Reprinted from Mondaq.com, by Mtho Maphumulo – 2024-10-22
Cybercrime remains rife, despite the efforts to combat it. In a recent court case, the court reaffirmed the legal position as to who bears responsibility for payment…
Cybercrime remains rife, despite the efforts to combat it. In a recent court case, the court reaffirmed the legal position as to who bears responsibility for payment where a third-party accesses an email system, changes the banking details, and payment is made into an incorrect account.
In brief, the facts of the matter under discussion are as follows:
Dealer 1 bought a car from Dealer 2. These dealers are dealers of the same car brand. Dealer 2 sent confirmation of banking details to Dealer 1 via email. Unbeknown to Dealer 2, its email system had been accessed by a third-party, who changed the banking details. Dealer 1 proceeded to make payment without taking any steps to verify the account details. It later transpired that the payment was made into the incorrect bank account. Subsequently, Dealer 2 instituted action against Dealer 1 for non-payment of the purchase price.
In this case, it was important that, a few years before the incident, there was a notification to all the dealerships of this car brand warning them of the fraudulent activity of spoofing – whereby criminals access email systems and change banking account details. To guard against such activities, the dealers had a protocol in place which required them to take steps to verify the banking details before making a payment. A principal at each dealership had to approve the payment requests. Therefore, salespersons could not make a payment without getting the principals’ approval. In this case, the salesperson of Dealer 1 did not verify the banking details. Additionally, the principal of Dealer 1, before approving the payment, had asked the salesperson whether she had verified the banking details, who responded affirmatively.
Dealer 1 raised the defence of estoppel* at court and argued that it (Dealer 1) used the banking details received from Dealer 2. After considering a plethora of cases, the court dismissed the defence of estoppel and found in favour of Dealer 2. In arriving at its conclusion, the court considered that all dealerships of this car brand are aware of the ongoing fraudulent activities of this nature. The salesperson who had lied to her principal by saying that she had verified the banking details when she had, in fact, not done so. Dealer 1’s argument that Dealer 2 should have implemented measures to prevent third parties from accessing its email system could not succeed because it (Dealer 1) did not tender any evidence that there were no measures to prevent such activities and/or evidence showing what Dealer 2 should have done to avoid such incidents.
It is apparent that cybercrime will always be part of our lives and our approach, to combat it, will always be reactive. Whilst there are insurance policies purported to cater for such incidents, there are no guarantees that the policy will pay out for the loss suffered. Different insurance policies provide different types of coverage. For example, some only assist with the investigation costs, some specifically exclude coverage for losses resulting from hacking incidents, whereas some only cover a certain percentage of the losses suffered. Potential policyholders need to assess their risks, with the assistance of an underwriter/broker, and take out appropriate cover.
From the above, it is evident that the debtor bears the ultimate responsibility of verifying banking details before making a payment. One pragmatic step of doing this is to make a telephone call to verify the banking details. Potential policyholders must implement and adhere to protocols intended to guard against cybercrime. Continuous awareness and training of staff members is necessary.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
*Estoppel is a legal principle that prevents someone from arguing something or asserting a right that contradicts what they previously agreed to or said
Let SD Law help
If you have questions about cybercrime, the Cybercrimes Act, or any other legal matter, give Cape Town attorney Simon Dippenaar a call on 086 099 5146 or email sdippenaar@sdlaw.co.za.
Further reading:
- Cyber extortion
- How a crypto scam cost a finance boss £300,000 (c.R7m)
- Cybercrimes Act 2020
- Cybercrimes Act 2020 and data messages
The information on this website is provided to assist the reader with a general understanding of the law. While we believe the information to be factually accurate, and have taken care in our preparation of these pages, these articles cannot and do not take individual circumstances into account and are not a substitute for personal legal advice. If you have a legal matter that concerns you, please consult a qualified attorney. Simon Dippenaar & Associates takes no responsibility for any action you may take as a result of reading the information contained herein (or the consequences thereof), in the absence of professional legal advice.