Conveyancing attorneys are becoming increasingly popular targets for cyber criminals both because of the attractively large sums of money involved in property transactions, and the trending increase in the use of electronic communications exchanged between client and attorneys in carrying out and completing certain sensitive transactions.
The recent High Court case of Fourie v Van der Spuy and De Jongh Inc. demonstrates that cybercrime is fast becoming a threat to legal professionals, and a threat that should not be ignored or underestimated.
In the above mentioned case Fourie used a law firm, Van der Spuy and De Jongh Inc. as his appointed conveyancers in a property transaction. In doing so, Fourie instructed the firm to hold approximately four million rand in an investment account on his behalf.
An attorney of the firm records that she received an email purportedly from Fourie’s email address wherein he provided the firm with new banking details, and thereafter requested the transfer of certain sums of money into this new account. The attorney actioned these requests.
It later transpired during a telephonic conversation between the conveyancing attorney and Fourie that he had never supplied new banking details and that he had never requested the transfer of the funds. Of course, by the time the attorney realised that Fourie’s emails had been hacked the firm had already made payment to the unknown hacker and the money had disappeared.
The issue to be decided by the High Court was which party, the attorney or Fourie, should take the knock in relation to the loss suffered.
The attorney contended that they were not negligent as it was Fourie’s email account that was hacked and not theirs.
The Court found that the attorney was negligent in that she failed to exercise the requisite skill, knowledge and diligence expected of an average practicing attorney, and thus failed to discharge the fiduciary duty owed to Fourie when transacting via email, whilst being fully aware of the fact that fraud is prevalent in the legal profession.
The court went on to state that the fraud simply would not have occurred if the attorney had verified the banking details that were supplied. In such situation’s firms should never accept any purported changes to their client’s banking details without confirming it directly with the client. Ultimately as no verification processes were followed the firm was held liable for their client’s loss, together with interest and costs.
This judgement makes it abundantly clear that the Courts are not sympathetic to practitioners who have not taken adequate risk management steps to guard against the risks of cybercrime.
Furthermore, for purposes of the negligence test it is irrelevant whose email account is hacked. In this matter the attorney was an innocent victim as the client's email account was hacked but the court still held that the attorney was negligent, in that reasonable precautions were not taken to avoid the cybercrime. We would strongly advise practitioners to have uniform and formal internal policies in place to verify any change of bank account details. A good precautionary measure may for example be to phone the client, make a note of the conversation and to confirm the telephonic conversation in an email.
It must also be noted that the Legal Practitioners Insurance Indemnity Fund (LPIIF) does not cover damages arising from cybercrime as it is excluded in terms of an exclusion clause. We advise practitioners and brokers to carefully check their top-up policies in order to ensure that there is sufficient cover for damages arising from cybercrime.
Cyber related risks are on the increase as online criminals are becoming more and more sophisticated in the way scams are engineered and carried out. It is imperative that professionals, not just legal professionals, adopt robust pre-emptive measures to counteract the schemes of cyber criminals.