“…sending bank details by email is inherently dangerous.” (Extract from court judgment)
Before you make any payment to a supplier’s bank account on the basis of an emailed invoice, check that the bank account details in the invoice are genuine.
If your supplier’s or your own email system has been hacked, the invoice details could easily be fraudulent. And no one wants to transfer funds to a scammer’s bank account.
Property transactions are by no means the only targets
Let’s take a topical example… You decide to install a high-value inverter, courtesy of Eskom’s “no end in sight” load-shedding. “Speedy Sparkies Inverter Systems” email you a quote for R145,000. You accept. Back comes an emailed invoice from [email protected] asking you to pay R100,000 upfront to cover materials. You transfer R100k to the bank account on the invoice and ask when they will install. The friendly return email reads “Thanks for the payment, we’ll fit you in next week Thursday. Best, Fred”.
Thursday rolls around but no Fred. After some heated back-and-forth it transpires that you’ve been scammed. Denial, anger, acceptance, then off to the bank to ask for help and off to SAPS to lay charges. Fred, your bank and the police are all sympathetic but not hopeful of recovery. So what happened?
How did you just lose R100k?
Using phishing tactics, the scammers hacked into Speedy’s email system and waited for a high value contract to pop up. They pounced, intercepting the email to you and changing only the return email address (by inserting a hyphen) and the bank account details.
You suspected nothing – the look and feel of the email and invoice were totally genuine, the wording of the mails was Fred’s, and the change to the email address was so subtle you didn’t notice it.
Who takes the loss? Who pays for your inverter now? Can you sue?
You blame Speedy for allowing their system to be hacked. You accuse them of negligence and of failing in their duty to keep your data safe in compliance with POPIA (the Protection of Personal Information Act). But Speedy deny fault and say it’s your mistake for not noticing the falsified email address and for not phoning Fred to check the bank account details. Speedy’s insurers confirm they have no cover for this sort of fraud.
Do you have a legal claim against the business? There’s no cut-and-dried answer to that, as case law outcomes to date have tended to vary with each particular set of facts. Judgments do often stipulate, however, that anyone making a payment to someone else is required to check that they are paying into the correct account.
As a customer, it’s probably safest to work on the basis that you could very well be held responsible and will almost certainly have to prove (at the very least) negligence on the part of the business in order to stand a chance of establishing any claim against it.
Prevention is always better than cure
As is always the case, it’s much easier and less stressful to prevent this kind of thing from happening in the first place. Follow these four tips to avoid calamity…
- Take the same strong anti-hacking measures. Never pay anything without checking bank details direct with the business, either in person or telephonically (don’t use the phone numbers on the emails or invoices, they could easily have been faked as well).
- Check email addresses carefully – make sure the return address is the same as the sender’s address, watch for subtle changes like ‘.co.za’ becoming ‘.com’ or vice-versa, and remember that every hyphen, every letter and every number in the email address counts.
- Use bank-defined beneficiaries for online banking where possible.
- Be very suspicious of any “we’ve changed our banking details” communications
Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.