In a September 2024 judgment concerning a business email compromise (BEC) incident affecting the sale of a motor vehicle, the claimant sought a court order to compel the motor dealer to release the vehicle they had purchased. The dispute arose after the deposit for the vehicle was paid into a fraudulent account due to a cyberattack. The court highlighted some key considerations that parties must take into account when transacting with one another.
The court had to determine four issues:
- Whether the claimant confirmed the banking details before making the deposit.
- Whether the motor dealer conducted a due diligence investigation to determine if their systems were compromised.
- Whether the dealer was liable for the misdirected deposit.
- Whether the claimant was entitled to an interim interdict for release of the vehicle.
The court found that the claimant did confirm the banking details with the dealer’s personnel before making the deposit. The dealer failed to provide evidence of a credible due diligence investigation into their own systems or personnel to determine if there was a compromise on their side.
The court emphasised the critical role of expert evidence in cases involving cybercrime. The forensic investigation conducted by the claimant’s expert revealed that the email compromise likely occurred on the side of the dealer. The expert’s report detailed the methodology used to trace the origin and path of the suspicious emails, highlighting discrepancies in email headers and authentication protocols. The court noted that expert opinion is crucial in determining where the compromise occurred, especially in the absence of direct evidence from the dealer. The court concluded that the email compromise probably occurred on the side of the dealer.
The court highlighted the legal duty of the dealer to conduct due diligence in verifying the receipt of the deposit. The dealer’s lack of timely action to detect the missing deposit and their inadequate investigation into the cyberattack were criticised. The court found that the dealer’s systems were susceptible to cyber interception and that they had not taken sufficient steps to protect against such risks.
The court proceeded to examine the contractual obligations between the parties, particularly the standard terms and conditions that stipulated that ownership of the vehicle would remain with the dealer until full payment was made. The court found that the claimant had a clear right to possess the vehicle, as they had paid the deposit and the financier had settled the balance.
Despite the above, the claimant’s request for an interim interdict was dismissed. The court found that an interdict was not the appropriate means to resolve the issue of liability for the rerouted deposit.
Organizations must implement robust cybersecurity measures to protect against email compromises and other cyber threats. The onus is on both transacting parties to conduct thorough due diligence to verify banking details and ensure their systems are secure against cyber threats especially for cash payments.
Movienet Networks (Pty) Ltd and Another v Motus Ford Culemborg and Others (13781/2024) [2024]