Caught in the cyber crosshairs: ENS v Hawarden

13th June 2024

The legal profession (and no doubt, all creditors who provide their bank details via email to a debtor) have been eagerly anticipating the appeal judgment of Edward Nathan Sonnenberg Inc (ENS) v Judith Hawarden.

A collective sigh of relief can be sensed following the judgment handed down by the Supreme Court of Appeal in which ENS's appeal was upheld with costs and the order of the Gauteng High Court was set aside and substituted with an order that Hawarden's claim was dismissed with costs. 

Gauteng High Court: Hawarden v ENS

In 2023, Judge Mudau handed down judgment in the matter of Hawarden v ENS, which found ENS liable for the loss suffered by Hawarden and ordered ENS to pay the sum of ZAR 5,5 million to Hawarden. The facts before the court a quo may be summarised as follows:

In 2019, Hawarden purchased a property, and ENS acted as the appointed conveyancer for the seller. ENS sent an email to Hawarden containing its bank details (attached as a PDF document) for her to make payment. 

The plaintiff's email account was hacked by an unknown third party (the hacker). The hacker accessed and altered the banking details received from ENS and released the details to Hawarden as if they were emanating from ENS when in fact the details were fraudulent. This is commonly known as a man-in-the-middle attack, as depicted below.

ENS and Hawarden were duped into believing that they were communicating with each other, when in fact, they were both communicating with the hacker. 

As a result of the interception, Hawarden made a ZAR 5,5 million payment into the fraudulent account. By the time the theft was discovered, the funds had been withdrawn and could not be recovered. Hawarden sought to recover the funds from ENS on the basis that ENS should have employed more secure means to communicate with her and that ENS omitted to protect her by failing to warn or advise her about the risks of business email compromise. 

As a result of ENS's omission, Hawarden claimed that she suffered pure economic loss. ENS argued that the court should decline to extend liability for pure economic loss because it will, in the words of the Constitutional Court, create "liability in an indeterminate amount for an indeterminate time to an indeterminate class". 

It was common cause that Hawarden's email account, as opposed to that of ENS, was the one that was hacked, leading to the fraud and that ENS had processes in place to protect itself against this type of fraud. Hawarden did not have similar protections.

Judge Mudau handed down judgment in favour of Hawarden and in doing so, held as follows: 

Hawarden (an elderly divorced pensioner) was not sophisticated enough to know how to protect herself from the risk of business email compromise. On the contrary, ENS was aware of the risks associated with business email compromise.

Despite ENS being aware of the risks, it failed to communicate its bank details safely by using technical safety measures or multichannel verifications.

Notwithstanding the near-universal practice for conveyancers, and indeed for other businesses, of sending their banking details to others by email, ENS knew better and should have taken precautions against the loss. 

Despite the fact that Hawarden was warned by Pam Golding of the risk of this type of fraud just three months prior to making the payment to ENS, she was entitled to ignore that warning whilst dealing with ENS having regard to ENS's reputation and size.

Notwithstanding that there is no contractual relationship between ENS and Hawarden, ENS owed a general duty of care to Hawarden.

The judgment had far-reaching consequences for all creditors who dispatched invoices by way of email. 

ENS appealed the judgment handed down by the Gauteng Division of the High Court. 

The Supreme Court of Appeal's decision

The SCA confined itself to determining whether Hawarden established the wrongfulness element for a delictual claim arising out of an omission causing pure economic loss and held as follows:

In our law, it is an established principle that persons cannot generally be held liable in delict for losses caused to others by omission. 

Ms Hawarden was not a client of ENS and there was no contractual relationship between Ms Hawarden and ENS. There was no attorney-client relationship between them.

Hawarden's own email account had been compromised, and this ultimately led to her loss. 

Hawarden was previously warned of the risk of business email compromise by Pam Golding just three months prior. 

It would have been "fairly easy" for Hawarden to avoid the risk of business email compromise. She could have verified ENS's bank account details by inquiring with the attorneys at ENS whom she had telephone calls with whilst at the bank (she had previously telephonically verified the bank details of Pam Golding). 

She enlisted the services of Standard Bank to assist her with the transaction and did so at the desk and computer of an individual who worked at Standard Bank. She could have easily asked the Standard Bank employee to verify the bank details of ENS. Further, Hawarden was faced with the option of furnishing a guarantee versus an electronic transfer to ENS. She elected to forego a bank guarantee for a cash transfer. 

In the words of the Supreme Court, "she had ample means to protect herself [and]…she must in the circumstances take responsibility for her failure to protect herself against a known risk". 

ENS cannot be held responsible for Hawarden's loss.

In any event, the Supreme Court held that any warning by ENS would have been meaningless, in the circumstances of this case, because by that time the hacker was already embedded in Hawarden’s email account; consequently, the risk had already materialised.

In upholding the appeal, the court significantly held that:

"[21] In this case, a finding that ENS’ failure to warn Ms Hawarden attracts liability would have profound implications not just for the attorneys’ profession, but all creditors who send their bank details by email to their debtors. The ratio of the high court judgment that all creditors in the position of ENS owe a legal duty to their debtors to protect them from the possibility of their accounts being hacked is untenable. The effect of the judgment of the high court is to require creditors to protect their debtors against the risk of interception of their payments. The high court should have declined to extend liability in this case because of the real danger of indeterminate liability." 

The appeal judgment serves as a cautionary tale for both creditors and debtors in all businesses, emphasising the importance of vigilance, secure payments and multi-verification payment processes. The appeal judgment also serves as a reminder that the person making the payment bears a responsibility to ensure that the payment is made into the correct account. Whilst we are pleased with the judgment, one must be mindful that every case is fact-dependent and the conduct of both parties will be considered in deciding where liability lies.

Written by Victoria Campos, Partner & Micaela Pather, Associate at Webber Wentzel