By Tania Broughton, GroundUp
The Johannesburg High Court has ordered a financial services company to pay a client more than R800 000 plus interest after hackers defrauded the company and its client of his money.
Judge Denise Fisher ruled in favor of Jan Jacobus Gerber after he sued PSG Wealth Financial Planning for the loss he suffered due to the illegal electronic transfer of money intended for his retirement.
The money was invested at PSG Wealth Financial Planning when hackers got their hands on the money through an email.
Fisher said in her ruling that it is common knowledge that business is conducted by email. Increasingly, hackers gain access to those emails and thus intercept money.
“The question is who should bear the losses,” she said.
At the time of the cyber attack, Gerber had a share portfolio at PSG Wealth which had been managed for more than a decade by Jonathan Fisher, a representative of PSG. This portfolio consisted of investments totaling R855 413 as of September 2019 and could be liquidated and paid out at Gerber’s request.
The court then heard that Gerber and Fisher had little contact and the only communication between the two was the monthly statement that Fisher sent to Gerber by e-mail.
In October 2019, Fisher received a “somewhat unusual request” by email, believed to be from Gerber. Gerber asked in this e-mail that R250 000 be liquidated. The email also provided details of a new bank account with FNB.
Fisher responded to the email and asked for confirmation of the new account. He then received an e-mail, apparently from Gerber, with a letter, apparently from FNB. The letter appeared to have an official bank stamp and reflected that the account was opened in 2002.
PSG’s branches are managed on a franchise system and as part of that agreement are granted access to a central customer service that can verify bank account details.
The FNB account details were therefore sent for verification. Fisher was then able to establish by means of a verification report that the identity attached to the FNB account did not match Gerber’s details.
Moreover, the report showed that the account had in fact been opened less than three months earlier. The phone number and email address were also not valid.
However, according to Fisher (of PSG), these verification reports are often unreliable.
His personal assistant Jocelyn van Stavel therefore sent an email to Gerber to confirm that it was indeed his account.
“It is not surprising that the response to the hijacked email was that the payment should be made into the fraudulent account,” Judge Fisher said in her ruling.
When Van Stavel made a “courtesy call” to Gerber to let him know the money had been paid out, Gerber replied “fine”. However, Gerber was behind the wheel of his car at that stage and did not know what she was referring to.
A second email from the hacker followed soon after in which he or she asked for more money. The money was paid out and Gerber’s investment was finally drained.
The hacker then informed Van Stavel by e-mail that Gerber’s wife also had an investment account and asked that R400 000 of the investment be paid out.
It was then that Van Stavel suspected mischief. “Something didn’t seem right,” she later explained to the court.
Fisher then contacted his clients, who both confirmed that they had not asked to withdraw any funds.
An investigation then revealed that Gerber’s e-mail had been hacked and that all the e-mails to and from PSG had been redirected to a separate file that did not appear in his inbox or outbox.
PSG argued that although it was their duty to protect Gerber’s money, the financial services company could not be held liable for loss under circumstances in which its computer system was hijacked in terms of a “tacit provision” in their agreement with Gerber.
But Judge Fisher said introducing such a term would be counterintuitive. “The protection against technological fraud would be meaningless if the customer had to accept the obligation to prevent hacking.
“After all, PSG is well paid for the services provided, including the provision of fraud protection,” Judge Fisher pointed out.
Judge Fisher also pointed out that there was no evidence that Gerber failed to protect his email system from hackers. He testified that his system is password protected and that he has installed effective virus protection.
Judge Fisher said the contracts stipulated that instructions were to be given by email, meaning that PSG probably accepted the risk of using this communication system.
Judge Fisher also pointed out that a “courtesy call” was made to Gerber and that this call was not made to confirm that the money should be paid out.
According to Judge Fisher, PSG could not prove that it fulfilled its contractual obligations to protect Gerber from cybercrime.
She consequently ordered that the company pay R811 488.98 plus interest to Gerber. PSG was also ordered to bear the costs of the court application.
- This post originally appeared on GroundUp and is posted here with permission.