From CompliNEWS | Financial Service Intelligence Watch

Contract law: Gerber v PSG Wealth (Cyber fraud, hacked email account, cybercrime, business email compromise)
Gauteng High Court (Johannesburg)

The following matter was handed down by the Gauteng High Court (Johannesburg) on 24 March 2023:

  • Jan Jacobus Gerber (Mr Gerber) and PSG Wealth Financial Planning (Pty) Ltd – (case number: 36447/2021)

Fast facts
Contract Law – Breach of Contract – Hacked email account – Cybercrime / ‘Business email compromise’ – Payment to bank account despite internal verification failure – FSP obligation under General Code of Conduct, s 11 – FSP’s contractual obligation to prevent cybercrime – Alleged tacit term to prevent hacking – Estoppel.

Summary

Background

Mr Gerber’s share portfolio had been managed by PSG Wealth Financial Planning (Pty) Ltd (‘PSG’) in terms of a written contract for over a decade. Between 3 October and 5 November 2019, emails that appeared to come from Mr Gerber but were in fact the product of Business Email Compromise (‘BEC’) caused PSG to make electronic transfers totalling R800 000,00 from Mr Gerber’s investment portfolio to a fraudulent FNB bank account. Mr Gerber instituted action against PSG based on breach of contract, claiming the amount transferred together with the commission and fees charged by PSG. PSG relied on a tacit term which excluded its liability if Mr Gerber did not take reasonable steps to prevent his computer system from being hacked. In the alternative, PSG relied on estoppel on the basis that Mr Gerber had failed to protect his system from being hacked and that, when a PSG personal assistant telephoned him to confirm that payment would be made to his account, he failed to question the statement.

The issue

Whether:

  • A tacit term existed in terms of which PSG’s liability was excluded under circumstances where Mr Gerber’s computer system was hacked due to his negligence.
  • PSG had breached the contract.
  • Estoppel operated against Mr Gerber as a result of his failure to protect his system from being hacked and because he failed to question the statement by the PSG employee who called and informed him that money would be paid into his account.

Facts of the matter

Mr Gerber’s share portfolio was managed by PSG through its representative, Mr Fisher. As at September 2019 the investments held by Mr Gerber were R855 413 in total. The amount was held in shares and cash, and these amounts could be liquidated and paid out in cash to Mr Gerber on his request. The aim, however, was that the investment serve as a retirement fund for Mr Gerber and his wife, who also held a portfolio in her own name. The account was a discretionary account, meaning that Mr Gerber put funds at the disposal of Mr Fisher, who could operate on the account as he saw fit as far as the reinvestment of dividends and the usual buying and selling of shares were concerned.

Personal contact between Mr Gerber and Mr Fisher was rare. On 3 October 2019, there was an unusual request which appeared to emanate from Mr Gerber: he sought the liquidation and payment of more than a quarter of his portfolio (R250 000,00), something he had never sought before. The request also involved a change of bank details, from Mr Gerber’s Nedbank account, which had been on record for years, to an account at First National Bank (‘FNB’). Mr Fisher, by return email, said all was in order with the withdrawal and that it would take three days for the funds to be made available. He noted pertinently in the return email that the bank account mentioned was different from that which PSG had on record for Mr Gerber and asked that a current FNB statement be sent showing the new details.

Presumably this was an attempt to verify that the account was not fraudulent. Mr Fisher’s email was carbon copied to his personal assistant, Ms van Stavel. The emailed response to Mr Fisher’s request contained a letter dated 30 September, ostensibly from FNB and appearing to bear an official bank stamp reflecting that date. It purported to provide details of a bank account held in the name of Mr Gerber and reflected that the account had been opened in 2002, which would make it 17 years old. It stated that, if the reader had any queries, the writer could be contacted at a mobile telephone number provided. Ms van Stavel was again copied in this response.

As part of the PSG franchise arrangement, a franchisee is afforded the use of central client services provided by the main PSG entity. The central services include bank account verification checks and account control and payments. This facility has, as a main function, protection against BEC fraud. On 4 October 2019 Ms van Stavel, instructed by Mr Fisher, sent an email to central client services asking that Mr Gerber’s ‘new account’ be verified and loaded so that payment could be made thereto. A document indicated as being from the Bank Verification Panel of PSG shows that the search failed. The details of the verification check disclosed to Mr Fisher and Ms van Stavel showed that:

  • The identity attached to the account did not match the client details
  • The account was not more than three months old
  • Neither the phone number nor email address attached to the account was ‘valid’.

This information notwithstanding, the bank details were loaded. Client services also conveyed that, when asked, FNB was not willing to confirm telephonically that the account belonged to Mr Gerber. It was made clear that client services had identified a risk attached to the account and that consequently it would not accept any liability which arose from payment into the account. It therefore required confirmation from Ms van Stavel that payment could indeed be made into the account at the risk of PSG. Ms van Stavel, instructed by Mr Fisher, was undeterred. She next sent an email to Mr Gerber’s email address asking for his confirmation that the account was indeed his and that payment could be made into his account. The response from the hijacked email account was that the payment should indeed be made into the nominated account.

The first personal communication between the parties occurred on 8 October 2019. Ms van Stavel telephoned Mr Gerber on his mobile phone. He was driving at the time and she merely informed him that the money would be paid into his account that day. He responded ‘goed so’ (‘that’s fine’), although he did not know what she was referring to. Later that day an email was sent from the hijacked email account requesting proof of payment. On 15 October 2019, an email was sent from Mr Gerber’s hijacked email account to Ms van Stavel thanking her for the previous successful transaction and requesting an additional payment to the FNB account. The email was copied to Mr Fisher. Ms van Stavel confirmed by return email that this would be done. On 18 October 2019 there was a communication from Mr Gerber’s email address asking when payment would be made and Ms van Stavel replied that it would be forthcoming that same day. Payment was again duly made into the fraudulent account, thus wiping out most of Mr Gerber’s investment.

The hacker thereafter sought a further source of payment and asked Ms van Stavel for a statement for all Mr Gerber’s investments. This was duly forwarded. Ms van Stavel, trying to be helpful, inquired if Mr Gerber wanted a statement relating to his wife’s portfolio as well. The answer came back in the affirmative. A request for a withdrawal of R400 000 from Mrs Gerber’s investment account followed. On 5 November 2019, an email was sent with a letter purporting to be confirmation of details of a banking account for payment to Mrs Gerber. It had a similar get-up to the previous letter, but Ms van Stavel testified that the email of 5 November 2019 ‘didn’t look right’. She indicated that the language and syntax of the covering email was not grammatically correct in Afrikaans, which she spoke fluently. She thus approached Mr Fisher, who called Mrs Gerber and asked her about the liquidation of the R400 000 investment of her portfolio. She indicated that she knew nothing about it and referred Mr Fisher to her husband.

In the meantime, telephonic contact had been made with Mr Gerber and he had confirmed that he too knew nothing of the requested transaction. It finally dawned on all concerned that they had been duped. A subsequent investigation conducted by Mr Gerber revealed that his Microsoft Outlook email account had been hacked. The hacker had diverted the emails to and from PSG to a separate folder on the account, so that they did not feature in the inbox and outbox. In this way the selected correspondence remained hidden. Mr Gerber instituted action against PSG based on breach of contract, for the total paid by PSG into the FNB account (R800 000) and the commission and fees charged by PSG in the amount of R11 488,98, together with interest on such amounts at the prescribed rate.

Mr Gerber claimed that:

  • PSG was obliged to exercise the necessary skill, care and diligence to ensure that the monies held by it in trust did not fall prey to fraud, that it breached the obligation and that such breach led to his loss.

It was a term of the agreements that Mr Gerber was obliged to provide all instructions to PSG in writing via email or fax. PSG admitted liability to protect against fraud, except fraud perpetrated by means of cybercrime where Mr Gerber failed to take reasonable steps to protect his computer system from being hacked – thus, seeking to import a tacit term into the contract. It also denied breaching the terms of the agreement. PSG pleaded an alternative claim of estoppel.

Findings

The Court considered:

  • The ‘Advice Agreement’ and ‘Product Agreement’ entered into between Mr Gerber and PSG.
  • That PSG was contractually obliged, under the express terms of the agreements, to protect Mr Gerber against gross negligence and fraud.
  • That the General Code of Conduct for Financial Service Providers and Representatives (‘the Code’) was expressly imported into the contractual relationship.

Under s 11 of the Code, PSG was obliged to ‘at all times have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that clients, product suppliers and other providers or representatives will suffer financial loss through theft, fraud, other dishonest acts, poor administration, negligence, professional misconduct or culpable omissions.’

  • Mr Fisher and Ms van Stavel testified that verification reports were often unreliable and that they were therefore not regarded as conclusive evidence of a fraudulent account.
  • Ms van Stavel testified that the call made to Mr Gerber on 3 October 2019 was a ‘courtesy call’ to let him know that the money had been paid.
  • Mr Fisher testified that by 5 November 2019 he had had a conversation with a colleague in the same brokerage field, who had related that hacking had taken place in relation to one of his clients in a similar way.

The Court held:

  • To import the alleged tacit term (that if a client does not take reasonable steps to make his computer system inviolable to hacking, the protection will not apply) is counter-intuitive. The protection against technological fraud would be meaningless if the client had to assume an obligation to prevent hacking of its system. After all, PSG is paid handsomely for the services provided, which include the providing of fraud protection.
  • As regards the officious bystander test (concerning tacit terms) it is difficult, in the absence of an expert understanding of the technicalities of hacking, to determine precisely what needs to be done to protect the system. This difficulty is exacerbated by the fact that it is notorious that cyber-criminals develop their technologies and tactics to meet preventative measures as they evolve.
  • PSG has not established the tacit term contended for. In any event, there is no evidence that Mr Gerber did anything or failed to do anything to protect his system from hacking. He testified that his system was password protected and that he had an effective virus protection software installed.
  • The discrepancy in Mr and Mrs Gerber’s evidence about the physical accessibility of the passwords is not material and is irrelevant. It is not in dispute that this was a virtual hacking.
  • It is not beyond the realm of possibility or even probability that Mr Gerber’s email was sourced from a hacking of PSG’s system and that the process started there. As was testified to by Mr Fisher, his colleague alerted him to similar fraudulent activity in relation to one of his client’s portfolios.
  • Without firm evidence that either one or the other of the parties allowed the infiltration of one or the other of their systems, hacking must be regarded as an inevitable and intractable scourge. It is also not irrelevant that the contracts dictated that the manner in which the instructions had to be given was via email.

On the facts, PSG did not comply with the express terms of the contract:

  • The deficiencies in the checking process were clear. PSG ignored its own protocols.
  • The checking machinery yielded the result that the account was not verified as being legitimate. PSG however took the decision to override this information. This was notwithstanding that PSG client services pertinently pointed out that it had identified a risk that the account was not that of Mr Gerber and that it would not bear this risk.
  • At the very least, one would expect that the information relating to the bank account which was conveyed by client services would have triggered a further and more careful scrutiny of the letter provided as verification of the account – more so because Mr Fisher’s own request for a bank statement was not complied with. A bank statement would have afforded greater detail as to the veracity of the account. The fact that it was not provided should have raised a concern in the first place.
  • Responsible and careful attention to the purported letter as against the bank account check would have revealed that the account was less than three months old whereas the letter states that the account in question was opened in 2002 – i.e. that it had been held by Mr Gerber for more than fifteen years. This is a glaring anomaly.
  • The fact that the account was newly opened would be an indicator that it may have been opened for a nefarious purpose. The bank account verification process was specifically directed at whether the account was less than three months old.
  • The fact that the discrepancy was not picked up shows that there was a lack of attention to the purported proof of the new account as being that of Mr Gerber.
  • The letter was simply taken at face value. This does not amount to the taking of steps to protect the investment against fraud.
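The verification outcome described in the facts and the anomalies the court lists above (failed panel checks, a letter supplied instead of the requested statement, a claimed 2002 opening date against a sub-three-month account, and ‘confirmation’ obtained from the same mailbox) lend themselves to an automated release check. The following Python is an added example, not part of this case note or of PSG’s systems; the data classes, field names and the hard-stop rules are assumptions modelled on the facts as summarised on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed models of the inputs this case note describes; field names are assumptions.
@dataclass
class VerificationReport:                 # output of the bank verification panel
    identity_matches_client: bool
    account_older_than_three_months: bool
    phone_valid: bool
    email_valid: bool
    bank_confirmed_ownership: bool        # bank willing to confirm ownership on enquiry

@dataclass
class ProofDocument:                      # what the client supplied as proof of the account
    kind: str                             # e.g. "statement" or "letter"
    claimed_opened_year: Optional[int]    # year the document says the account was opened

@dataclass
class Confirmation:                       # how the client's confirmation was obtained
    channel: str                          # e.g. "email", "phone"
    same_as_instruction_channel: bool     # came back over the channel the instruction arrived on
    covers_new_bank_details: bool         # addressed the new account details specifically

def assess_payout_to_new_account(report, proof, confirmation,
                                 requested_doc="statement", today=date(2019, 10, 4)):
    """Return (release, reasons). Any reason blocks release: each is an indicator the
    court treated as material, so none should be overridable by the adviser alone."""
    reasons = []
    if not report.identity_matches_client:
        reasons.append("identity on the account does not match the client record")
    if not report.account_older_than_three_months:
        reasons.append("account is less than three months old")
    if not (report.phone_valid and report.email_valid):
        reasons.append("contact details attached to the account are invalid")
    if not report.bank_confirmed_ownership:
        reasons.append("bank declined to confirm that the client owns the account")
    if proof.kind != requested_doc:
        reasons.append(f"a bank {requested_doc} was requested but a {proof.kind} was supplied")
    # Cross-check the document against the panel: a letter claiming an old account
    # while the bank check says it is under three months old is a contradiction.
    if (proof.claimed_opened_year is not None
            and not report.account_older_than_three_months
            and today.year - proof.claimed_opened_year >= 1):
        reasons.append(f"document claims the account was opened in {proof.claimed_opened_year} "
                       "but verification shows it is under three months old")
    # Confirmation must be out-of-band and about the account change itself, not a reply
    # from the same mailbox or a general call saying money is on its way.
    if confirmation.same_as_instruction_channel or not confirmation.covers_new_bank_details:
        reasons.append("confirmation not obtained out-of-band against the new bank details")
    return (not reasons, reasons)

def gerber_facts():
    """The October 2019 request as summarised on this page: every panel check failed,
    a letter (not the requested statement) claiming a 2002 account was supplied, and
    'confirmation' came back by email from the same compromised mailbox."""
    report = VerificationReport(False, False, False, False, False)
    proof = ProofDocument("letter", 2002)
    confirmation = Confirmation("email", True, True)
    return assess_payout_to_new_account(report, proof, confirmation)
```

Run against the page’s facts, `gerber_facts()` refuses release with seven distinct reasons; the only path to release is a clean panel result, the document that was actually requested, and a confirmation obtained over a different channel that addresses the new bank details themselves.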

Regarding PSG’s reliance on estoppel in that Mr Gerber, through his negligence allowed the misrepresentations to be made, i.e. facilitated the fraud:

  • Fraudulent intervention of a third party is an important factor in determining whether the conduct of the person sought to be estopped proximately caused the other’s mistaken belief and resultant loss, and whether this result was reasonably foreseeable.
  • PSG has not established that anything Mr Gerber did or failed to do resulted in the hacking, and it is just as probable that the details of the email addresses of clients were obtained from PSG’s system.
  • Mr Gerber had no duty to protect his email system. On the contrary, Mr Gerber was protected by a contract which put the duty to prevent fraud of this nature on PSG. Even if it had been shown by PSG that Mr Gerber was negligent, this does not absolve PSG of its admitted contractual obligations.
  • The proximate cause of the loss was not the hacking, it was the failure to employ the necessary and contractually prescribed vigilance when monies held in trust were sought to be paid into a different account.

Regarding PSG’s reliance on estoppel in that Mr Gerber, when telephoned by Ms van Stavel failed to question the statement that monies were to be paid into his account thus creating the impression that he had sought such payment:

  • Mr Gerber’s confirmation on a query from his financial service provider that money could be paid into his account cannot be construed as a representation.
  • The situation would be different if the telephone communication was directed at confirming Mr Gerber’s new bank account details.
  • It was PSG’s onus to show that the representation was clear and unequivocal and that Ms van Stavel reasonably understood the representation to mean that payment of Mr Gerber’s monies held by PSG could be made into a new bank account. The test for representation by conduct is whether the representor should reasonably have expected that the representee may be misled and whether the representee acted reasonably in construing the representation.
  • PSG failed to establish these aspects on the facts. On Ms van Stavel’s evidence, the call was merely a courtesy call. Mr Gerber was simply informed that payment would be made to him by his financial service provider. He had no reason to question this information.
  • PSG has not established the estoppel defences raised.
  • The contractual obligation of PSG to its clients was to have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that the clients will suffer financial loss through theft or fraud.
  • PSG has not established that it complied with its contractual obligations to protect Mr Gerber against cybercrime.

Conclusion and Order

PSG must pay Mr Gerber R811 488,98. PSG is liable for interest on such amount at the statutorily prescribed rate: on the amount of R250 000,00 from October 2019 (being the date of the first payment), and on the amount of R561 488,98 (which comprises the second payment of R550 000,00 and the commission and fees of R11 488,98 charged by PSG) from 18 October 2019 (being the date of the second payment). PSG must pay the costs of suit.

The law

  • General Code of Conduct for Financial Service Providers and Representatives, s 11

Cases considered

  • Alfred McAlpine & Son (Pty) Ltd v Transvaal Provincial Administration 1977 (4) SA 310 (T)
  • Airways Inc v SA Fire and Accident Insurance Co Ltd 1965 (3) SA 150 (A) 175C
  • Concor Holdings (Pty) Ltd t/a Concor Technicrete v Potgieter 2004 (6) SA 491 (SCA)
  • Desai and Others v Greyridge Investments (Pty) Ltd 1974 (1) SA 509 (A)
  • Fourie v Van der Spuy and De Jongh Inc and Others [2019] JOL 45848 (GP)
  • Grosvenor Motors (Potchefstroom) Ltd v Douglas 1956 (3) SA 420 (A)
  • Harwarden v ENS (13849/2020) GHC (Jhb) (16 January 2023)
  • Jurgens and Another v Volschenk (4067/18) [2019] ECHC (PE) (27 June 2019)
  • Lillicrap, Wassenaar and Partners v Pilkington Brothers (SA) (Pty) Ltd 1985 (1) SA 475 (A)
  • Maartens v Pope 1992 (4) SA 883 (N)
  • Mosselbaai Boeredienste (Pty) Ltd v OKB Motors CC t/a Bultfontein Toyota (A43/2021) [2021] FSHC (Bftn) (18 November 2021)
  • O K Bazaars (1929) Ltd v Universal Stores Ltd 1973 (2) SA 281 (C)
  • Reigate v Union Manufacturing Co (Ramsbottom) Ltd and Elton Cap Dyeing Co Ltd [1918] 1 KB 592 (CA) (118 LT 479)
  • South African Mutual Aid Society v Cape Town Chamber of Commerce 1962 (1) SA 598 (A)
  • Southern Life Association Ltd v Beyleveld NO 1989 (1) SA 496 (A)
  • Techni-Pak Sales (Pty) Ltd v Hall 1968 (3) SA 231 (W)
  • Union Government v National Bank of South Africa Ltd 1921 AD 121
  • Wilkins NO v Voges 1994 (3) SA 130 (A)
