“An ounce of prevention is worth a pound of cure.” (Benjamin Franklin’s warning to fire-threatened Philadelphians in 1736)
Cases of Business Email Compromise (BEC) fraud continue to surge, and recent High Court decisions have confirmed that it’s up to you to verify that you are paying into the correct bank account.
How does BEC work and who is at risk?
BEC fraud involves cybercriminals impersonating your trusted contacts (e.g. suppliers and professional advisors) in fraudulent emails that look genuine. The idea is to trick you into making payment into the scammer’s account.
Everyone’s at risk, but BEC is particularly rife in transactions where large amounts of money are in play. Favourite targets are commercial operations and their customers, as well as all role-players in property sales – buyers, sellers, conveyancers and estate agents.
How do these scams work? For a snapshot of a classic BEC sting, have a look at this recent High Court case…
“But I paid you the R890k!”
Two Cape Town companies, which had been trading happily and successfully with each other for seven years, fell out over who should bear a loss of R886,726.25 after scammers stole the customer’s payment for a consignment of valves. Here’s how it went down:
- The customer had always made payments to the supplier’s Standard Bank account in the past. So far, so good.
- But then, enter stage left, our villain: Joe Scammer. Joe intercepts the supplier’s email correspondence and, pretending to be the supplier’s managing director, asks the customer to make all payments to an Absa bank account from now on.
- The customer asks for a bank confirmation letter, which Joe (still in his guise as MD) gladly supplies.
- Reassured, the customer makes payment to the Absa account. The fraud is only discovered when, three days later, the supplier emails asking for payment.
- Joe is of course now long gone with his loot, leaving customer and supplier to fight it out over who must bear the loss.
Blaming the supplier won’t work – you must “seek out” your creditor
The customer, sued by the supplier for the outstanding amount, contended that the blame lay with the supplier, whose own negligence in failing to secure its IT systems against email interception caused the fraud.
That’s a defence often raised by BEC victims, and indeed our courts have stressed in the past the need for suppliers and professionals to ensure that their own computer systems are properly secured at all times. But it cut no ice in this case.
Rather, said the Court (emphasis supplied), “it is the debtor’s obligation to ‘seek out his creditor’ and … until payment is duly effected, the debtor carries the risk that the payment may be misappropriated or mislaid.”
The real cause of the loss in this case, held the Court, was not any hacking of the supplier’s emails (if there was in fact a hack – the supplier denied it), but the customer’s failure to take the steps that a “prudent debtor” would have taken to ensure that it was paying into the correct account.
Our unfortunate customer must now pay the supplier, plus a raft of legal costs to boot.
Pick up the phone!
Our courts will have no sympathy for you if you fall victim by not protecting yourself. A factor that counted against our customer here was (emphasis supplied): “the fact, known to any persons in business and making use of computer-based methods of communication and payment, that cyber crime is rampant and that care must be taken at all times to limit its impact.”
The good news is that a few simple preventative measures can provide everyone involved with a strong layer of protection:
- Put in place strong policies and procedures to ensure that your IT systems and emails are secured against breach and interception.
- You, and all of your staff, must remain constantly vigilant against the techniques which the scammers use. They are particularly adept at exploiting trust-based and long-standing relationships, for instance with suppliers you have dealt with for years, and with professionals like attorneys, accountants and financial advisors.
- Most importantly, perhaps, given the current attitude of our courts: always verify payment details by contacting your creditor through another communication system. As our courts have pointed out, “a simple telephone call” can be enough to avoid falling victim to fraud.
If you need help reviewing your fraud prevention and payment verification procedures, please feel free to contact us.
Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us for specific and detailed advice.
© LawDotNews