The session featured a mock trial led by Caroline Theodosiou, Partner; Erwyn Durman, Senior Associate; and Jodi Hardy, Associate, from Webber Wentzel. The event provided an in-depth analysis of a Supreme Court of Appeal case, examining the legal and practical aspects of cybercrime.
Case overview
The mock trial centered on a case involving Ms Hawarden, who, after her email was compromised, mistakenly transferred the purchase price of a property to a fraudster’s bank account instead of the intended trust account of ENS, the conveyancing attorney. Although Ms. Hawarden initially won her case in the lower court, the Supreme Court of Appeal overturned this decision. The court found that ENS was not obligated to warn Ms. Hawarden about the risks of Business Email Compromise (BEC) or cybercrime.
Theodosiou explained that this case was chosen for the mock trial due to its relevance in illustrating the challenges of establishing legal duty and liability in cases of cyber fraud. The court’s decision clarifies the extent of responsibility professionals have when transmitting banking details and underscores the difficulty of recovering losses from untraceable fraudsters.
Defining cyber and impersonation fraud
Durman discussed that cyber fraud involves a range of illegal activities conducted through digital means, targeting individuals or organisations for financial gain or sensitive information.
Impersonation fraud, on the other hand, involves deceiving others by pretending to be someone else, often through social engineering or fake identities. Both types of fraud can lead to significant financial losses, operational disruptions, and reputational damage.
Recent trends and legal considerations
Hardy highlighted recent trends in cybercrime, such as targeting vulnerable individuals like the elderly and sophisticated frauds involving fake initial coin offerings and phishing attacks on cryptocurrency wallets.
Legal challenges in such cases often revolve around proving “wrongfulness” in delictual claims for pure economic loss. This requires assessing whether it is reasonable to impose liability based on public and legal policy, which is complex in the context of cybercrime.
Managing risk and liability
Theodosiou elaborated on the concepts of “risk of indeterminate liability” and “vulnerability to risk”. The potential for widespread and unpredictable losses poses a challenge in determining liability, while a plaintiff’s vulnerability and failure to take preventative measures are critical in establishing duty of care.
Durman recommended several steps businesses can take to mitigate risks, including implementing robust cybersecurity measures such as firewalls, antivirus protection, and encryption. Additionally, companies should adopt multi-factor authentication, enforce password policies, and provide regular training on recognising phishing and other fraud schemes.
Hardy provided practical strategies for organisations to safeguard against cyber and impersonation fraud. This includes enhancing authentication and access controls, improving employee awareness, and developing effective incident response procedures. Verifying sensitive transactions through additional means, such as telephone confirmation, can also help prevent fraud.
The mock trial suggested that plaintiffs could have taken several steps to protect themselves, such as obtaining a bank guarantee instead of making an EFT payment, confirming banking details via telephone, or asking their bank to verify the details on their system.
Key takeaways
The session concluded with Theodosiou emphasising that cybercrime, particularly Business Email Compromise, poses a growing threat to both businesses and individuals. Effective protection against these threats requires strong systems, comprehensive policies, and vigilant practices. The case underscores that courts are unlikely to award damages for pure economic loss if plaintiffs have not taken reasonable preventative measures.
The CPD session provided valuable insights into the complexities of navigating cyber and impersonation fraud, highlighting the importance of proactive measures in the digital age.