In November the Western Cape High Court found, on the evidence, that the person who had paid money into the wrong bank account because of responding to a false email bore the loss of R866,726.25. The judgment is based on the law that the debtor bears the risk in making a payment to ensure that the payment reaches the creditor.
A crooked third party was able to intercept or gain access to the email correspondence between the debtor and the creditor on a purchase and sale agreement and, more particularly, the emails that pertained to the extended payment arrangement. The initial email calling for a change of the banking details came from the correct email address max@gripper.co.za. The email giving the new bank account details came from max@griper.co.za. The debtor alleged that their own IT system had not been compromised and therefore it must have been the creditor’s IT system that was compromised.
The court found that the debtor had to pay for a second time, this time to the correct creditor, because:
- It is known to any persons in business and making use of computer-based methods of communication and payment, that cybercrime is rampant and that care must be taken at all times to limit its impact. The debtor must have been aware of this.
- The parties had been doing business for seven years with payments routinely made into the same Standard Bank account.
- The amount of the invoice was significant, so much so that it gave rise to a bespoke payment agreement as opposed to the usual cash on delivery.
- The first fraudulent email referred to a need to “update our Absa banking details with you,” suggesting that the creditor had already provided Absa banking details whereas the debtor had only ever paid into a Standard Bank account.
- The debtor started getting emails requesting proof of payment over a ten day period when the payment when not yet due under the payment arrangement. The inference is that the fraudster was putting on sustained pressure to pay what was not yet due, which should have raised some concerns given what seems to have been a co-operative business arrangement.
- On examination, the emails came from different email addresses and griper.co.za was clearly false.
The court held that the debtor had failed to take the sort of steps that a prudent debtor would have taken to ensure that its payment was effected properly. It was this failure, rather than anything the creditor did, that was the proximate cause of the payment being made to the wrong account.
This case was decided on its particular facts but it gives a good indication of the kind of vigilance that anyone paying a debt consequent on electronic communications should exercise.