In Lester Connock Commemoration Fund v Brough Capital, the high court held Brough Capital liable for a breach of agreement in administering funds for the Rotary Club of Rosebank. The court found that fraudulent email transactions totalling R3.1 million occurred because Brough failed to verify the instructions it received. Brough’s negligence led to a significant loss for the Rotary Club. The court ruled in favour of the Lester Connock Commemoration Fund and ordered Brough to pay R3.1 million plus interest and costs.
Who should care about this judgment and why?
- Financial service providers (especially those handling third-party funds), because they need to be resilient in guarding against business email compromise (BEC).
- All organisations that use email to communicate banking details, because you could receive a compromised email from a criminal.
- Industry bodies and financial institutions, because of the potential liability for negligence in fund administration.
What could you do about it?
The ruling highlights the legal duty to authenticate instructions you receive through email. Organisations must run an awareness programme that educates their employees about BEC so that they can recognise and prevent this common cybercrime. Financial institutions face a higher risk of BEC when transacting online because of the nature of their business, so they must take proactive measures to safeguard their financial transactions. Here are some practical steps you can take to avoid falling victim to email-related fraud:
- Implement two-factor authentication (2FA): Strengthen email security by requiring two-factor authentication for access. This adds an extra layer of protection, making it significantly harder for unauthorised individuals to gain access even if login credentials are compromised.
- Train and educate your staff: Conduct regular training sessions to educate employees on recognising phishing attempts and fraudulent emails. Create awareness about the potential risks associated with email communication and emphasise the importance of verifying instructions, especially for financial transactions.
- Verify unusual requests: Encourage a culture of scepticism when receiving unusual or unexpected requests, particularly those related to fund transfers. Employees should be trained to independently verify such requests through alternative means, such as a phone call to a known contact using a number already on record rather than one supplied in the email.
- Regularly update security software: Keep email and cybersecurity software up to date to protect against evolving cyber threats. Regular updates ensure systems are equipped with the latest security patches, reducing vulnerabilities that malicious actors may exploit.
- Establish clear verification protocols: Define and communicate clear protocols for verifying financial instructions received via email. Implement a secure and standardised process, such as using encrypted communication channels or confirming instructions through a secondary communication method.
- Conduct periodic security audits: Regularly audit and assess the effectiveness of existing security measures. This includes reviewing access controls, monitoring suspicious activities, and ensuring all staff members adhere to established security protocols.
You can significantly enhance your resilience against BECs by incorporating these practical tips into your business practices.
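The verification protocol described in the tips above, modelled as an added example (not code from the judgment or from any party to it): a payment instruction received by email is held unless the beneficiary details match the register and the amount is small, or unless a second staff member has confirmed it out of band using contact details taken from the record rather than from the email. The register, threshold and staff names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed beneficiary register: captured at onboarding, never updated from an email.
BENEFICIARY_REGISTER = {"Rotary Club of Rosebank": "ZA-BANK-000123"}
CALLBACK_THRESHOLD = 50_000.0  # assumed policy value: larger payments always need a call-back
OUT_OF_BAND = {"phone_callback", "in_person"}  # a reply to the email never counts


@dataclass
class Instruction:
    ref: str
    beneficiary: str
    account: str
    amount: float
    received_by: str  # staff member who read the email


@dataclass
class Verification:
    instruction_ref: str
    verified_by: str           # staff member who performed the call-back
    channel: str               # must be one of OUT_OF_BAND
    contact_from_record: bool  # number taken from the register, not from the email


def assess(instr: Instruction, ver: Optional[Verification] = None):
    """Return ("release", triggers) or ("hold", reasons); email alone never releases a flagged payment."""
    triggers = []
    on_record = BENEFICIARY_REGISTER.get(instr.beneficiary)
    if on_record is None:
        triggers.append("beneficiary not on record")
    elif on_record != instr.account:
        triggers.append("account differs from record")  # the classic BEC change of banking details
    if instr.amount >= CALLBACK_THRESHOLD:
        triggers.append("amount at or above call-back threshold")
    if not triggers:
        return "release", []
    if ver is None:
        return "hold", triggers + ["no out-of-band verification"]
    problems = []
    if ver.instruction_ref != instr.ref:
        problems.append("verification does not refer to this instruction")
    if ver.channel not in OUT_OF_BAND:
        problems.append("verification was not out of band")
    if not ver.contact_from_record:
        problems.append("contact details were taken from the email itself")
    if ver.verified_by == instr.received_by:
        problems.append("same person received and verified the instruction")
    if problems:
        return "hold", triggers + problems
    return "release", triggers
```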
Our insights on the judgment
As hackers become more sophisticated, businesses need to be more resilient. It is no longer a case of "if" we have an attack but rather "when".
This judgment highlights the importance of implementing robust measures to prevent cyber fraud in financial transactions. This is a business concern, and organisations must ensure that their service providers have strict authentication processes in place to validate fund-related instructions.
Find your weakest links
Yes, hackers are clever and always looking for your weak spots. Remember to include your staff in your security processes by ensuring they know what to look out for during online transactions. Practical tips include regular reviews of transaction patterns, verification of unusual requests, and scrutiny of communication authenticity. To avoid pitfalls, financial service providers must adhere to contractual obligations to protect clients against cybercrime, exercising necessary skill, care, and diligence.
Digest
Brough Capital, an authorised financial service provider (FSP), undertook to administer funds for the Rotary Club of Rosebank. Brough Capital later paid funds over to a portfolio at Momentum. Members of the Rotary Club realised that an amount of R3.1 million had been transferred from Momentum into the bank accounts of unknown persons or entities. The fraudulent transactions happened after fraudsters hacked into the Rotary Club manager's email.
The court found Brough Capital staff to be grossly negligent because they failed to authenticate instructions. This led to the unauthorised transfer of R3.1 million. The court highlighted the duty of organisations to verify instructions they receive via email, especially in the context of cybercrime, which is increasing daily.
Order
The court ordered Brough Capital to pay the Fund R3.1 million plus interest and the taxed party and party costs of the suit. Brough also had to pay the costs of two counsel.
Details of Lester Connock Commemoration Fund v Brough Capital
- Universal citation: ZAGPJHC 1329
- Case number: 28646/2020
- Full name: Lester Connock Commemoration Fund v Brough Capital (Pty) Ltd and Another
Please note: The summary of this judgment is not intended for a general audience. It is specifically drafted for the members of the Michalsons Programmes.