Who is held responsible for payments lost due to cybercrime?

This is exactly what happened in Fourie v Van der Spuy and De Jongh Inc. and others. The First Respondent was a law firm and the Second and Third Respondents were practising Attorneys. The Applicant claimed payment of R1 744 599.45 from the Respondents. The First Respondent had a mandate to deal with money paid into Trust by the Applicant. The Second Respondent, upon receiving instructions to make payments via email, paid the money into a banking account belonging to an unknown third party who fraudulently hacked the email server of the Applicant and sent emails to the First Respondent containing the wrong instructions and the wrong banking details.  

The Court held that the nature of a trust account imposes very strict obligations on the Trust Attorney and a very high degree of care and skill is required from Attorneys dealing with a client’s Trust account.  The Attorneys could have easily avoided the situation if they acted diligently and verified the banking details before transferring money out of the Trust account. The Court held that they failed to act with the required skill and diligence and were therefore held liable to pay the Applicant.  

In another matter, a sales agreement was concluded between the Respondent and a car Dealership. The Respondent transferred the funds for a motor vehicle into a fraudulent account and sent proof of payment to the Dealership. He collected the vehicle soon thereafter. Neither the Applicant nor the Dealership checked that the proof of payment reflected the correct bank account number. The mistake was discovered when the funds did not reflect in the Dealership’s bank account.  

The Respondent raised the defence of estoppel. He held that the Dealership’s normal procedure was to release the motor vehicle after receipt of money and not just receipt of the proof of payment. He further held that the Dealership was negligent in that they failed to check that the proof of payment contained the correct banking details, which resulted in a delay that would otherwise have been flagged by the bank and the transaction blocked. Again, the Court decided in favour of the Dealership and held that a Debtor (The Respondent in this case) always bears the duty and risk when payment is due to the creditor.  

The new Cybercrimes Act (the Act) might bring some relief to the parties involved. The Act aims to criminalise unlawful access, use and distribution of data and data messages. It will also regulate the power to investigate and adjudicate cybercrimes. Section 8 in particular relates to the above-mentioned cases, where it aims to create statutory offences of Unlawful Access (hacking) and Cyber Fraud. It reads:  

“Any person who unlawfully and with the intention to defraud makes a misrepresentation by means of a data or computer program or interference with a data or computer program is guilty of an offence.”  

 A fine and/or imprisonment of up to 5 years for a conviction of Unlawful Access is possible, and for “Cyber Fraud” the Courts have the discretion to impose a penalty appropriate for convictions under S 276 of the Criminal Procedure Act 51 of 1977.  

From the above cases and the many others not mentioned in this article, it is clear that the courts will not be in favour of a party that was deemed to be negligent. It is of paramount importance, when dealing with invoices and payments from an online source, to be vigilant and always have checks in place to reduce the chances of being a victim of cybercrime.  

This article is a general information sheet and should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)