WHO IS HELD RESPONSIBLE FOR PAYMENTS LOST DUE TO CYBERCRIME?

Summary

We have all been exposed to fraudulent emails and phishing schemes demanding payment into a banking account. What happens when you act upon those instructions and make a bona fide payment into the wrong account? Who is held liable when a supplier demands payment for goods and you realise that you have paid into the wrong account? The effect can be devastating for both parties.

Article

This is exactly what happened in Fourie v Van der Spuy and De Jongh Inc. and others. The First Respondent was a law firm and the Second and Third Respondents were practising Attorneys. The Applicant claimed payment of R1 744 599.45 from the Respondents. The First Respondent had a mandate to deal with money paid into Trust by the Applicant. The Second Respondent, upon receiving instructions to make payments via email, paid the money into a banking account belonging to an unknown third party who fraudulently hacked the email server of the Applicant and sent emails to the First Respondent containing the wrong instructions and the wrong banking details.

The Court held that the nature of a trust account imposes very strict obligations on the Trust Attorney and a very high degree of care and skill is required from Attorneys dealing with a client’s Trust account.  The Attorneys could have easily avoided the situation if they acted diligently and verified the banking details before transferring money out of the Trust account. The Court held that they failed to act with the required skill and diligence and were therefore held liable to pay the Applicant.

In another matter, a sales agreement was concluded between the Respondent and a car Dealership. The Respondent transferred the funds for a motor vehicle into a fraudulent account and sent proof of payment to the Dealership. He collected the vehicle soon thereafter. Neither the Applicant nor the Dealership checked that the proof of payment reflected the correct bank account number. The mistake was discovered when the funds did not reflect in the Dealership’s bank account.

The Respondent raised the defence of estoppel. He held that the Dealership’s normal procedure was to release the motor vehicle after receipt of money and not just receipt of the proof of payment. He further held that the Dealership was negligent in that they failed to check that the proof of payment contained the correct banking details, which resulted in a delay that would otherwise have been flagged by the bank and the transaction blocked. Again, the Court decided in favour of the Dealership and held that a Debtor (The Respondent in this case) always bears the duty and risk when payment is due to the creditor.

The new Cybercrimes Act (the Act) might bring some relief to the parties involved. The Act aims to criminalise unlawful access, use and distribution of data and data messages. It will also regulate the power to investigate and adjudicate cybercrimes. Section 8 in particular relates to the above-mentioned cases, where it aims to create statutory offences of Unlawful Access (hacking) and Cyber Fraud. It reads:

“Any person who unlawfully and with the intention to defraud makes a misrepresentation by means of a data or computer program or interference with a data or computer program is guilty of an offence.”

A fine and/or imprisonment of up to 5 years for a conviction of Unlawful Access is possible, and for “Cyber Fraud” the Courts have the discretion to impose a penalty appropriate for convictions under S 276 of the Criminal Procedure Act 51 of 1977.

From the above cases and the many others not mentioned in this article, it is clear that the courts will not be in favour of a party that was deemed to be negligent. It is of paramount importance, when dealing with invoices and payments from an online source, to be vigilant and always have checks in place to reduce the chances of being a victim of cybercrime.

 

References: 

  • Fourie v Van der Spuy and De Jongh Inc and Others (2019) JOL458L8 (GP) 
  • Galactic Auto (Pty) Ltd v Venter (4052/2017) (2019) ZALMPPHC 27
  • Cybercrimes Act 19 of 2020

Powered by Succeedgroup