A recent court case highlights the minefield facing those targeted by criminals who make a point of intercepting the transfer of funds between purchasers and the businesses representing them, writes Michele van Eck. In this case, a law firm paid dearly when emails between it and a purchaser were intercepted by fraudsters – and the buyer’s funds, intended to pay for the property, were stolen.
Buying property is a big deal.
Not only does it cost a lot of money to buy a property, but the process is expensive, complicated (even a little daunting for the first-time property buyer) and needs an attorney to help with the transfer and registration of the property.
This, together with the increased use of digital platforms, has made buying property the ideal hunting ground for scammers, fraudsters and degenerate criminal activities.
Recently, the high court highlighted in Hawarden v Edward Nathan Sonnenbergs that both buyers and attorneys are at risk of ‘business email compromise’ (BEC) scams, fraud and cyber risks in property transactions.
However, in a major plot twist, the court held that the law firm (which was appointed for the transfer and registration of the property) was also responsible for damages the buyer suffered as a result of third-party BEC fraud in which the buyer was scammed out of millions of rands.
Hawarden (the buyer of the property) had, on 23 May 2019, signed a written offer to purchase the property and paid a deposit to the estate agent, with the agreement that a bank loan would secure the remainder of the purchase price.
As the buyer, Hawarden was not a client of the law firm, but Hawarden and the law firm did interact on several occasions to arrange for the payment of the remainder of the purchase
For example, on 21 August 2019, the law firm contacted Hawarden advising that they required two guarantees to be paid into different bank accounts. On another occasion, after a phone call with the law firm’s secretary, Hawarden received another email confirming the banking details of the account into which payment was to be made.
Unbeknown to the parties at the time, fraudsters had intercepted these emails and had altered the account details. Needless to say, the outstanding purchase price was paid into the incorrect account, and by the time the fraud was discovered, the money had already been withdrawn.
So who bears the risk of the lost money in this scenario? The law firm argued that the loss and risk were the responsibility of Hawarden. After all, they maintained that Hawarden should have confirmed the banking details of the law firm before transferring the
Also, they said that Hawarden should have been aware of these cyber-related risks as a BEC warning had been included in the 23 May 2019 correspondence from the estate agent, and her bank had provided several general warnings regarding the risk of cybercrime and
On the other hand, Hawarden argued that the risk and loss sat with the law firm whose email accounts had been compromised. She maintained that nothing in the intercepted emails indicated something was wrong, and she was unaware of the higher risk associated with such direct money transfers as she argued that the law firm did not inform her of these risks.
Ultimately, Hawarden said that she had trusted the law firm and assumed that the law firm would take care of everything unsafe for her in the property transaction.
Despite Hawarden not being a client, the court found that the law firm had a duty of care towards her, which started the moment the law firm agreed to act as a conveyancer in the
The rationale was that Hawarden had been placed in the law firm’s care for the property transfer and registration. Also, as email correspondence is particularly risky (especially in high-stakes transactions), the court found that the law firm had chosen to communicate its banking details in an insecure manner by using emails and not using other protective communication measures (such as multi-factor
The court believed that the law firm had a duty to warn Hawarden of the risks and that the law firm was in the best position to protect against BEC-related risks.
It is not the first time that cybercriminals have targeted law firms and property buyers; it certainly will not be the last. Business email compromise is quite common in these types of property transactions and, as the name suggests, this type of criminal activity creates the impression that a spoofed email is legitimate, which tricks a person into giving up either sensitive information or money.
There are ways to mitigate the risk of these types of fraud, such as using secure portals and two-factor authentication. However, even this still requires the vigilance of users to appreciate the dangers and risks associated with high-stakes transactions and the possible shortcomings of such protective tools.
Apart from the technology behind BEC, the preventative tools available and the possible consequence of this judgement for law firms and attorneys, there will also be an indirect impact on property buyers.
In the wake of this judgement, we can expect a significant increase in disclaimer notices from attorneys (which may include exemption clauses, indemnities and waivers). Although disclaimer notices are not necessarily a bad thing (as they highlight risks), they will have far-reaching consequences for property buyers. Disclaimer notices generally have several functions.
The first is to highlight that there is a risk or a possibility of damage or loss occurring. The second is to shift the risk from one person (in this case the law firm) to the recipient (being the property buyer), which rolls into the third function.
Once the risk is shifted, the liability for the loss or damage is transferred to the property buyer. Depending on the wording of the disclaimer, the risk will generally shift to the property buyer, making the property buyer responsible for any damages or loss.
Despite the far-reaching consequences of disclaimers, many individuals tend to ignore disclaimer notices, which is often to their detriment.
Knowledge is the best defence against cyber-related risks. Disclaimers may function as a tool to bring such knowledge to a property buyer’s attention.
However, to adapt the words of Uncle Ben in the movie Spider-Man, with great knowledge comes great responsibility. Disclaimers may provide the necessary knowledge to property buyers about BEC and other cyber-related risks, but that means that property buyers are then expected to take responsibility for those risks and associated loss and damage.
Therefore, receiving a disclaimer notice is serious business and should not be ignored, especially in the digital world we live in. Reading and taking such disclaimers seriously is one of the tools to avoid becoming a victim of fraud in property transactions.
Professor Michele van Eck is an associate professor and head of the Department of Private Law at the University of Johannesburg. She writes in her personal capacity.
News24 encourages freedom of speech and the expression of diverse views. The views of columnists published on News24 are therefore their own and do not necessarily represent the views of News24.