Ms Hawarden purchased a property from the Davidge Pitts Family Trust for R6 million in May 2019. ENS was appointed as conveyancer for the seller. In August 2019, cybercriminals hacked Ms Hawarden's email account and intercepted email communications between her and ENS. On 21 August 2019, Ms Hawarden received a fraudulent email purporting to be from ENS's employee, Ms Maninakis, containing altered banking details (the fraudster used [email protected] instead of @ensafrica.com). On 22 August 2019, Ms Hawarden elected to pay the balance of the purchase price (R5.5 million) by electronic fund transfer instead of by bank guarantee. While at her bank (Standard Bank) with the assistance of bank employee Ms Shabalala, she made the transfer using the fraudulent banking details, believing she was paying ENS. She did not verify the banking details telephonically with ENS before making the transfer, despite having been previously warned by the estate agent PGP about cybercrime risks and having verified PGP's banking details earlier. The fraud was discovered on 29 August 2019 but the funds had already been withdrawn and could not be recovered. Ms Hawarden sued ENS for R5.5 million for pure economic loss caused by omission, alleging ENS had a duty to warn her about BEC fraud and implement various security measures.
The appeal was upheld with costs, including costs of two counsel. The order of the High Court was set aside and substituted with an order dismissing the plaintiff's claim with costs, including costs of two counsel.
In a delictual claim for pure economic loss caused by omission: (1) Conduct causing pure economic loss is not prima facie wrongful and wrongfulness must be established through public and legal policy considerations. (2) A negligent omission will only be wrongful and actionable if policy considerations require that such omissions should attract legal liability. (3) Where a plaintiff has taken, or could reasonably have taken, steps to protect itself from loss suffered, this is an important factor counting against a finding of wrongfulness in pure economic loss cases - the plaintiff is not 'vulnerable to risk' and there is no pressing need for delict law to protect the plaintiff. (4) The criterion of vulnerability to risk will ordinarily only be satisfied where the plaintiff could not reasonably have avoided the risk by other means. (5) The risk of indeterminate liability is a main policy consideration militating against recognition of liability for pure economic loss. (6) Where a plaintiff was warned of a risk, had previously taken steps to protect against that risk, and had ample readily available means to verify information but failed to do so, the plaintiff must take responsibility for the loss and no legal duty should be imposed on the defendant.
The court noted that Ms Hawarden's loss occurred when there was no attorney-client relationship between her and ENS - she was not ENS's client at the relevant time. The court observed that the loss occurred not due to any failing in ENS's systems but because hackers had infiltrated Ms Hawarden's email account. The court commented that any warning by ENS about BEC fraud would have been meaningless in the circumstances because by the time such warning would have been given, the cybercriminal was already embedded in Ms Hawarden's email account and the risk had already materialized. The court made the broader observation that the effect of the high court's judgment would be to require all creditors to protect their debtors against the risk of interception of payments, which is untenable. The court noted that both Mr Carrim and Ms Maninakis would no doubt have taken comfort from the fact that Ms Hawarden was at her bank and in professional hands, suggesting they had no reason to believe additional warnings were necessary. The court observed that Ms Hawarden was unable to explain why she did not verify the banking details when she had verified PGP's details three months earlier in response to a similar warning.
This case is significant in South African delictual law as it clarifies the limits of liability for pure economic loss caused by omission in the context of cyber fraud. It reinforces that: (1) wrongfulness is not established where a plaintiff could reasonably have protected themselves against a known risk (the 'vulnerability to risk' criterion); (2) the law will not impose a duty on defendants to protect plaintiffs from pure economic loss where plaintiffs have reasonable means to protect themselves; (3) courts must consider the risk of indeterminate liability when determining whether to extend delictual liability for pure economic loss; and (4) in the digital age, parties who are warned about cyber fraud risks bear responsibility for taking reasonable verification steps. The judgment prevents an unworkable extension of liability that would have required all creditors to protect their debtors against email hacking risks. It places the onus on parties making electronic payments to verify banking details, particularly where they have been warned of such risks and have readily available means to verify account details. The case demonstrates the application of established pure economic loss principles to modern cyber fraud scenarios.
Explore 2 related cases • Click to navigate