[Column] Ryan Mer: BEC Attacks - Who is legally responsible?
Business Email Compromise (BEC) and cyber attacks are on the increase worldwide. Conveyancing firms, their clients, and other organisations that effect many large, non-recurring transactions are particularly vulnerable to BEC fraud. Ryan Mer, Managing Director, eftsure Africa, a Know Your Payee™ (KYP) platform provider, says gaps in organisations’ payment systems not only pose massive financial and reputational risks, but can have serious legal implications as well.
According to a global survey conducted by Mimecast Cyber Security Services in 2020, six out of ten companies globally were infected with ransomware and there was a 64% increase in email threats. An Accenture report from May 2020 confirms South Africa had the third most cybercrime victims globally, resulting in losses topping R2.2 billion.
All too aware of large deposits made to and from conveyancing firms, criminals target and intercept email accounts and scam victims into making payments into the incorrect account. While legislation like the Financial Intelligence Centre Act (FICA) and Protection of Personal Information Act legally requires attorneys and estate agents to responsibly gather and scrutinise an individual’s information, Business Email Compromise remains a threat to any organisation and its clients. In South Africa there is case precedent for firms being held liable for payments that did not reach the intended recipient; a situation that demands email correspondence containing bank details and personal information be handled with caution.
In circumstances where organisations are unable to meet their financial obligations as a result of a BEC attack, third parties may seek compensation for disrupted business operations and other losses, particularly where a firm is found to be in breach of its duty to take adequate measures to mitigate the risks of BEC attacks. It’s critical that attorneys and clients take additional care in verifying account details before making payments and are made immediately aware of sudden changes in email addresses and bank details.
Most threats can be avoided with the correct financial controls as well as server, IT and email monitoring processes together with the following measures:
- Be informed: keep up to date with the latest scams and ensure your employees, colleagues and trading partners are aware of how they work in practice.
- Review your company practices in relation to password and security controls. Never share passwords across multiple sites or permit weak passwords.
- Acknowledge the fact that employee email accounts are gateways to sensitive information and attacks, and enforce policies restricting what information can be kept in email inboxes prior to secure archiving. eftsure’s secure, digitised payee onboarding platform can assist with the collection and management of payee information.
- Re-evaluate your financial procedures for approving payment release. A platform like eftsure can help limit the risks of BEC attacks by cross-referencing the payments an organisation is about to release with a database of verified bank account details. eftsure’s fully integrated platform will clearly alert to any suspect payments at the point of payment, allowing an organisation to deal with them before making payment, i.e. before the flow of funds has occurred.