain all the information relevant to the subject matter. Each situation is different and must be evaluated on its own merits. For advice on related matters, our contact details are below.