Appeal court overturns cyber crime ruling

This is a clear message to verify bank account details before paying

By Tania Broughton

10 June 2024

Photo of SCA

The Supreme Court of Appeal has overturned a High Court ruling finding that leading law firm Edward Nathan Sonnenbergs was liable to pay a woman R5.5-million stolen by fraudsters who manipulated emails sent from the firm. Photo: Ben Bezuidenhout via Wikimedia (CC BY-SA 4.0)

The Supreme Court of Appeal (SCA) has overturned a High Court ruling that had found leading law firm Edward Nathan Sonnenbergs (ENS) liable to pay a woman R5.5-million stolen by fraudsters who manipulated emails sent from the firm.

In an unanimous decision, the appeal court said the liability finding by Gauteng High Court Judge Phanuel Mudau in the case brought by Judith Hawarden would have “profound implications”, not just for the attorney’s profession, but all creditors who send their bank details by email to their debtors.

Acting Judge Fathima Dawood, who penned the judgment, said the High Court’s reasoning that all creditors in the position of ENS owed a legal duty to their debtors to protect them from the possibility of their accounts being hacked, was untenable.

Read the SCA judgment
Read the GroundUp report on the High Court ruling

Because Hawarden’s case rested on pure economic loss, extending liability created a real danger of unpredictable, indeterminate liability.

Judge Dawood said Hawarden could have avoided the risk by verifying ENS’s account details, because she had previously been made aware of the risks of Business Email Compromise (BEC) fraud by the estate agency handling her property deal.

She had also elected to not pay ENS through a bank guarantee but through a cash transfer.

“She must in the circumstances take responsibility to protect herself against a known risk,” Judge Dawood said, upholding the appeal by ENS.

The court also set aside a punitive cost order against the law firm and instead ordered Hawarden to pay ENS’s costs.

The case centred around an email Hawarden received from what she thought was the law firm. The email contained details of the account into which she then paid R5.5-million. This was the balance of money owed for the purchase of a property in Forest Town, Johannesburg.

ENS had been appointed by the seller as the conveyancer.

But it emerged that the email had been sent by fraudsters, who then stole the money. Hawarden did not notice that the email had come from ensafirca.com, not ensafrica.com.

In her arguments, Hawarden claimed that ENS owed her a duty of care, and that in corresponding with her, it also had a legal duty to warn her of the danger of BEC, that this was on the increase and that it was already prevalent.

ENS denied liability, claiming that Hawarden herself had been negligent in using an electronic transfer without ensuring that the bank details were correct.

In the High Court, Judge Madau said while Hawarden was not a client of ENS, it owed her a general duty of care. He said ENS conveyed its bank account details to her through an unprotected email which was easily manipulated.

Hawarden, he said, could not be faulted for placing her trust in the firm and the risk of Hawardeen’s loss was “highly foreseeable” by the law firm.

But SCA Judge Dawood said Hawarden’s loss was not caused by ENS or a failure of their systems, but by hackers who infiltrated her email account and fraudulently diverted her payment for ENS into their own account.

Hawarden had been warned by the estate agent, Pam Golding Properties, about this very risk.

She had previously verified Pam Golding’s bank account details and she had not explained why she did not verify ENS’s bank account details.

“Moreover, any warning by ENS of the risk of BEC would have been meaningless, in the circumstances of this case, because by that time the cyber criminal was already embedded in her email account.”

Judge Dawood said there was no reason to shift responsibility for her loss to ENS, and the appeal must succeed.

In the High Court, Judge Madau awarded punitive costs against ENS for breaching Hawarden’s privacy by including irrelevant documents about her divorce and other investments in the court papers.

The SCA has also set this aside, and ordered that Hawarden pay ENS’s costs on a normal scale.