Check All Emailed Bank Details for BEC (“Business Email Compromise”) Frauds
“…sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated.” (Extract from judgment below)
Before you make any payment to a supplier’s bank account on the basis of an emailed invoice, check that the bank account details in the invoice are genuine.
If your supplier’s email system (or your own) has been hacked in a BEC (“Business Email Compromise”) scam, the bank details on the invoice could easily be fraudulent, and if so you will be paying into a scammer’s bank account.
Property transactions are prime BEC targets, but not the only ones!
You will have seen many warnings about the global problem of conveyancing email scams, where emails are intercepted and false bank account details appear in invoices or in the mails themselves. Property sales are usually high value transactions and thus a natural target for fraudsters.
Increasingly though, other non-property related business-to-business and business-to-customer transactions are being targeted – the higher the value of the deal, the more likely it is to be subjected to online crime.
Let’s take a topical example…
It’s high-value inverter time, and the bad guys are taking note…
You decide to install a high-value inverter, courtesy of Eskom’s “no end in sight” loadshedding. Inverter installers – let’s call them “Speedy Sparkies Inverter Systems” – email you a quote for R145,000. You accept. Back comes an emailed invoice, apparently from Fred at Speedy’s usual address, asking you to pay R100,000 upfront to cover materials. You transfer R100k to the X Bank account on the invoice and ask when they will install. The friendly return email reads “Thanks for the payment, we’ll fit you in next week Thursday. Best, Fred”.
Thursday rolls around but no Fred. You phone him. “But you haven’t paid us yet” says Fred. “Yes I have, I paid into your account last week and you emailed confirmation of receipt of payment”. “No, definitely no payment received and no email from us confirming receipt.” “That’s impossible Fred, I have your email in front of me”. At which stage you notice, with a sinking heart and rising panic, that that last email came from a lookalike address – Speedy’s domain with a hyphen inserted. “Nope, really sorry” says Fred, “there’s no hyphen in our email address and we bank with Y Bank not X Bank. You’ve been scammed. We’ll try to help you but you need to pay the R100k again before we can install”.
Denial, anger, acceptance, then off to the bank to ask for help and off to SAPS to lay charges. Your bank and the police are sympathetic but not hopeful of recovery. So what happened?
How did you just lose R100k?
Using phishing tactics, the scammers hacked into Speedy’s email system, then monitored all their emails, waiting for a high value contract to pop up. They pounced, intercepted the email to you with the invoice, and changed only two things: the reply address and the bank account details.
You suspected nothing – the look and feel of the email and invoice are totally genuine, the wording of the mails is Fred’s (right down to his trademark sign-off “Best, Fred”), the email address difference is so subtle you don’t notice it. Sometimes scammers can even “spoof” an email address, where the sending email address appears to be the same as the legitimate one.
It all looks 100% authentic and of course by the time you and Fred realise anything is amiss, your money is long gone.
The only winners here are the scammers and the question now is “who is the loser?”
Who takes the loss? Who pays for your inverter now? Can you sue?
Here’s the rub – you blame Speedy for allowing their system to be hacked. You accuse them of negligence and of failing in their duty to keep your data safe in compliance with POPIA (the Protection of Personal Information Act). But Speedy deny fault, say you carry the risk, and point out that it was your mistake not to notice the falsified email address and not to phone Fred to check the bank account details. Speedy’s insurers confirm they have no cover for this sort of fraud.
Do you have a legal claim against the business? There’s no cut-and-dried answer to that, with our case law outcomes to date tending to vary with each particular set of facts, and the courts referring to various questions of proving negligence, compliance with payment instructions, “considerations of legal and public policy”, and reference to a general rule that anyone making a payment to someone else is required to check that they are paying into the correct account.
So as a customer, it’s probably safest to work on the basis that you could well be held to be the party at risk and will almost certainly have to prove (at the very least) negligence on the part of the business in order to stand a chance of establishing any claim against it.
As a business on the other hand, your legal position is far from secure. You will be accused of negligence (and perhaps also breach of POPIA) if it is your system that was hacked. Even if it is your customer’s email account that has been hacked you are still at risk, as confirmed by the recent High Court award of R5.5m (plus interest and costs on the punitive attorney and client scale) in just such a case against a conveyancing firm on the basis of its legal duty of care towards a property purchaser, and on a finding that “but for the negligent transmission of its account details and failure to warn [the buyer] upfront of the inherent danger of BEC, she would not have suffered the loss.” In the Court’s words “sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated”.
On a strictly practical level, your reputation is at stake and those 5-star Google Reviews could be in for a knock.
Bottom line – take legal advice specific to your case. Perhaps you will both be advised to cut your losses and to share the pain 50/50. Far from ideal, but a lot better than protracted and bitter litigation.
Prevention being as always a lot better than cure, we share below some ideas on how to protect yourself from this sort of cyber fraud in the first place.
Prevention – here’s what to do
- Businesses: Most importantly, protect your systems from being hacked! Train all staff in the increasingly sophisticated nature of phishing emails, protect email accounts with multi-factor authentication, update all your software and beef up your anti-virus and anti-malware protections and protocols. Consider not putting your banking details on invoices and tell customers to phone you to check any details they are given. Consider using a secure payment portal with two-factor authentication (2FA) and protect any PDF documents you send (it’s a myth that PDFs can’t be altered). Tell customers on every email that you will never advise any change of bank details by email. Check with your insurers whether you can get cover for this risk.
- Customers: Take the same strong anti-hacking measures. Never pay anything without checking bank details direct with the business, either in person or telephonically (don’t use the phone numbers on the emails or invoices, they could easily have been faked as well). Check email addresses carefully – make sure the reply-to address is the same as the sender’s address, watch for subtle changes like ‘.co.za’ becoming ‘.com’ or vice-versa, and remember that every hyphen, every letter and every number in the email address counts. Use bank-defined beneficiaries for online banking where possible. Be very suspicious of any “we’ve changed our banking details” communications.
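The address and wording checks in the two bullets above, as an added example in Python (this is not code from the original article or from any real supplier). It parses a raw email, compares the From and Reply-To domains against a supplier domain you have already confirmed by phone, flags near-miss domains such as an inserted hyphen or ‘.co.za’ swapped for ‘.com’, and flags wording that announces new banking details. The domain speedysparkies.co.za, the invoice number and the three sample messages are constructed for the example.

```python
"""Check an emailed invoice for BEC red flags before paying.

Added example, not code from the original article. The trusted domain,
the sample messages and the customer address are all constructed for
illustration; confirm the real supplier domain by phone first.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical supplier domain, confirmed out of band (never from an email).
TRUSTED_DOMAINS = {"speedysparkies.co.za"}

# Wording that should always trigger a phone call to a number you already hold.
BANK_CHANGE_PATTERNS = [
    r"\bnew bank(ing)? details\b",
    r"\b(changed|updated) (our )?bank(ing)? (account|details)\b",
]


def _domain(header_value):
    """Lower-cased domain of an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def _lookalike(domain, trusted):
    """Trusted domain that this one closely resembles, or None.
    An inserted hyphen, a swapped letter or .co.za -> .com all score high."""
    close = difflib.get_close_matches(domain, sorted(trusted), n=1, cutoff=0.75)
    return close[0] if close else None


def _body_text(msg):
    """Concatenated, decoded text/plain parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_invoice_email(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings; an empty list means no red flags were found.
    Header and wording checks only: they do not replace phoning the supplier."""
    msg = message_from_string(raw_message)
    warnings = []

    domains = {"From": _domain(msg.get("From"))}
    if msg.get("Reply-To"):
        domains["Reply-To"] = _domain(msg.get("Reply-To"))

    for header, domain in domains.items():
        if domain is None:
            warnings.append(f"{header}: no usable address")
        elif domain in trusted:
            continue
        elif near := _lookalike(domain, trusted):
            warnings.append(f"{header} domain {domain!r} looks like {near!r} but is not it")
        else:
            warnings.append(f"{header} domain {domain!r} is not a trusted supplier domain")

    # Replies go to Reply-To, so a scammer can leave From untouched and still
    # capture the conversation. Flag any split between the two.
    if "Reply-To" in domains and domains["Reply-To"] != domains["From"]:
        warnings.append(f"replies go to {domains['Reply-To']!r}, not to the From domain {domains['From']!r}")

    if any(re.search(p, _body_text(msg), re.IGNORECASE) for p in BANK_CHANGE_PATTERNS):
        warnings.append("message announces a change of banking details; confirm by phone")

    return warnings


# Constructed samples: the genuine invoice, then the same invoice as resent by
# an attacker who controls the supplier's mailbox, then a TLD swap.
GENUINE = """\
From: Fred <fred@speedysparkies.co.za>
To: customer@example.net
Subject: Invoice 1042

Invoice attached as discussed. Best, Fred
"""

INTERCEPTED = """\
From: Fred <fred@speedysparkies.co.za>
Reply-To: Fred <fred@speedy-sparkies.co.za>
To: customer@example.net
Subject: Invoice 1042

Invoice attached. Please note our new banking details. Best, Fred
"""

TLD_SWAP = """\
From: Fred <fred@speedysparkies.com>
To: customer@example.net
Subject: Invoice 1042

Invoice attached as discussed. Best, Fred
"""

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("intercepted", INTERCEPTED), ("tld swap", TLD_SWAP)):
        print(name, "->", check_invoice_email(sample) or ["no red flags"])
```

The similarity cutoff of 0.75 is deliberately loose: a hyphen inserted into a twenty-character domain scores above 0.97 and a ‘.co.za’ to ‘.com’ swap scores about 0.89, while an unrelated domain scores well below the cutoff and is reported as simply untrusted. An empty result means only that this script saw nothing; the phone call to a known-good number is still the control that matters.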
Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.