
The High Court of South Africa’s Western Cape Division recently witnessed a tale of business relationships, digital fraud, and judicial reckoning. The case of Gripper & Company (Pty) Ltd v Ganedhi Trading Enterprises CC is a stark lesson on cybersecurity risks and the responsibility that comes with managing electronic payments in the era of cybercrime—a lesson with far-reaching implications, especially for ITLawCo clients who operate in similarly vulnerable environments.

The facts: A deceptive payment

The story began with a simple order for industrial valves.

Ganedhi Trading Enterprises, having done business with Gripper & Company since 2014, placed an order totalling R866,726.25. This was no impulsive transaction; the companies had a trusted history, with payments always directed to Gripper’s Standard Bank account. But this time, Ganedhi’s payment never reached its intended destination. Unknown to them, an imposter—masquerading as Gripper’s managing director, Max Hafen—had intercepted their email communications. The fraudster, using a nearly identical email address with a minor typo, advised Ganedhi of a supposed banking detail update, instructing them to send funds to an Absa account.

The ruse worked. Ganedhi, without confirming this change through a phone call or other verification, wired the payment to the fraudulent account on 24 May 2021. It wasn’t until three days later, when Gripper requested payment, that Ganedhi discovered they’d been conned. They tried to argue that the scam was Gripper’s fault, insisting that their email system must have been hacked and that Gripper’s lack of security was the true culprit.

The legal battle: Who bears the risk?

As the case unfolded, the courtroom transformed into a battleground of cybersecurity blame. Gripper, represented by counsel, contended that their systems were secure and that the fault lay with Ganedhi for failing to exercise caution. Ganedhi, on the other hand, attempted to shift responsibility back to Gripper, claiming that the applicant’s alleged negligence allowed the fraud to happen.

The judge, Janisch AJ, highlighted critical case law principles, notably the notion that the “debtor must seek out his creditor”. South African courts have traditionally held that the burden is on the payer to confirm account details, a principle upheld in similar cases such as Mosselbaai Boeredienste (Pty) Ltd v OKB Motors CC. The Court reaffirmed that this standard holds even in digital payments: if an unauthorised third party redirects funds, it is the payer who bears the risk unless they took adequate measures to verify the account details. The Court chastised Ganedhi’s failure to act prudently, noting several red flags they ignored, including:

  • An unexplained switch to a new account after seven years of business;
  • Persistent “proof of payment” requests from the fake email address; and
  • An email domain that didn’t precisely match Gripper’s actual address.

These oversights were all critical lapses. As Janisch AJ pointed out, even a quick phone call would have revealed the fraud before the funds were lost.

The ruling: A win for Gripper, a loss for digital vigilance

The judgment was clear: Ganedhi was ordered to pay the outstanding R866,726.25, along with interest. The court deemed that the responsibility lay squarely with Ganedhi to confirm payment details, especially given the high incidence of similar fraud schemes in today’s digital age. Ganedhi’s failure to take preventive steps made them liable, with no valid defense in law or fact against Gripper’s claim. The judge also declined to award any extra costs for legal counsel, finding the case relatively straightforward, despite its technological dimensions.

Our criticism of the judgment

We find the court’s decision to be a thought-provoking, yet incomplete approach to cyberfraud liability. The court’s reliance on the old rule that “the debtor must seek out the creditor” doesn’t fully account for today’s digital fraud complexities. By assigning sole responsibility to Ganedhi for not verifying the bank details, the judgment misses a key opportunity to consider shared responsibility—where both parties might reasonably confirm new payment information.

Moreover, we question whether Gripper & Company could have done more on their end to secure communications, as cyber threats today are highly sophisticated. A more comprehensive approach could have explored whether Gripper’s security standards met reasonable expectations for financial transactions in the digital age.

In our view, this case underscores the need for evolving legal principles that address modern cybercrime risks with a balanced eye on both debtor and creditor responsibilities. We believe the judiciary has a chance to set a new standard, one that encourages best practices in cybersecurity for all parties involved in high-stakes digital transactions.

Impact on ITLawCo clients: Lessons in cybersecurity and transactional vigilance

For ITLawCo’s clientele, this case underscores a crucial reality: the digital frontier is fraught with vulnerabilities that demand vigilance, particularly in payment and communication processes. Clients should take the following lessons to heart:

  1. Strengthen cybersecurity protocols: ITLawCo clients in finance, retail, or any sector handling frequent transactions must bolster email and cybersecurity practices. Employing tools like multi-factor authentication, end-to-end email encryption, and regular phishing training for employees can mitigate risks.
  2. Verify changes with a secondary confirmation channel: This case reinforces that clients should always confirm payment detail changes through an alternative method, such as a direct phone call, before remitting funds. This step is essential in guarding against “lookalike” email scams.
  3. Legal and contractual implications: ITLawCo’s clients should consider including clauses in contracts that specify the payment verification steps required by both parties to prevent fraud disputes. This approach can ensure that both parties share responsibility for verification and establish a clear framework for resolving any payment discrepancies.
  4. Risk awareness training for staff: Routine training on identifying fraud indicators is invaluable. A vigilant approach by staff members can stop many scams before they succeed. Training should include spotting suspicious emails, understanding payment redirection tactics, and following up directly with vendors when something seems amiss.
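
The red flags the Court listed and the secondary-channel check in lesson 2 can be enforced as a gate in an accounts-payable workflow instead of being left to individual judgement. The sketch below is an added example, not part of the judgment or of any ITLawCo tooling; the vendor record, field names, domains, account numbers and phone number are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class VendorRecord:            # hypothetical vendor-master entry
    name: str
    email_domain: str          # domain verified at onboarding
    bank_account: str          # account verified at onboarding
    callback_phone: str        # number on file, never taken from the email

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_payment_request(vendor, sender, account, subjects):
    """Return (decision, flags) for a payment instruction received by email."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    known = vendor.email_domain.lower()
    if domain != known:
        d = edit_distance(domain, known)
        flags.append("lookalike_domain" if d <= 2 else "unknown_domain")
    if account.replace(" ", "") != vendor.bank_account.replace(" ", ""):
        flags.append("bank_details_changed")
    pop = sum("proof of payment" in s.lower() for s in subjects)
    if pop >= 2:
        flags.append("repeated_proof_of_payment_requests")
    # Any change of bank details is held until confirmed by phone, even from
    # the exact domain on file: a compromised mailbox passes the domain check.
    if "bank_details_changed" in flags or "lookalike_domain" in flags:
        return f"HOLD: call {vendor.callback_phone} on file", flags
    return ("REVIEW" if flags else "PAY"), flags

# Constructed sample data (not taken from the judgment).
VENDOR = VendorRecord("Example Valves", "example-valves.test",
                      "0000000001", "+27 00 000 0000")
SPOOFED = review_payment_request(
    VENDOR, "md@example-valvs.test", "0000000002",
    ["Updated banking details", "Proof of payment?", "RE: proof of payment"])
GENUINE = review_payment_request(
    VENDOR, "accounts@example-valves.test", "0000000001", ["Invoice"])
```

The hold decision points staff to the phone number recorded at onboarding, since contact details supplied in the message requesting the change are controlled by whoever sent it.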

For ITLawCo, this case offers a powerful example to showcase the importance of digital vigilance and the preventative role of legal guidance in an age of escalating cyber threats. This is a reminder for businesses that, while innovation and technology continue to evolve, so too must their risk management and cybersecurity practices. For more insights, contact us today.

Read the case

Gripper & Company (Pty) Ltd v Ganedhi Trading Enterprises CC [2024] ZAWCHC 352