The digital age has ushered in remarkable advances in communication, but with those advances comes a darker reality: cybercrime is now a persistent and evolving threat. As organisations become more reliant on digital tools, particularly email, cybercriminals have found increasingly sophisticated ways to exploit vulnerabilities, and no one is immune, not even law firms.
A Major Firm Caught in the Crosshairs
In a widely discussed case, Hawarden v Edward Nathan Sonnenbergs Inc (ENS), the Gauteng Division of the High Court of South Africa held ENS, a law firm, liable for R5.5 million in damages. The case stemmed from a classic instance of Business Email Compromise (BEC), where hackers manipulated email communication between a secretary at ENS and Ms. Hawarden, a property purchaser.
The fraudsters intercepted and modified emails containing ENS’s banking details, substituting their own account information. Believing she was paying ENS, Ms. Hawarden transferred the purchase funds, only to later discover they had landed in a criminal’s account. ENS denied responsibility, but the court disagreed.
Was ENS Legally at Fault?
On appeal, the Supreme Court of Appeal (SCA) explored whether ENS owed a legal duty to Ms. Hawarden, a party with whom they had no contractual relationship. The SCA emphasised that in claims for pure economic loss (loss not caused by physical harm), wrongfulness is not presumed. It must be specifically established based on legal policy considerations and the factual matrix of each case.
The Court underscored that Ms. Hawarden’s loss was primarily due to her email being compromised, not because ENS’s systems had failed. Furthermore, the absence of a direct contractual duty between the parties weighed heavily against imposing liability.
The Vulnerability Test and Its Consequences
A key question in the judgment was whether the plaintiff was “vulnerable” in a legal sense, that is, unable to reasonably protect herself from the harm. The court found that Ms. Hawarden had, in fact, confirmed banking details before making a smaller deposit earlier in the transaction and could have done so again for the R5.5 million transfer. The court concluded that she had the means to independently verify the bank details but failed to exercise that caution.
Lessons for Legal and Financial Institutions
This case serves as a stark warning to professionals handling sensitive transactions:
- Email alone is not secure. Cybercriminals often exploit email systems to insert themselves into trusted communications.
- Verification protocols are essential. Firms should implement mandatory call-back procedures for confirming bank details on large transactions.
- Clear disclaimers should be standard. Emails should include prominent warnings about the risks of BEC and urge recipients to independently verify payment instructions.
- Cybersecurity training is non-negotiable. Employees, especially those in finance and client-facing roles, must be well-versed in recognising phishing attempts and other social engineering tactics.
Shared Responsibility in the Digital Era
While firms must put robust safeguards in place, clients too bear a measure of responsibility. Verifying payment instructions is no longer merely a best practice; it is a legal safeguard. When it comes to large financial transfers, picking up the phone could make the difference between a successful transaction and a costly loss.