Protect against Business Email Compromise – or it may cost you dearly

Don’t let your business be punished for, and by, cyber fraud

As the business landscape rapidly evolves, a general awareness of security vulnerabilities is no longer enough. Cyber fraud, data and payment breach risks need to be managed urgently and strategically with the right tools, says Ryan Mer, CEO at eftsure Africa, an automated Know Your Payee™ (KYP) platform provider.  

South African companies are facing a surge in Business Email Compromise (BEC) and other cyberattacks, exposing gaps in organisations’ payment systems with serious financial, reputational, and legal consequences. In January 2023, leading South African law firm Edward Nathan Sonnenbergs (ENS) was ordered by the High Court in Johannesburg to pay R5.5 million including interest to a property buyer, Mrs. Judith Hawarden.

Evidence in the trial showed that ENS attached a PDF letter containing its bank account details to an email addressed to Hawarden. However, the email was intercepted by criminals and the bank details were changed before it reached Hawarden. Hawarden then paid R5.5 million into what she believed to be ENS’s bank account, which was in fact a separate account controlled by the criminals.

Mark Heyink, an attorney at Michalsons, who provided expert evidence at the trial, explains: “The basis of the court’s judgement is that ENS owed a general duty of care to Hawarden. ENS was aware of the risk of Business Email Compromise and was in the best position to prevent the loss. The court found ENS information security was deficient and its staff poorly trained. ENS relied on the defence that the use of email and PDFs was a common practice by conveyancers; however, the court found that this did not excuse ENS from its duty of care to Hawarden.”

Conveyancing firms, their clients, and other organisations handling many large non-recurring type transactions are particularly vulnerable to BEC fraud. “All too aware of large deposits made to and from conveyancing firms, criminals target and intercept email accounts and scam victims into making payments into the incorrect account,” says Mer.  

Mer adds that, with strong case precedent for South African firms being held liable for payments that do not reach the intended account as a result of fraudulent interference, organisations need to handle email correspondence containing bank details and personal information with care. “Most threats can be avoided with the correct operational and financial controls as well as server, IT, and email monitoring processes. It’s important to acknowledge the fact that employee email accounts are gateways to sensitive information and attacks, and organisations should therefore enforce policies restricting what information can be kept in email inboxes prior to secure archiving. To help minimise the risk of BEC attacks, firms should re-evaluate their manual email-based processes and consider software solutions to digitise, automate and safeguard these processes, as well as the financial controls in place when it comes to payments, by considering the use of independent real-time verification systems that cross-reference payments an organisation is about to release with independently verified bank account details,” he says.
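The control Mer describes, cross-referencing a payment about to be released against bank details that were verified independently of the email that carried them, is the kind of check that would have stopped the Hawarden payment. The following is an added illustration written for this article, not eftsure’s Know Your Payee platform or any code from ENS; the data model, the sample register, the payment batch and the 365-day re-verification window are all assumptions constructed for the example. A payment is released only when the payee is on the register, its bank details match the verified record exactly after normalisation, and the verification is recent; anything else is held for out-of-band confirmation.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BankDetails:
    bank: str
    branch_code: str
    account_number: str

    def normalised(self):
        # Strip spaces and hyphens so cosmetic formatting never masks a real change.
        return (
            self.bank.strip().lower(),
            self.branch_code.replace(" ", ""),
            self.account_number.replace(" ", "").replace("-", ""),
        )


@dataclass(frozen=True)
class VerifiedPayee:
    name: str
    details: BankDetails
    verified_on: date
    verified_via: str  # how the details were confirmed, independent of email


@dataclass(frozen=True)
class PendingPayment:
    payee_name: str
    details: BankDetails  # details as captured from the instruction (e.g. an emailed PDF)
    amount_zar: float
    source: str


def _name_key(name):
    return " ".join(name.split()).lower()


def build_register(payees):
    """Index verified payees by normalised name (hypothetical helper)."""
    return {_name_key(p.name): p for p in payees}


def check_payment(payment, register, today, max_age_days=365):
    """Return (decision, reason) for a single payment about to be released."""
    payee = register.get(_name_key(payment.payee_name))
    if payee is None:
        return ("HOLD", "payee not on verified register; confirm details out of band")
    if payee.details.normalised() != payment.details.normalised():
        # This is the BEC signature: the instruction's details differ from the verified record.
        return ("HOLD", "bank details differ from independently verified record")
    if today - payee.verified_on > timedelta(days=max_age_days):
        return ("HOLD", "verification older than %d days; re-verify" % max_age_days)
    return ("RELEASE", "details match verified record")


def screen_batch(payments, register, today):
    """Screen every payment in a batch; returns [(payee, decision, reason), ...]."""
    return [(p.payee_name, *check_payment(p, register, today)) for p in payments]


# Constructed sample data: one verified conveyancer trust account and one stale record.
REGISTER = build_register([
    VerifiedPayee("Example Attorneys Trust Account",
                  BankDetails("Example Bank", "250655", "1234567890"),
                  date(2023, 3, 1), "call-back to number on signed mandate"),
    VerifiedPayee("Old Supplier CC",
                  BankDetails("Example Bank", "250655", "5555555555"),
                  date(2021, 1, 15), "call-back to number on signed mandate"),
])

# Constructed batch: a genuine instruction, one with swapped account details from an
# intercepted email, an unknown payee, and a payee whose verification has lapsed.
BATCH = [
    PendingPayment("Example Attorneys Trust Account",
                   BankDetails("Example Bank", "250655", "1234 567 890"), 5_500_000.00, "signed mandate"),
    PendingPayment("Example Attorneys Trust Account",
                   BankDetails("Example Bank", "250655", "9876543210"), 5_500_000.00, "emailed PDF"),
    PendingPayment("Unknown Vendor (Pty) Ltd",
                   BankDetails("Example Bank", "250655", "1111111111"), 42_000.00, "emailed PDF"),
    PendingPayment("Old Supplier CC",
                   BankDetails("Example Bank", "250655", "5555555555"), 12_000.00, "signed mandate"),
]

if __name__ == "__main__":
    for payee, decision, reason in screen_batch(BATCH, REGISTER, date(2023, 6, 1)):
        print(f"{decision:7} {payee}: {reason}")
```

The decisive case is the second payment: the payee name, bank and branch code are all correct and only the account number has changed, exactly what an intercepted and altered PDF produces, and the check holds it because the comparison is against the register rather than against the email. The register itself must be populated only through a channel the attacker cannot influence (a call-back to a number on a signed mandate, a bank-confirmed account check), otherwise the control just re-validates the forged details.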

Business Email Compromise is a significant threat to any organisation and its clients. In circumstances where organisations are unable to meet their financial obligations as a result of a BEC attack, third parties may seek compensation for disrupted business operations and other losses. Heyink says that the Protection of Personal Information Act requires businesses to safeguard personal information appropriately. “While the ENS case relates to a conveyancing transaction, the principle applies to all businesses. If a business processes or communicates personal or sensitive business information, it must safeguard the information appropriately,” notes Heyink.