Conveyancers: who is legally responsible for Business Email Compromise attacks?

Business Email Compromise (BEC) and cyberattacks are on the increase. Conveyancing firms, their clients, and other organisations effecting many large non-recurring type transactions are vulnerable to BEC fraud says Ryan Mer, Managing Director of eftsure Africa.

Mer says gaps in organisations’ payment systems not only pose massive financial and reputational risks, but they can have serious legal implications too.

According to a global survey conducted by Mimecast Cyber Security Services in 2020, six out of ten companies were infected with ransomware and there was a 64% increase in email threats. An Accenture report from May 2020 confirms South Africa had the third most cybercrime victims globally, resulting in losses topping R2.2 billion.

All too aware of deposits made to and from conveyancing firms, criminals target and intercept email accounts and scam victims into making payments into the incorrect account. While legislation like the Financial Intelligence Centre Act (FICA) and Protection of Personal Information Act (POPI) legally requires attorneys and estate agents to responsibly gather and scrutinise an individual’s information, Business Email Compromise remains a threat to any organisation and its clients.

In South Africa, there is a case precedence for firms being held liable for payments that did not reach the intended recipient; a situation that demands email correspondence containing bank details and personal information to be handled with caution.

In circumstances where organisations are unable to meet their financial obligations due to a BEC attack, third parties may seek compensation for disrupted business operations and other losses, particularly where a firm is found to be in breach of its duty to take adequate measures to mitigate the risks of BEC attacks. It is critical that attorneys and clients take additional care in verifying account details before making payments and they should be made immediately aware of sudden changes in email address and bank details.

Most threats can be avoided with the correct financial controls as well as server, IT, and email monitoring processes together with the following measures:

  • Be informed. Keep up to date with the latest scams and ensure your employees, colleagues and trading partners are aware of how they work in practice.
  • Review your company practices in relation to password and security controls. Never share passwords across multiple sites or permit weak password. 
  • Acknowledge the fact that employee email accounts are gateways to sensitive information and attacks and enforce policies restricting what information can be kept in email inboxes prior to secure archiving.
  • Re-evaluate your financial procedures for approving payment release.

Source: |

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.