
Check All Emailed Bank Details for BEC (“Business Email Compromise”) Frauds

“…sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated.” (Extract from judgment below)

Before you make any payment to a supplier’s bank account on the basis of an emailed invoice, check that the bank account details in the invoice are genuine.

If your supplier’s email system or your own has been hacked in a BEC (“Business Email Compromise”) scam, the invoice details could easily be fraudulent, and if so you will be paying into a scammer’s bank account.

Property transactions are prime BEC targets, but not the only ones!

You will have seen many warnings about the global problem of conveyancing email scams, where emails are intercepted and false bank account details appear in invoices or in the mails themselves.  Property sales are usually high value transactions and thus a natural target for fraudsters.

Increasingly though, other non-property related business-to-business and business-to-customer transactions are being targeted – the higher the value of the deal, the more likely it is to be subjected to online crime.

Let’s take a topical example…

It’s high-value inverter time, and the bad guys are taking note…

You decide to install a high-value inverter, courtesy of Eskom’s “no end in sight” loadshedding. Inverter installers – let’s call them “Speedy Sparkies Inverter Systems” – email you a quote for R145,000. You accept. Back comes an emailed invoice from fred@speedysparkies.co.za asking you to pay R100,000 upfront to cover materials. You transfer R100k to the X Bank account on the invoice and ask when they will install. The friendly return email reads “Thanks for the payment, we’ll fit you in next week Thursday. Best, Fred”.

Thursday rolls around but no Fred. You phone him. “But you haven’t paid us yet” says Fred. “Yes I have, I paid into your account last week and you emailed confirmation of receipt of payment”. “No, definitely no payment received and no email from us confirming receipt.” “That’s impossible Fred, I have your email in front of me”. At which stage you notice, with a sinking heart and rising panic, that that last email came from fred@speedy-sparkies.co.za – with a hyphen. “Nope, really sorry” says Fred, “there’s no hyphen in our email address and we bank with Y Bank not X Bank. You’ve been scammed. We’ll try to help you but you need to pay the R100k again before we can install”.

Denial, anger, acceptance, then off to the bank to ask for help and off to SAPS to lay charges. Your bank and the police are sympathetic but not hopeful of recovery. So what happened?

How did you just lose R100k?

Using phishing tactics, the scammers hacked into Speedy’s email system and then monitored all their emails, waiting for a high-value contract to pop up. Then they pounced: they intercepted the invoice email to you and changed only the return email address and the bank account.

You suspected nothing – the look and feel of the email and invoice are totally genuine, the wording of the mails is Fred’s (right down to his trademark sign-off “Best, Fred”), the email address difference is so subtle you don’t notice it. Sometimes scammers can even “spoof” an email address, where the sending email address appears to be the same as the legitimate one.

It all looks 100% authentic and of course by the time you and Fred realise anything is amiss, your money is long gone.

The only winners here are the scammers and the question now is “who is the loser?”

Who takes the loss? Who pays for your inverter now? Can you sue?

Here’s the rub – you blame Speedy for allowing their system to be hacked. You accuse them of negligence and of failing in their duty to keep your data safe in compliance with POPIA (the Protection of Personal Information Act). But Speedy deny fault and say you carry the risk and anyway it’s your mistake for not noticing the falsified email address and for not phoning Fred to check the bank account details. Speedy’s insurers confirm they have no cover for this sort of fraud.

Do you have a legal claim against the business? There’s no cut-and-dried answer to that, with our case law outcomes to date tending to vary with each particular set of facts, and the courts referring to various questions of proving negligence, compliance with payment instructions, “considerations of legal and public policy”, and reference to a general rule that anyone making a payment to someone else is required to check that they are paying into the correct account.

So as a customer, it’s probably safest to work on the basis that you could well be held to be the party at risk and will almost certainly have to prove (at the very least) negligence on the part of the business in order to stand a chance of establishing any claim against it.

As a business on the other hand, your legal position is far from secure. You will be accused of negligence (and perhaps also breach of POPIA) if it is your system that was hacked. Even if it is your customer’s email account that has been hacked you are still at risk, as confirmed by the recent High Court award of R5.5m (plus interest and costs on the punitive attorney and client scale) in just such a case against a conveyancing firm on the basis of its legal duty of care towards a property purchaser, and on a finding that “but for the negligent transmission of its account details and failure to warn [the buyer] upfront of the inherent danger of BEC, she would not have suffered the loss.” In the Court’s words “sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated”.

On a strictly practical level, your reputation is at stake and those 5-star Google Reviews could be in for a knock.

Bottom line – take legal advice specific to your case. Perhaps you will both be advised to cut your losses and to share the pain 50/50. Far from ideal, but a lot better than protracted and bitter litigation.

Prevention being as always a lot better than cure, we share below some ideas on how to protect yourself from this sort of cyber fraud in the first place.

Prevention – here’s what to do
  • Businesses: Most importantly, protect your systems from being hacked! Train all staff in the increasingly sophisticated nature of phishing emails, update all your software and beef up your anti-virus and anti-malware protections and protocols. Consider not putting your banking details on invoices and tell customers to phone you to check any details they are given. Consider using a secure payment portal with two-factor authentication (2FA) and protect any PDF documents you send (it’s a myth that PDFs can’t be altered). Tell customers on every email that you will never advise any change of bank details by email. Check with your insurers whether you can get cover for this risk.
  • Customers: Take the same strong anti-hacking measures. Never pay anything without checking bank details direct with the business, either in person or telephonically (don’t use the phone numbers on the emails or invoices, they could easily have been faked as well). Check email addresses carefully – make sure the return address is the same as the sender’s address (some tips on how to do that here), watch for subtle changes like ‘.co.za’ becoming ‘.com’ or vice-versa, and remember that every hyphen, every letter and every number in the email address counts. Use bank-defined beneficiaries for online banking where possible. Be very suspicious of any “we’ve changed our banking details” communications.
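
The email address checks described for customers above can be automated on a saved message. The following is an added example, not part of the original article: it compares the From and Reply-To domains with a supplier domain you have verified independently, and flags the hyphen and ".co.za"/".com" variations the article warns about. The function names and sample messages are constructed for illustration, and it assumes the supplier's domain has the business name as its first label.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); names follow the story above.
GENUINE = "From: Fred <fred@speedysparkies.co.za>\nSubject: Invoice\n\nBest, Fred\n"
HYPHENATED = "From: Fred <fred@speedy-sparkies.co.za>\nSubject: Invoice\n\nBest, Fred\n"
REPLY_DIVERTED = (
    "From: Fred <fred@speedysparkies.co.za>\n"
    "Reply-To: fred@speedysparkies.com\n"
    "Subject: Invoice\n\nBest, Fred\n"
)


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing/malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_domain(seen, trusted):
    """Describe how a seen domain relates to the supplier's verified domain."""
    if seen == trusted:
        return "match"
    # Assumption: the first label is the business name, the rest is the ending.
    seen_name, _, seen_end = seen.partition(".")
    trusted_name, _, trusted_end = trusted.partition(".")
    if seen_end == trusted_end and seen_name.replace("-", "") == trusted_name.replace("-", ""):
        return "lookalike: hyphen added or removed"
    if seen_name == trusted_name:
        return "lookalike: domain ending changed"
    if SequenceMatcher(None, seen_name, trusted_name).ratio() >= 0.8:
        return "lookalike: near-identical spelling"
    return "different domain"


def check_invoice_email(raw_message, trusted_domain):
    """Return a list of warnings; an empty list means no header anomaly found."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    verdict = classify_domain(from_dom, trusted_domain)
    if verdict != "match":
        findings.append(f"From domain {from_dom!r}: {verdict}")
    # Replies (and payment queries) go to Reply-To, so it must match From.
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain {reply_dom!r} differs from From domain "
            f"{from_dom!r}: {classify_domain(reply_dom, trusted_domain)}"
        )
    return findings


if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("hyphenated", HYPHENATED),
                      ("reply diverted", REPLY_DIVERTED)]:
        print(name, "->", check_invoice_email(raw, "speedysparkies.co.za") or "no anomaly")
```

An empty result only means the headers look consistent. A spoofed sender address or a message sent from the supplier's own hacked mailbox passes this check, so the bank details still need confirming by phone on a number you already trust.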

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© LawDotNews

“Double Jeopardy” for Tax Evasion – Penalties plus Prosecution

“Administrative penalties and criminal proceedings do not serve the same purpose. The [one] is aimed at strengthening internal controls of the administrative authority and to promote compliance while the other is aimed at correcting a behaviour that caused harm to the society.” (Extract from judgment below)

SARS has announced major crackdowns on tax defaulters, and a recent High Court decision highlights the dangers of being caught out for “intentional tax evasion”.

R1.3m prejudice to SARS
  • A close corporation (CC) registered for both income tax and VAT (value added tax) rendered “nil” returns to SARS over a four-year period, indicating that no income had been generated and no expenses incurred.
  • After a tax audit, SARS determined (and the CC admitted) that the returns were false and that SARS had in consequence suffered prejudice of R819,607 on VAT and R493,600 on Income Tax.
  • SARS levied 10% late payment penalties and further imposed a 150% understatement penalty on both Income Tax and VAT. The 150% was imposed for “intentional tax evasion”.
  • Both the CC and the member were then also charged criminally for intentional tax evasion.

Both penalties and prosecution – is that “Double Jeopardy”?

They applied to the High Court for a declaration that the relevant sections of the Tax Administration Act are invalid, arguing that it is inconsistent with the constitution to “criminally punish the taxpayer twice for the same criminal offence of intentional tax evasion.”

Which raised the question of whether or not this was a case of “double jeopardy” – the legal rule that “no one may be punished for the same offence twice.” You cannot, in other words, be repeatedly prosecuted for the same offence.

But, held the Court, “nothing precludes civil administrative proceedings and criminal proceedings from the single act”. Double jeopardy does not apply in a case such as this where “calling the taxpayer to account for the wrongdoing before an administrative body as well as the criminal are two distinct processes”.

In other words, both the CC and the member, having been subjected already to hefty administrative penalties (that 150% understatement penalty must hurt particularly badly!) now face criminal prosecution as well. Criminal records, substantial fines and direct imprisonment are all on the table.


Using the New Cybercrimes Act to Protect Yourself

“…cybercrime has increased by over 300% during the COVID-19 pandemic – making it one of the biggest threats to businesses around the globe.” (Property 24 report)

The Cybercrimes Act, which has been years in the making, is now (with effect from 1 December 2021) at last largely in force. Although some provisions still remain on hold (most notably some of those relating specifically to “revenge porn” and the granting of protection orders), a whole range of unlawful cyber-related activity has now been specifically criminalized.

The police have also been given wide powers of investigation, search, access and seizure, and the penalties for contraventions are substantial.

The pandemic-forced shift to a “work from home, shop and communicate online” culture has reportedly seen cybercrime rocketing by 300%. As always our best protection from online criminals is prevention, but for anyone unfortunate enough to fall victim to them at least the new Act now provides us all with a layer of legal protection we haven’t had before – but only if we actually use it and report cybercrime.

The new crime categories

The Act’s provisions are detailed and complex, so this is of necessity just a very brief summary. But for most practical purposes what you need to know is that both individuals and organisations now face prosecution for any –

  • Unlawful access to a “computer system” or “computer data storage medium” (i.e. “hacking”).
  • Unlawful interception of or interference with data, computer programs, data storage mediums and systems.
  • Unlawful acquisition, possession, provision or use of passwords, access codes and the like (PINs, access cards and devices included).
  • Cyber fraud, forgery, extortion and theft.
  • “Malicious communications” (which would by definition include messages sent by email or via Social Media channels, WhatsApp and the like) to the general public, individuals or groups that –
    • Incite damage to property or violence to a person or persons,
    • Threaten a person or persons with damage to property or violence,
    • Disclose a “data message of an intimate image of a person” without that person’s consent, and regardless of whether the victim is identifiable in the image itself or only from a description or other related information. Moreover the image can be “real or simulated”.

A particular warning to Social Media users

Posting or sharing anything prohibited by the Act – perhaps particularly any of the types of “malicious communication” referred to above – could land you in some extremely hot water. Think before you post!

What about “revenge porn”?

As noted above, some of the Act’s provisions relating specifically to “revenge porn” are not yet in effect, but there are already prohibitions against it in other legislation, plus the offences mentioned above relating to disclosure of “intimate images” should at least partially assist victims in the interim.


Arrest and a Criminal Record for Not Wearing a Mask?

“7,000 people have already been arrested for not wearing masks and most of them now have criminal records” (Police Minister Bheki Cele in mid-January)

We all know that wearing a face mask is the right and the safe thing to do, but it is also a legal requirement – and it’s one that you really don’t want to breach.

Firstly, can you be arrested for not wearing a mask?

The short answer is yes, the amended Disaster Management Act Regulations providing that –

  • Everyone (except children under six) must always wear a face mask (covering nose as well as mouth!) when in a public place.
  • It is a criminal offence not to comply with a verbal instruction to wear a face mask by an “enforcement officer” (defined to include SAPS and SANDF members, “peace officers” such as magistrates, Justices of the Peace, correctional services officers, municipal law enforcement officers and other designated officials). There are also reports of arrests without such an instruction being given beforehand, and as the police appear to be using their interpretation of the Regulations to conduct these “arrests without warning”, rather be safe than sorry – assume that if you have no mask you risk immediate arrest and prosecution.
  • You are liable on conviction to “a fine or a period of imprisonment not exceeding six months, or to both such fine and imprisonment.”
  • You need not wear a mask while undertaking “vigorous exercise” (not defined in the Regulations but presumably including fast running, cycling and the like – err on the side of caution here) provided that you continually maintain a distance of one and a half meters from any other person.

You could end up with a criminal record, and that’s real trouble

You can of course elect to go to court to fight the charge, but often you will also be given the alternative of paying an “admission of guilt” fine. 

It will be a tempting offer at the time but be careful – paying a fine is one thing but if you end up with a criminal record (an entry in the SAPS Criminal Record Centre database) you will regret it. Imagine for example a scenario where you apply for a job, or a travel visa, or a firearms licence, or for credit (such as a home loan). And suddenly up pops your long-forgotten criminal record, a nasty surprise at the worst possible time.

Plans to change the law so that only some admission of guilt fines will result in a criminal record have so far come to nought. So as the law stands you will end up with a “deemed” conviction and sentence – and thus a record – if you are arrested and your fingerprints are taken. Which is exactly what the Minister says will happen to you.

And once you have a criminal record, it’s not at all easy to get rid of it.

Three ways you can try to remove your criminal record  
  1. Firstly, you can apply for “expungement” of the record to remove it from the CRC database, but that option is only available to you after 10 years and for certain “minor offences”. It will also take a long time to process – “20 – 28 weeks” per SAPS. Note that some specified minor convictions fall away automatically after 10 years – ask for specific advice.
  2. Secondly, you could ask a court to set aside your conviction and sentence – costly, not an immediate fix, and not guaranteed to succeed.
  3. Thirdly, you could hope that planned amendments to our criminal procedure laws will retrospectively come to your aid – speculative for now.

The bottom line – wear your mask, and don’t admit guilt without legal advice!


Lockdown “Admission of Guilt” Fines – The Criminal Record Risk

Breaking any of our lockdown laws can be an expensive business, risking heavy penalties. 

If you are accused of a contravention and offered the option of paying an “admission of guilt” fine to avoid a court appearance, beware! It may seem like the easy way out to pay up and put the whole thing behind you but it could land you with a criminal record. 

You really don’t want to have a criminal record!

Having a criminal record comes with serious and lifelong negative consequences. Even an old and long-forgotten minor offence can hang around in the background until it suddenly pops up at the worst possible times – such as when you apply for a travel visa or a new job. 

When are you most at risk? 

The general rule is that you will acquire a criminal record if you are arrested, if the police open a docket and take fingerprints, and if you are thereafter convicted of a crime. 

The problem with admission of guilt fines is that they may well leave you with a “deemed” conviction and sentence which will end up in the CRC (SAPS Criminal Record Centre) database. Although there was talk in the past of the CRC capturing convictions with just your name and I.D. number the main risk seems to still be in having your fingerprints taken.

It’s not easy to get rid of a criminal record

And once you have a criminal record, it’s not easy to get rid of it.  

  1. Firstly, you can apply for “expungement” of the record to remove it from the CRC database, but that option is only available to you after 10 years and for certain “minor offences”. It will also take a long time to process – “20 – 28 weeks” per SAPS. Note that some specified minor convictions fall away automatically after 10 years – ask for specific advice.
  2. Secondly, you could ask a court to set aside your conviction and sentence – costly, not quick and not guaranteed to succeed.
  3. Thirdly, you could hope that planned amendments to our criminal procedure laws will retrospectively come to your aid – speculative and not yet in the pipeline.

The bottom line – if you are offered the option of paying an admission of guilt fine, ask for advice before you accept!
