When Trust Becomes a Target - Understanding Business Email Compromise

By Zandrie Rademeyer | SchoemanLaw Inc

Category: Technology Law

Introduction

In today’s digital business environment, email remains one of the most important communication tools for organisations.

However, its widespread use has also made it a prime target for cybercriminals.

One of the fastest-growing and most financially dangerous cyber threats is Business Email Compromise (BEC), a form of fraud that relies on deception and social engineering rather than malicious software.

By impersonating trusted individuals or organisations, attackers manipulate victims into transferring money, disclosing confidential information, or granting access to sensitive systems.

As BEC incidents continue to rise globally and in South Africa, businesses and individuals must understand how these scams operate, the legal implications of such attacks, and practical steps to reduce their risk of becoming victims.

What Is Business Email Compromise?

BEC is a sophisticated cybercrime that uses social engineering rather than technical attacks to deceive individuals into transferring funds, disclosing sensitive information or providing access credentials.

Attackers often impersonate trusted individuals, such as executives or business partners, by hijacking email accounts, creating lookalike domains, or using stolen credentials.

Once they gain access to or imitate legitimate email communications, cybercriminals study communication patterns, writing styles, and ongoing business activities to make their requests appear authentic.

These requests commonly involve changing payment details, transferring money or sharing confidential information.

BEC is considered one of the most costly forms of cybercrime because it exploits trust in email communications.

Victims are often convinced they are responding to legitimate requests from trusted sources, resulting in significant financial losses.

Common examples include fraudulent invoices from suppliers, fake instructions from company executives, and altered payment details in property transactions, all designed to redirect funds to criminal-controlled accounts.

Edward Nathan Sonnenberg Inc v Hawarden

The key South African authority on business email compromise (BEC) is Edward Nathan Sonnenberg Inc v Hawarden 2024 (5) SA 9 (SCA).

Ms Hawarden bought a property from a client of the law firm ENS and chose to pay the purchase balance into ENS’s trust account.

ENS emailed its banking details to her, but her email account was compromised, and a fraudster substituted the attachment with false banking details.

As a result, she paid about R5.5 million into the fraudster’s account.

After discovering the fraud, Ms Hawarden paid the money into the correct trust account and then sued ENS for damages, arguing that the firm owed her a duty of care and should have warned her about the risk of BEC.

Although the High Court held the law firm liable for failing to warn her about BEC risks, the SCA disagreed.

It found the firm did not owe her a legal duty to protect her from third-party fraud, especially because she had already been warned about cybercrime risks and could have verified the account details with her bank.

The Constitutional Court is still considering whether to overturn that ruling, and a reversal could create a new category of civil liability for BEC-related losses in South Africa.

Protect Yourself

To reduce the risk of falling victim to cybercrime, avoid oversharing personal information on social media or other online platforms.

Details such as your date of birth, family connections, schools attended, or pet names can be used by criminals to guess passwords or answer security questions.

Be cautious of unexpected emails or text messages that ask you to confirm, update or provide account information.

Instead of using the contact details provided in the message, independently find the organisation’s official contact information and verify whether the request is genuine.

Always inspect email addresses, website URL’s, and spelling carefully, as scammers often use subtle variations to impersonate legitimate individuals or organisations.

Similarly, avoid opening attachments or downloading files from unknown senders, and exercise caution even when attachments appear to come from someone you know.

Strengthen account security by enabling multi-factor authentication wherever possible and keeping it activated.

Before making payments or approving financial transactions, independently verify the request through a trusted communication channel, especially when banking details or payment instructions have changed.

Finally, be alert to messages that create a sense of urgency or pressure you to act immediately.

Urgent demands are a common tactic used by fraudsters to prevent victims from taking the time to verify the legitimacy of a request.

Conclusion

BEC represents a significant cybersecurity threat because it exploits human trust rather than technological vulnerabilities.

The South African case of Edward Nathan Sonnenberg Inc v Hawarden highlights the serious financial consequences that can result from these attacks, as well as the evolving legal questions surrounding liability for BEC-related losses.

As cybercriminals continue to develop increasingly convincing methods of deception, organisations and individuals must remain vigilant.

By implementing strong security measures, verifying payment instructions independently, and maintaining awareness of common fraud tactics, businesses can significantly reduce their exposure to BEC and protect themselves from potentially devastating financial and reputational harm.

For further assistance, consult an attorney at SchoemanLaw.

Zandrie Rademeyer | SchoemanLaw Inc

Attorney: Technology Law

https://schoemanlaw.co.za/category/tech-law/