
Edward Nathan Sonnenbergs (ENS) is one of SA’s, and Africa’s, largest and leading law firms, with offices spread throughout the continent.  

The firm came about in 2006 through the merger of Cape Town law firm Sonnenberg Hoffman Galombik and Johannesburg firm Edward Nathan Friedland. For more than a century these firms had been at the forefront of the development of SA law.

On January 16 they continued this proud tradition, albeit not so much as attorneys representing a client as the defendant in a case they lost. The case involved a business email compromise, the scourge of modern electronic communications. 

The facts of Hawarden v ENS are simple and chilling. In 2019, Judith Hawarden bought a house marketed by Pam Golding Properties. As is the custom, the seller appointed the conveyancing attorney, in this case ENS. Hawarden subsequently received an email from ENS’s conveyancing team with its trust bank account details, into which she was required to pay the balance of the purchase price of R5.5m.

However, unbeknown to her, her email account had been hacked, and a fraudster substituted ENS’s email address (which ends with @ENSAfrica.com) with a lookalike ending in @ENSAfirca, switching the “i” and the “r”, a change almost imperceptible to the average person.

The fraudulent email contained different bank account details, into which the unwitting Hawarden paid the R5.5m. When she discovered the fraud she maintained that ENS was liable for the loss on the basis that the firm did not warn her of the possibility and risks of business emails being compromised.

Three years later and after a trial of 12 days, Hawarden prevailed, a David v Goliath victory. Justice Phanuel Mudau of the high court in Johannesburg ordered ENS to pay Hawarden’s R5.5m plus her costs on the scale between attorney and client. The punitive cost order was incurred because of ENS’s reprehensible conduct — in the view of the judge — during the trial, when the firm included in the trial bundles highly personal and sensitive, but irrelevant, information concerning Hawarden.

During the trial ENS made much of the fact that it had policies in place to warn people of the risks of business emails becoming compromised, that Pam Golding Properties had also warned Hawarden, and that her bank (Standard Bank) often sent her emails warning of the risks, all in an attempt to lay the blame for the erroneous payment on her. None of that swayed the judge, who was severely critical of ENS’s witnesses.

The judge pointed out various deficiencies in ENS’s policies and the manner in which the firm handled the Hawarden matter. The court ruled that ENS owed a duty of care to Hawarden to ensure she did not fall victim to such a scam, that it had failed to perform this duty, and that this failure was the direct cause of her loss. It thus had to pay for it.

Several experts testified for both parties about the risks of cybercrime, how it is constantly evolving, and what steps businesses can take to mitigate the risks of business emails being compromised. They also demonstrated to the court how easy it is to change PDF files, the format most businesses use to send out unsecured invoices and bank details.

Hawarden testified that she had no knowledge of the risks involved and that ENS did not advise her of these at the time she made the electronic funds transfer to ENS’s trust account.

She was actually in her Standard Bank branch at the time she was about to make the EFT, and on the phone with ENS. ENS did not warn her of the risks involved in using EFTs and did not ask her to confirm the bank account details she was about to use, something the court felt it should and could easily have done.  Hawarden added that she “assumed [ENS] would take care of anything that was not safe”.  The court found that ENS failed in its duty to protect Hawarden.

One colleague of mine described this decision as “frightening”, because notwithstanding all the warnings a creditor may send out about the danger of business email compromises, the effect of this court decision is that any business that sends its bank details in an unsecured manner to a debtor may be held liable for that debtor’s losses if the debtor falls victim to such fraud.

Two-factor authentication and secure portals

However, expert witnesses in the trial testified about the various straightforward and secure options available to avoid business email compromise, such as two-factor authentication and secure portals for exchanging information. They also testified about readily available tools that can prevent the unauthorised use of a sender’s email domain, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), tools ENS did not use in Hawarden’s case.

These come at a cost of R2,000-R8,000 a month, according to the witnesses, small fry for a firm such as ENS but likely a significant additional expense for small businesses. However, with the proliferation of cyber criminals and the increasing sophistication of their tactics, this may well be an expense businesses can ill afford to dodge, especially in view of this court decision.

Another possibility is to have banks save your bank details as a preloaded beneficiary, so that clients do not have to type the bank account number when they make electronic payments. Several banks now offer this solution, and it may be the most sensible and cost-effective solution.

The reality of life for businesses in a post-Hawarden v ENS world is that if you send out your banking details in unprotected formats (PDF, Word), without taking additional steps to ensure your emails are not compromised, you are likely acting negligently and could be on the hook for damages your clients may suffer if they pay money into fraudulent accounts.

Emails and disclaimers alerting clients to the dangers of business emails being compromised and other cyber fraud will not be enough to ward off liability. Businesses will have to assume their clients are not aware of the risks.

• Myburgh is an attorney practising in Johannesburg and São Paulo.
