Member Article

The question of who bears the loss suffered as a result of a business email compromise was answered by the Western Cape division of the High Court in the recent judgment ofGripper & Company (Pty) Ltd v Ganedhi Trading Enterprises CC.

Background Facts

Gripper & Company (Pty) Limited (“Gripper”) and Ganedhi Trading Enterprises CC (“Ganedhi”) have been dealing with each other since 2014. Throughout their dealings, Gripper received payments from Ganedhi in a specified Standard bank account. Gripper sold valves to Ganedhi for an amount of ZAR886 726.25 (“thesale price”). Gripper duly delivered the valves to Ganedhi in April 2021, and the parties agreed on a payment arrangement in terms of which Ganedhi was liable to make payment on 27 May 2021.

Before payment was made, a third party intercepted the email correspondence between Gripper and Ganedhi. The third-party, writing under the guise of Gripper’s managing director, advised Ganedhi that Gripper needs to update its “Absa banking details”, and all payments should be made into Gripper’s Absa bank account, as opposed to their Standard bank account. Ganedhi contended that on 24 May 2021, it requested a bank confirmation letter from the third party, who was still acting under the guise of Gripper’s managing director, which it received. Ganedhi then proceeded to make payment into the Absa account. The fraudulent conduct of the third party was only discovered three days later when Gripper sent an email to Ganedhi requesting payment.

Consequently, Gripper never received the payment, which resulted in Gripper instituting this application in which it claimed payment from Ganedhi.

Legal Principles

Ganedhi’s primary contention, based on the expert report it submitted, was that Gripper’s email system was hacked and therefore it was Gripper’s own negligence that allowed the fraud to be perpetrated. This contention was disputed by Gripper, who argued that there was no record of the alleged fraudulent email on its server. The court held that the expert report was not relevant.

The court relied quoted with approval the recent judgment ofMosselbaai Boeredienste(Pty) Limited v OKB Motors CCwhich recognised the general principle in our law that “until payment is duly effected, the debtor carries the risk that the payment may be misappropriated or mislaid”. InMosselbaai Boeredienstethe court held that:

“Central to the appellant’s case is that a person who sends an electronic mail is generally unaware of any fraudulent access to his or her electronic mail account and is unaware that the electronic mail which is received by the recipient has been intercepted, hacked and changed. The golden threat (sic – thread) in the judgments referred to supra places an obligation on the purchaser to ensure that the bank account details contained in the invoice is in fact correct/verified and that payment is made to the seller and not to an unknown third party. Failure to do so, and where payment is made into an incorrect bank account, such incorrect payment does not extinguish the purchaser’s obligation and liability to pay the debt”.

The court found that Ganedhi failed to take the steps that a prudent debtor would have taken to ensure that payment was effected properly. In this regard:

1. Any business person who makes use of electronic payment methods is aware that cybercrime is prevalent and that proper care must be exercised to limit its impact.
2. Payments have been made to the Standard bank account for seven years.
3. The first fraudulent email speaks about the need to “update” Gripper’s Absa banking details, thus suggesting that Gripper had already provided Ganedhi with the Absa banking details when this was not true.
4. Ganedhi started receiving emails requesting proof of payments between 13 and 24 May 2021, when payment was not yet due. This therefore should have raised concerns.
5. The emails appear to have come from a different email address (griper.co.za instead of gripper.co.za).

The court found that Ganedhi’s failure to take the steps that a prudent debtor would have taken was the proximate cause of the payment being made into the fraudulent account. Therefore, it was held that Ganedhi failed to put up a competent defence against Gripper’s claim and the court concluded that Gripper was entitled to the payment of the purchase price.

Conclusion

Debtors must take careful steps to verify new bank account details provided by a creditor, especially when received via email. This could be done by for example calling the CFO or Financial Manager of the creditor to verify the bank account details or by using the functionality on electronic banking to verify that the bank account details match the name of the creditor, or by transferring a nominal amount (for example ZAR1) and calling the creditor to check if it had been received. When calling the creditor, the debtor should avoid using the contact details stipulated on the email which records the new bank account details. Instead, they should utilise the details that appear in previous correspondence.

 

Aslam Moosajee

Executive Dispute Resolution

[email protected]

 

Shenaaz Munga

Executive Dispute Resolution

[email protected]

 

Olonathando Nxumalo

Candidate Legal Practitioner Dispute Resolution

[email protected]