Payment data sent via online media is increasingly the target of fraudulent activities. In Namibia, manipulation of electronic payment transactions is therefore highly topical from a legal perspective. Based on the existing risks and new trends in case law, this article aims to provide a brief overview of the legal situation in the event of a transfer to a fraudster’s account and how one can protect oneself against such fraudulent actions.
What is electronic payment fraud and where does it occur?
Opportunities for fraud in electronic payment transactions arise in particular when payment data is sent electronically, for example by e-mail. Fraudsters intercept e-mails with corresponding invoice data and change the details on the invoice in their own favor. If, as a result, a transfer is made to such an account after a fraudster has intervened in the correspondence between two people, the chances of recovering the money paid or successfully pursuing criminal proceedings are very slim. Despite high FICA requirements for opening a bank account, it is currently almost impossible to identify the person behind a bank account.
What is the legal situation in Namibia?
Since the chances of success of legal action against the fraudsters are to be considered low due to the hurdles that exist with regard to factual aspects, the question of whether the creditor can continue to demand payment even after the debtor has transferred the money to the fraudster’s account must be examined from a legal perspective. The question therefore arises as to when a debtor’s liability can be considered to have been settled. Furthermore, from a legal perspective, it is problematic which duties of care a professionally acting creditor or trustee has towards the client with regard to fraudulent actions in electronic payment transactions. New trends in case law will be discussed in this context.
Regarding the question of when a debt can be considered to have been settled by the debtor, the case law to date has followed a clear course. Based on the case of Galactic Auto (Pty) Ltd v Venter (4052/2017) (2019) ZALMPPHC 27 (14 June 2019), for example, the debtor remains liable until the payment is credited to the creditor’s bank account. The debtor must reassure the creditor of the payment information regarding the account details in advance of the payment, for example by telephone. It is sufficient for the creditor to prove that they have provided the debtor with the correct bank details.
The question of the duties of care of attorneys is of particular legal relevance in this context. According to the case Fourie v Van der Spuy and De Jongh Inc. and Others (65609/2019) (2019) ZAGPPHC 449; 2020 (1) SA 560 (GP) (August 30, 2019), high duties of care should already apply to law firms acting in a fiduciary capacity. According to this decision, the practising lawyers and the law firm were sentenced to joint and several liability for breach of these fiduciary duties. These had consisted in the fact that the lawyers had made payments to a fraudulent account without first checking the account details with the payee and had acted in full knowledge of the risks involved.
An enormous extension of liability risks for law firms was established by the recent judgment of the High Court of South Africa (Hawarden v Edward Nathan Sonnenbergs Inc (13849/2020) (2023) ZAGPJHC 14; (2023) 1 All SA 675 (GJ); 2023 (4) SA 152 (GJ) (16 January 2023)), which is currently still pending on appeal. Hawarden (who brought the legal action) and a secretary in the conveyancing department of the law firm had been emailing back and forth about a property that Hawarden was purchasing. ENS was representing the seller of the property. To finalise the transaction, Hawarden had to EFT a large sum of money (R5.5 million) into the ENS’s attorney trust account. Unfortunately, Hawarden’s email inbox was compromised by cybercriminals. The cybercriminals impersonated the ENS legal secretary by creating an email address that was exactly the same as the ENS legal secretary’s but for the word ‘africa’, which was replaced with ‘afirca’. The cybercriminals attached a PDF with the details of a bank account which was supposedly ENS’s attorney trust account.
Consequently, Hawarden paid the amount she owed on the property into the wrong bank account. By the time the mistake was detected, the cybercriminals had already drained the funds from the bank account they had set up. Hawarden then claimed that ENS owed her a duty to exercise sufficient care in the conduct of the transaction, to warn her of the dangers of Business Email Compromise (‘BEC’), and to communicate its banking details to her in a safe manner. Because ENS had failed in this duty of care, Hawarden claimed the defendant was liable to her in delict for the pure economic loss she had suffered.
The law firm was ordered to pay damages after it negligently failed to inform the debtor of known risks of fraudulent practices in electronic payment transactions and to take the necessary security precautions vis-à-vis the debtor. In this case, the court affirmed delictual liability in the amount of the payment made by the plaintiff to the fraudster plus the interest incurred and the court costs. The court also affirmed the required causal link on the basis that the failure to exercise due diligence was so closely linked to the quantifiable loss that it was reasonably foreseeable.
Based on this far-reaching decision, increased duties of care with regard to warning clients of risks in electronic payment transactions should exist if professional actors were aware of the risks materializing in advance of the fraud. In addition, a lawyer has a duty of care regarding the way in which the account data is transmitted if this determines the way in which the account data is transmitted. The liability risks for the lawyer in the event of fraud are particularly high if the invoice data is transmitted as a PDF attachment in an e-mail or in the body text of the e-mail itself and no additional multi-level authentication takes place via a telephone call or a personal conversation to compare the transmitted data.
We think the court’s requirements with which law firms must comply to avoid a claim for delictual liability for when its internal security safeguards fail, are simply unreasonable and burdensome. In our view, it was the Plaintiff’s security safeguards that failed, because it was her inbox that was compromised, not those of ENS.
How can you protect yourself?
In view of the recent trends in case law, it is particularly important for lawyers and banks to comprehensively inform debtors of the risks of fraudulent actions. It is also relevant to carry out a two-step authentication of the payment details, especially in the event that the manner in which the transaction details are transmitted is determined by the trustee. The information transmitted electronically should therefore also be checked again separately via a second transmission channel, such as by telephone or in a face-to-face meeting.
In addition, law firms could obtain a prior indemnification (with a general disclaimer) from their clients which would hold them harmless from the losses that can be suffered as a result of such electronic fraud. This exclusion of liability should also be pointed out in detail in the further course of the mandate.
Finally, it is advisable to take out suitable cyber insurance to cover your own and third-party losses.
Author: Ulrich Etzold, lawyer, in cooperation with Dr. Richard Schulz (trainee lawyer at the Munich Higher Regional Court (Oberlandesgericht München), currently working as an intern at the law firm Etzold-Duvenhage)
Disclaimer of liability
Please note that the above information is not intended as legal advice. This article is for information purposes only and neither Etzold-Duvenhage nor its employees shall be liable for any direct or indirect loss arising from reliance on the contents of this article. This article is limited to matters of current Namibian law. In the event that the contents of this document are relevant to a reader, we advise the reader to contact their lawyer for legal advice.