Paying by electronic funds transfer (EFT) is convenient for making payments without having to physically go to the bank or stand in long queues, but this convenience does not come without risks. Criminals are becoming experts at intercepting emails, inserting their own bank details and sending the email on so that it appears to come from the genuine sender and address. Once your money reaches these fraudulent accounts, it gets spirited away and you still owe the person, shop or supplier that was supposed to receive the funds in the first place.
According to SAPS, Phishing and Fraud Scams are methods of deceitfully obtaining personal information such as passwords, identity numbers and credit card details by calling, sending emails or cell phone messages that look like they come from trusted sources. In the case of Fourie v Van der Spuy and De Jongh Inc, the client put the money into the attorneys’ trust account, but due to a fraudulent email, the attorneys paid over R1,7 million into an account from which the money disappeared. Criminals target attorneys because they often have large amounts in their trust accounts, and they regularly make substantial payments to new payees.
On the other hand, in Galactic Auto (Pty) Ltd v Venter, a businessman bought a Ford Ranger that he urgently needed for a new business project. He did an EFT in response to an email that he received and was expecting from the car dealership. He took delivery of the Ford Ranger, and it later emerged that the transfer had gone into a fraudulent account. The dealership then claimed the R380,000 purchase price from him. In this case, the court found that he should have verified the account number before making the transfer and that he still owed the car dealer the money.
These two cases show that the risk of EFT fraud is real and that parties cannot merely accept bank details supplied by email, even if the email appears genuine and seems to come from the correct sender at the expected time. Precautions must be taken to verify the bank details before making the transfer. According to cyber expert Graham Croock, “It is not sufficient to rely on verification of bank account details only. While this is an added control and often relied on, the problem arises with identity theft where the details will test positive if checked against bank records.” He added that the most effective controls to prevent EFT fraud relate to awareness training of all staff and system access controls embedded in accounts payable software and bank software. Furthermore, he highlights that cyber risk management is imperative for all businesses, and particularly for law firms, which tend to rely on IT service providers for the implementation and management of cyber controls. He adds that change control procedures must pay specially focused attention to any system where bank details can be changed, and that it is here where access controls are critically important. Lastly, he emphasizes that patch management, endpoint protection and disabling of account defaults are key controls, which need constant monitoring and effectiveness assessment.
Some banks offer an Account Verification Service as part of their online banking, where the payee’s details and account number can be checked. But would these measures be enough to satisfy the court, especially for attorneys, who have a duty of care in safeguarding their clients’ funds in a trust account? The Attorneys Fidelity Fund has issued a risk alert to attorneys, warning that cyber risks were increasing and that attorneys must take adequate risk mitigation measures. The court found that the attorneys should have taken precautions and that they were liable, especially based on their duty of care towards the client.