Protecting yourself against business email compromise

Daniel Puchert

After her email account was compromised, Hawarden had incorrectly paid the amount into what she believed to be ENS’s bank account.

She initially won a case against the law firm in the Gauteng High Court in Johannesburg in 2023, which found that ENS had a legal duty of care to its clients.

I don't understand the logic of how the law firm had a legal duty of care to her hacked account.
The law firm hacked her account?
 
I don't understand the logic of how the law firm had a legal duty of care to her hacked account.
The law firm hacked her account?
I wonder the same thing. How is it the service provider's responsibility to secure their customer's email account?

I can understand that if you are making payments via credit card/debit card or debit order, the service provider is held accountable for any leaks of customer data.
 
I wonder the same thing. How is it the service provider's responsibility to secure their customer's email account?

I can understand that if you are making payments via credit card/debit card or debit order, the service provider is held accountable for any leaks of customer data.

Exactly, I really don't understand how those stupid people can be the "judges" of South Africa.

RIP.
 
I wonder the same thing. How is it the service provider's responsibility to secure their customer's email account?

I can understand that if you are making payments via credit card/debit card or debit order, the service provider is held accountable for any leaks of customer data.
I don't think the duty of care was to her email account, but rather to the transaction. If as a law firm you're aware that there are email-related fraud cases around transfers, you could enhance your process and make sure you don't just rely on email. I'd expect them to provide clients with written, physical proof of banking details.

The client was ultimately at fault here for not better securing their email, but clients generally perform one such transaction whereas a legal firm handles hundreds or thousands per year. There is scope for legal firms to improve upon the security of the property transfer process.
 
I don't think the duty of care was to her email account, but rather to the transaction. If as a law firm you're aware that there are email-related fraud cases around transfers, you could enhance your process and make sure you don't just rely on email. I'd expect them to provide clients with written, physical proof of banking details.

The client was ultimately at fault here for not better securing their email, but clients generally perform one such transaction whereas a legal firm handles hundreds or thousands per year. There is scope for legal firms to improve upon the security of the property transfer process.
Well argued! I agree that that is a reasonable expectation of a firm undertaking such large volumes of transactions such as these. Could be an interesting product offering from banks if they caught a wake up but oh well.

Ultimately though they can't be held liable in such cases else everything would fall apart.
 
I know of a front end dev who would pay R5,5 million for a parcel he didn’t order.
 
This is why when I purchased my home, I confirmed in person the bank details before making the transfer.
Who blindly transfers 5.5 million off of an email, no matter how secure? Mine was chump change compared and I still put the proper effort in.
 
This is why when I purchased my home, I confirmed in person the bank details before making the transfer.
Who blindly transfers 5.5 million off of an email, no matter how secure? Mine was chump change compared and I still put the proper effort in.
Same here, I went to the conveyancer's offices and got them to provide me with printed, written bank account details and proof of account from the bank. That's what I used when making the transfer.
 
Last house I bought the conveyancer had registered as a preloaded beneficiary with the bank. No need to enter account numbers. If a conveyancer does not take this precaution these days one wonders if they might be seen as not having taken sufficient precautions.
 
The problem is that this kind of fraud is more prevalent than one might think. I've heard of similar cases before, but they didn't make it to the media.

The modus operandi is quite simple:
  1. Gain access to a lot of email accounts
  2. Set up rules to forward emails containing "invoice" and similar keywords to an account for monitoring
  3. Once a large enough invoice is found, delete the original, register a fake domain and email an altered invoice
  4. Withdraw or launder the money
Simple measures like the email provider requiring 2FA (esp. for new devices) and not re-using passwords would make this so much more difficult. Likewise, companies can confirm banking details via WhatsApp or SMS for new clients.

Lastly, if fraudsters can so easily open and empty bank accounts, one would wonder what the heck FICA helps for...
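Step 2 of the modus operandi above (silent forwarding rules keyed on "invoice") is something a mailbox owner or administrator can audit for. The following is an added example, not code from the thread or from any mail provider: it takes mailbox rules in a simple dict layout (an assumption for this example, not a real provider's export format), over constructed sample rules, and flags the combination of external forwarding, payment keywords and deletion of the original.

```python
from typing import Dict, List

INTERNAL_DOMAIN = "example.co.za"  # constructed: the mailbox owner's own domain
PAYMENT_KEYWORDS = {"invoice", "payment", "bank", "account", "transfer", "proof of payment"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rule(rule: Dict) -> List[str]:
    """Return the reasons one mailbox rule resembles BEC tooling; empty list if it looks benign."""
    reasons: List[str] = []
    external = [a for a in rule.get("forward_to", []) if _domain(a) != INTERNAL_DOMAIN]
    hits = [k for k in rule.get("contains", []) if k.lower() in PAYMENT_KEYWORDS]
    if not external:
        return reasons  # forwarding inside the organisation is routine; nothing to raise here
    reasons.append("forwards to external address(es): " + ", ".join(external))
    if hits:
        reasons.append("selects payment-related mail: " + ", ".join(hits))
    if rule.get("delete_message"):
        reasons.append("deletes the original so the owner never sees it")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("near-empty rule name, a common attempt to stay unnoticed in the rule list")
    return reasons


def audit_rules(rules: List[Dict]) -> Dict[str, List[str]]:
    """Map each suspicious rule's name to its reasons; clean rules are omitted."""
    return {r.get("name", ""): reasons for r in rules if (reasons := audit_rule(r))}


SAMPLE_RULES = [  # constructed sample data, not taken from any real mailbox
    {"name": "Team updates", "contains": ["weekly report"],
     "forward_to": ["manager@example.co.za"], "delete_message": False},
    {"name": ".", "contains": ["invoice", "transfer"],
     "forward_to": ["collector@mail-drop.example"], "delete_message": True},
    {"name": "Newsletter cleanup", "contains": ["unsubscribe"],
     "forward_to": [], "delete_message": True},
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Only the second constructed rule is reported; an internal forward and a local-only cleanup rule are left alone, which keeps the output short enough to act on.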
 
Tip when paying a new recipient a large amount:
  1. Set up the recipient.
  2. Pay a token amount, e.g. R1.23
  3. Confirm via a verified telephone number that the recipient received your payment.
  4. Ask the recipient to confirm the amount - check that the response matches your token.
  5. If (3) and (4) are confirmed, then proceed to pay the full amount.
On FNB (not sure about other banks) there is also an option to verify the owner of the recipient account.
The verification requires the company number and a few other details.
Make use of this verification for any major payments.
 