The recent case of Fortein NO v Iprop Trading CC highlights critical responsibilities and risks for organisations when dealing with electronic communications and payments. The core issue revolved around a business email compromise (BEC) that led to the payment being made into a fraudulent bank account.
This post breaks down what this case means for organisations and the practical actions you should take.
Case summary
- The appellant, Ms Fortein—acting as trustee of an insolvent estate—sold property to the respondent, Iprop Trading, an auction house.
- Iprop Trading was supposed to pay ZAR58,250 into the bank account details received via email from the appellant. However, the email was intercepted, and the payment was made into a different, fraudulent account.
- The initial court ruling dismissed the claim against the respondent, stating that there was no proven negligence.
- On appeal, the court ruled that the purchaser has a duty to ensure the correctness of bank account details, and that making a payment to an incorrect account does not absolve the purchaser of their debt obligation.
Key legal findings
- Duty of care: Organisations must verify bank account details before making payments. Simply relying on email communications, which can be intercepted, is not sufficient.
- Negligence: Failure to confirm the banking details can be deemed negligent, making the payer liable for the payment even if it is made to a fraudulent account.
- Obligation persistence: Paying into an incorrect account does not extinguish the payer’s obligation to the creditor.
Practical actions for organisations
To mitigate risks similar to those highlighted in this case, you should implement the following measures:
Verify payment details
- Double verification: Always confirm payment details through a secondary method. For instance, if account details are received via email, confirm them via a phone call to a known contact at the recipient organisation.
- Authorised contact list: Maintain an up-to-date list of authorised contacts and their communication channels to ensure that verification calls are made to legitimate personnel.
Implement robust cybersecurity measures
- Email security: Use secure email services with advanced encryption to minimise the risk of interception.
- Two-factor authentication (2FA): Implement 2FA for email accounts to add an extra layer of security.
- Regular audits: Conduct regular cybersecurity audits to identify and mitigate vulnerabilities in your email and IT systems.
Educate and train employees
- Awareness programmes: Conduct regular training sessions on the risks of cybercrime, specifically BEC scams, and the importance of verifying payment details.
- Phishing simulations: Run phishing simulation exercises to help employees recognise and appropriately respond to suspicious emails.
Develop and enforce policies
- Payment verification policy: Establish a clear policy that mandates the verification of banking details before any payment is made.
- Incident reporting procedure: Create a procedure for reporting and responding to suspected cyber incidents promptly.
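The double-verification control and the payment-verification policy above, expressed as a payment-release gate in Python. This is an added illustration, not code from the case, the court or the post; the authorised-contact list, account numbers and phone numbers are constructed. The gate only releases a payment to details that differ from the verified record once a call-back has been made to a number on the authorised list, never to a number supplied in the same e-mail as the new details.

```python
"""Payment-release gate for the verification controls above. Illustrative
code, not from the case or the post; all names, numbers and accounts are
constructed."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Authorised contact list (constructed). Call-backs go only to these numbers,
# never to a number supplied in the same e-mail as the new bank details.
AUTHORISED_CONTACTS = {"trustee-office": "+27-00-000-0000"}

@dataclass
class Callback:
    account: str        # account number read back during the call
    phone_called: str   # number the verifier actually dialled
    verified_by: str    # staff member who made the call

@dataclass
class Payee:
    payee_id: str
    contact_id: str            # key into AUTHORISED_CONTACTS
    verified_account: str      # last account confirmed out-of-band
    callbacks: list = field(default_factory=list)   # audit trail

def callback_confirms(payee: Payee, account: str) -> Optional[Callback]:
    """Return the call-back confirming `account` if it went to the authorised
    number; a call to any other number (e.g. one in the e-mail) does not count."""
    authorised = AUTHORISED_CONTACTS.get(payee.contact_id)
    for cb in payee.callbacks:
        if cb.account == account and cb.phone_called == authorised:
            return cb
    return None

def release_payment(payee: Payee, account: str, amount_zar: int) -> Tuple[bool, str]:
    """Decide whether the payment may go out; returns (released, reason)."""
    if account == payee.verified_account:
        return True, f"ZAR{amount_zar} to verified account {account}"
    cb = callback_confirms(payee, account)
    if cb is None:
        return False, (f"account {account} differs from verified record "
                       f"{payee.verified_account} and no call-back to "
                       f"{AUTHORISED_CONTACTS.get(payee.contact_id)} is on file")
    payee.verified_account = account   # promote only after confirmation
    return True, f"ZAR{amount_zar} to {account}, confirmed by {cb.verified_by}"

if __name__ == "__main__":   # constructed scenario mirroring the case
    p = Payee("estate-001", "trustee-office", verified_account="1111111111")
    p.callbacks.append(Callback("9999999999", "+27-00-999-9999", "clerk"))
    print(release_payment(p, "9999999999", 58250))   # blocked: wrong number called
    p.callbacks.append(Callback("9999999999", "+27-00-000-0000", "clerk"))
    print(release_payment(p, "9999999999", 58250))   # released after valid call-back
```

The audit trail of call-backs is what lets an organisation show, after the fact, that the verification mandated by its policy actually took place.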
Legal and compliance measures
- Contractual clauses: Include specific clauses in contracts that outline the responsibility for verifying payment details and the procedures to follow if a cybercrime is suspected.
- Insurance: Consider cyber liability insurance to cover potential losses from cybercrimes, including BEC.
Read the case
Access the case via Saflii.