
Think twice before emailing banking details

17 February 2023 Myra Knoesen
Anri Dippenaar, Head of Compliance at Masthead

In today’s digital age, the risk of becoming a victim of cybercrime is fast becoming a reality for many. FAnews received the press release below, which we thought would be of interest to our readers since banking details are emailed daily in our industry.

Anri Dippenaar, Head of Compliance at Masthead said it’s common practice in many industries to send banking details via email. But if you’re familiar with the recent Johannesburg High Court ruling that ordered a local law firm to pay a cybercrime victim R5,5 million – plus interest – and punitive legal costs, you might think twice before hitting the send button.

On 16 January 2023, Judge Phanuel Mudau ruled in favour of Judith Hawarden, who took law firm ENSafrica to court after she paid R5,5 million into what she believed was the firm’s trust account. Unbeknown to Hawarden, her email account had been hacked. This allowed the cybercriminals to intercept emails from ENS and change the firm’s banking details to their own.

How the crime took place

According to the judgment, Hawarden put in an offer to purchase a house in Forest Town, Johannesburg, for R6 million in 2019. She paid the R500 000 deposit directly to the estate agency, and the seller of the Forest Town property hired ENS to act as the conveyancer.

Hawarden later received an email from a conveyancing secretary in the firm’s property division. It detailed what was needed from Hawarden for the sale to go through, plus an attached letter setting out the bank guarantee requirements. This email, however, was fraudulent – the hackers had intercepted the secretary’s genuine email and changed the firm’s account details to their own.

In response to the email, Hawarden called the secretary to ask if she could transfer the funds directly to ENS if her bank couldn’t furnish the guarantees by the date mentioned in the forged email. The secretary said this could be done, and that she would send Hawarden a document from FNB providing ENS’ bank account number. Later that day, Hawarden received an email with the firm’s account details, as confirmed by FNB. However, Hawarden did not notice that the word ‘africa’ in the email address @ensafrica.com was spelt ‘afirca’.

Additional emails were also intercepted between ENS and Hawarden, including one that contained several warnings regarding ‘business email compromise’ (BEC). According to Microsoft Security, BEC is when hackers use email to trick people into paying money into their accounts or divulging sensitive information. This email was sent only after Hawarden had made the payment but before the fraud was discovered.

By the time she became aware of the fraud, the funds had already been withdrawn from the hackers’ account and couldn’t be retrieved.

Despite the discovery of the crime, ENS asked Hawarden to make the payment to secure the sale. Hawarden and the law firm failed to resolve the issue, which led to her taking legal action against them.

The court case

Hawarden’s legal team argued that ENS should have properly warned her about the danger and prevalence of BEC in the conveyancing industry before she made any payments to them, and that it should have communicated its bank details through more secure means. The firm should have done more to protect her against the risk of loss, such as asking her to verify the account details. In addition, its account information should have been loaded on online banking systems, instead of being sent as a PDF document attached to an unprotected email. Also, the firm didn’t warn her that a direct transfer was a riskier option than payment by bank guarantee.

ENS’ legal team, on the other hand, stated that Hawarden herself had been negligent in not confirming the account details, and that it is generally the responsibility of the person making the payment to verify the account details.

ENS also stated that if they were found liable, the ripple effect of the judgment would extend to “all businesses who send their invoices, with their banking details, to their clients by email, which is a near-universal practice for all firms and indeed all businesses to do so”.

Judge Mudau said the fact that it was common practice for businesses to use email to send their banking details did not absolve ENS of its “unsafe behaviour, which it knew at the time was unsafe and knew to take precautions against. It is not as if the defendant didn’t know better.”

He added that the cybersecurity experts who testified in court agreed that email is not secure, that PDF documents can be manipulated, and several cybersecurity measures were available at the time which “would have averted the fraud”.

“In my view, the plaintiff’s case established clearly that sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated,” he explained.

“ENS was at fault on the basis of negligent conduct. The defendant [ENS] was an expert conveyancer and was facilitating and managing the transaction. Under these overall circumstances, it is not overly burdensome or unreasonable to impose liability on ENS.”

A precedent for businesses

The judgment could be overturned if ENS appeals; for now, however, it sets a precedent applicable to all businesses that use email to send banking details.

This case also puts a spotlight on the prevalence of cybercrime in South Africa, as well as how sophisticated hackers have become. According to a report by iDefence, an Accenture security intelligence company, South Africa saw a spike in cyberattacks on all fronts in 2019. The report also noted that when it comes to cyber threats, “South African internet users are inexperienced and less technically alert than users in other nations”.

If you run a business, it is risky to send invoices and communicate your banking details via email. You should consider other, safer means to communicate sensitive information. Business owners who find themselves in a similar situation to ENS may be liable for any monetary loss caused by cybercrime, as well as for serious reputational damage. A lack of trust in your business could curtail client growth and retention and ultimately your business’ profitability and sustainability.

Here are six measures business owners can take to avoid becoming a victim of cybercrime:

  1. Educate yourself and your employees

You and your staff need to take the time to learn about the different types of cybercrimes and how hackers operate. The judgment revealed inadequate awareness of BEC amongst ENS’ staff.

Do you and your staff know how to spot a phishing email, or that you should only use trusted Wi-Fi networks? Do you know how to verify the authenticity of a website? Is your antivirus software up to date? Masthead has written articles on these topics to educate business owners, including, ‘Cybersecurity is everyone’s responsibility – how to protect ourselves and each other online’ and ‘Tips to mitigate cybercrime risk’.

You and your staff can also attend courses on cybersecurity. For instance, Masthead offers several online courses that can help you and your employees be more equipped to identify and avoid cyberattacks, and to understand the responsibilities and impact of cybercrime on businesses and clients.

  2. Educate your clients

Speak to your clients about the threat of cybercrime and BEC. Even if your cybersecurity measures are up to scratch, theirs might not be. They need to be aware of the verification and security processes you have in place.

  3. Scrutinise email requests from clients

As the case between Hawarden and ENS illustrates, hackers can quite easily intercept and alter emails, including PDF documents. If you receive instructions from a client via email, call them to verify their request. Also check the email address as well as the banking account details mentioned in the email – are they the same as what you have on file for your client?

Implementing these additional steps may also be required by a Personal Indemnity (PI) insurer before it will pay out claims relating to cybersecurity. Your employees also need to be aware of, and follow, your verification processes when receiving requests from clients.

It is important to contact your PI insurer to find out what their exact requirements are regarding instructions from clients.

  4. Click with caution

Most people know not to click on links in email messages from strangers, but also be wary of unexpected requests from people you know. Hackers can pretend to be someone by slightly altering their email address to look similar to that of an acquaintance or a colleague’s email address.

If you click on a harmful link, immediately disconnect your device from the internet by either unplugging your network cable or disconnecting from the Wi-Fi and run a full anti-virus scan. Then, use a different device to change the passwords stored on your device. Wait until the anti-virus scan has successfully completed before using your device again.
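The checks in steps 3 and 4 above (does the sender’s address match what you have on file, and has it been altered slightly to resemble a known contact?) can be automated before a staff member acts on a payment instruction. The following is an added example written for this article, not code from Masthead, ENS or any vendor mentioned here. The directory of known-good domains and the inbound sample addresses are constructed; only `ensafrica.com` and the misspelt `ensafirca.com` come from the case described above. It flags the exact kind of transposition that Hawarden missed, along with near-matches and domains containing non-ASCII look-alike characters, so that a telephone verification can be forced before funds move.

```python
"""Screen an inbound sender address against the domains a firm has on file.

Added example for this article; not the firm's or any vendor's code.
KNOWN_DOMAINS and the sample addresses below are constructed. The only
real-world strings are 'ensafrica.com' and the misspelling 'ensafirca.com'
quoted in the judgment discussed in the article.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed directory (assumption): domains verified out of band, e.g. by a
# phone call to a number already on file, never from the email itself.
KNOWN_DOMAINS = {"ensafrica.com", "example-bank.co.za"}


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain of 'name@host' or 'Name <name@host>'."""
    addr = addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {addr!r}")
    # NFKC folds presentation forms (e.g. full-width letters) to their
    # plain equivalents; it does NOT fold Cyrillic/Greek look-alikes, which
    # is why classify() also checks for non-ASCII below.
    return unicodedata.normalize("NFKC", addr.lower()).rsplit("@", 1)[1]


def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by one pair of adjacent characters swapped,
    which is exactly 'africa' vs 'afirca'."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (
        len(diffs) == 2
        and diffs[1] == diffs[0] + 1
        and a[diffs[0]] == b[diffs[1]]
        and a[diffs[1]] == b[diffs[0]]
    )


def classify(addr: str, known=KNOWN_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain.

    'lookalike' means the domain is not on file but resembles one that is:
    a transposition, a high string similarity, or non-ASCII characters in a
    domain whose ASCII counterparts are on file. Anything other than 'known'
    should trigger a phone call before an instruction in the mail is acted on.
    """
    dom = sender_domain(addr)
    if dom in known:
        return "known"
    if not dom.isascii():
        # A domain with e.g. a Cyrillic 'а' can render identically to a
        # known Latin one; treat every non-ASCII domain as suspect.
        return "lookalike"
    for good in known:
        if is_transposition(dom, good):
            return "lookalike"
        if SequenceMatcher(None, dom, good).ratio() >= threshold:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed inbound addresses for a stand-alone run.
    for sample in (
        "Conveyancing Secretary <secretary@ensafrica.com>",
        "secretary@ensafirca.com",
        "secretary@ensafric\u0430.com",  # Cyrillic 'а' in place of Latin 'a'
        "someone@totally-different.org",
    ):
        print(f"{sample:55} -> {classify(sample)}")
```

Because the check runs against a directory the firm maintains itself, a sender who has legitimately changed domains will show as `unknown` until the new domain is verified and added; that friction is the point, since a mail claiming new banking details is precisely the one that must be confirmed by telephone.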

  5. Don’t send sensitive information via email

During the trial, an expert witness in the field of digital forensics and data analytics demonstrated to the court the ease with which an email could be spoofed, adding that email should not be used for “high value business transactions”.

During a joint expert meeting, the expert witnesses agreed that when sharing sensitive information, like bank account details, a secure portal that requires two-factor authentication is a practical alternative to email. An example of two-factor authentication is when a one-time pin is sent to your phone when you log into an account with your username and password.

  6. Utilise email security platforms

The expert witnesses also mentioned available safety technologies that make it more difficult for hackers to spoof email addresses. These email security platforms can verify and check the authenticity of emails before they are delivered to your mailbox, or alert you to the fact that an email might be harmful or carry malicious content. These include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
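SPF and DMARC are published as DNS TXT records on the sending domain, and whether they actually stop a spoofed “ensafrica” mail depends entirely on how they are configured: an SPF record ending in `~all` or a DMARC policy of `p=none` lets a forged sender through for monitoring only. The script below is an added example for this article, not from the witnesses, Masthead or any vendor; it performs no DNS lookups and instead grades three constructed record sets (the `weak.example`, `strong.example` and `open.example` domains and their records are made up) the way a mail administrator or auditor would read the real ones. DKIM is omitted because verifying it requires the signed message and its public key, not just a policy record.

```python
"""Grade the SPF and DMARC TXT records a domain publishes.

Added example for this article. The three domains and their records are
constructed stand-ins for what a resolver would return for a domain's
'v=spf1' TXT record and its '_dmarc.<domain>' TXT record; no lookups occur.
"""
from typing import Dict, List, Optional

SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {  # constructed
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc@strong.example; adkim=s; aspf=s"),
    },
    "open.example": {
        "spf": "v=spf1 +all",
        "dmarc": "",  # no _dmarc record published at all
    },
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; {} if absent/not DMARC."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on SPF's terminal 'all' mechanism: '-' (fail),
    '~' (softfail), '?' (neutral) or '+' (pass). None if there is no SPF
    record or no 'all' term, in which case unlisted senders get 'neutral'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t in ("all", "+all"):
            return "+"
        if t in ("-all", "~all", "?all"):
            return t[0]
    return None


def grade(domain: str, records=SAMPLE_RECORDS) -> List[str]:
    """Return the findings an administrator should act on; [] means enforcing."""
    findings: List[str] = []
    qualifier = spf_all_qualifier(records[domain]["spf"])
    if qualifier is None:
        findings.append("no SPF record or no terminal 'all' mechanism")
    elif qualifier == "+":
        findings.append("SPF '+all' authorises every host to send as this domain")
    elif qualifier in ("~", "?"):
        findings.append(f"SPF '{qualifier}all' does not hard-fail unauthorised senders")

    dmarc = parse_dmarc(records[domain]["dmarc"])
    if not dmarc:
        findings.append("no DMARC record: receivers are never told to reject spoofed mail")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine sends spoofed mail to spam instead of rejecting it")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so no aggregate reports will arrive")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, "->", grade(name) or ["enforcing SPF and DMARC"])
```

A domain that grades clean here still only protects against forgery of its own name; it does nothing about a look-alike domain registered by the attacker, which is why the sender-verification step earlier in this list is needed alongside it.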

Cybercrime is on the rise – both worldwide and in South Africa – and hackers are using more sophisticated methods to trick people. However, by educating yourself and taking the necessary precautionary measures, you can better protect yourself, your business and your clients from cybercriminals.

Writer’s Thoughts:
Sending bank details by email is dangerous. Judge Mudau said the fact that it was common practice for businesses to use email to send their banking details did not absolve ENS of its “unsafe behaviour, which it knew at the time was unsafe and knew to take precautions against.” Do you believe ENS was at fault on the basis of negligent conduct? If you have any questions please comment below, interact with us on Twitter at @fanews_online or email me - myra@fanews.co.za

Comments

Added by MARIA FAGUNDES, 16 Feb 2024
Unfortunately we are in the same situation. The same thing happened to us in September 2022. The banks and attorneys involved aren't taking responsibility. The police have done nothing. The culprit was apprehended at the airport in December 2023; he is sitting in jail but he is a flight risk, waiting for bail. Where do we go from here? We don't have a clue what the next step is. The investigating officer has so many cases but is not focusing on ours. Any suggestions are welcome.
Added by CA , 20 Feb 2023
It is a hard one to judge who was at fault. We are all so busy trying to do our business that we miss small things like an error in the email address.

I had a case where a client's email address was hacked and I was receiving emails from his CORRECT address, but it was from a cybercrook. We were very fortunate that someone at the asset manager called the client and the money wasn't transferred. A very big lesson was learnt that day! It is very scary that this can be done to a company the size of ENS.
Would your PI even cover this?
Added by Cynical Simon, 17 Feb 2023
I never thought I would see the day that honest, hard-working business people would be held accountable for the criminal acts of street scum.
What has happened to, and where was, the causal connection; the uninterrupted chain of events?
I have it on good authority that this verdict will turn in the SCA, AND so it should.
