You are currently viewing our desktop site, do you want to visit our Mobile web app instead?

Joburg advisor on the hook after client email hacked

Takes R800 000 punch as court rules it paid funds into fraudulent accounts based on fake ‘signature’.
A hacker successfully diverted money into three FNB accounts in what has proven to be an expensive lesson for the local investment advisor. Image: Shutterstock

An investment company has been ordered by the Supreme Court of Appeal to pay back its client’s money after it released his funds based on instructions from hacked emails.

Global & Local Investment Advisors paid out R804 000 of Nickolaus Ludick Fouché’s funds to three third-party accounts after receiving emails requesting it to do so.

It all started in November 2015, when Fouché, a mining consultant, gave a written mandate to Global & Local to act as his agent and invest money with Investec Bank on his behalf.

In the written agreement, it was stipulated that: “All instructions must be sent by fax or by email with Fouché’s signature.”

According to the contract, the money was to be invested in a Corporate Cash Manager (CCM) account in the name Fouché.

Global & Local opened the CCM account for Fouché at Investec and managed the accounts for a fee expressed as a percentage of the funds invested.

Instructions

However, come August 2016, Fouché realised that his Gmail account had been hacked by fraudsters who used his email address to send three emails to Global & Local – on August 15, 18 and 24 – requesting that the funds be transferred into the accounts of named third parties at First National Bank (FNB).

Two of the three emails ended with the words: ‘Regards, Nick’ while the third ended with ‘Thanks, Nick’.

Responding to the instructions as per the three emails sent – which had no attachments – the financial services provider based in Johannesburg paid out R 804 000 from Fouché’s account over three days in August 2016.

Once Fouché became aware of this he notified Global & Local that the emails had not been sent by him.

According to the Supreme Court of Appeal: “Fouché claimed payment of the amounts transferred to third party accounts on the basis that Global had paid out contrary to the written mandate.”

‘Nick’ is not a signature

In its defence Global & Local said it had acted within the terms of the mandate on instructions that originated from Fouché’s legitimate email address and that the typewritten name ‘Nick’ at the foot of the emails satisfied the signature requirement.

It said this is in consideration of 13(3) of the Electronic Communications and Transactions (ECT) Act 25 of 2002.

The act says that when an electronic signature is required by the parties to an electronic transaction and the parties have not agreed on the type of electronic signature to be used, that requirement is met in relation to a data message if:

  • A method is used to identify the person as to indicate the person’s approval of the information communication; and
  • Having regard to all the relevant circumstances at the time the method was used, the method was as reliable as was appropriate for the purposes for which the information was communicated.

Fouché however submitted to the court that the instructions did not bear his signature, whether manuscript or electronic.

The court dismissed Global & Local’s appeal, as per a previous High Court judgment that ruled in favour of Fouché.

Read: Are your investments safe from hackers?

It said the mandate “specifically required” Fouché’s signature for a valid instruction and not merely an email or fax message purporting to be sent to Global & Local.

Client specified an actual signature

The High Court stated that this is not a case where the parties agreed to accept an electronic signature as envisaged by the act.

It had elaborated by saying that this was “a case where the parties required a signature. No more and no less”.

“A simple mechanism to achieve that requirement would simply be to reduce the request to writing, to sign it and to forward it by email or fax to the defendant as the recipient.”

The High Court said the agreed mechanism is in line with a purpose and practical interpretation of the provisions of the mandate in line with the probable common intention of the parties and was aimed at avoiding precisely the unlawful activity that caused the damage to Fouché.

“It is common cause that no signed instruction has been given to the defendant [Global & Local] empowering it to transfer the amounts totalling R804 000 from the plaintiff’s [Fouchés] CCM account,” the High Court noted.

It found that the transfer was made unlawfully, conflicting with the terms of the mandate that required an instruction bearing Fouché’s signature.

On Wednesday, the Supreme Court of Appeal dismissed Global & Local’s appeal with costs, saying “in the commercial and legal world signatures serve established purposes”.

“Signatures are used as a basis to determine authority and can be checked for authenticity. When money is paid out on a cheque it is done on the basis of an authorised signatory whose signature can be verified.”

Get access to Moneyweb's financial intelligence and support quality journalism for only
R63/month or R630/year.
Sign up here, cancel at any time.

AUTHOR PROFILE

COMMENTS   8

You must be signed in to comment.

SIGN IN SIGN UP

This is exactly why you should never sign a financial institution’s fax and email indemnity form without insisting there is a built-in independent confirmation method like a phone call with verification. Bank indemnities are one-sided and absolve them of all blame when acting on email instructions. Beware! The small print becomes very important when there’s a dispute, which you will lose if you sign one of these indemnities.

Excuse me, did they pay out money to a third party account without additional verification? Arguing about the signature is pretty pointless, where is the FIC investigation?

Exactly. Paying out to any account that is not the account on record should at the very least require a proof of account and, if it is to a third party, copy of ID and proof of residence of that third party

Usually these types of IFA’s just pay off the FSCA or whoever does the investigation. Thanks Nick for not letting it go and highlighting this FSP’s unethical practices that have gone on for years. Thanks to Melitta for writing and publishing the article.

Sounds like an inside job.

I think so and then the company just says not their problem.

Sending ANY signature (scanned & pasted) within an email is extremely “dangerous”. Even sending a Word document with a signature pasted in it is “dangerous”. Both of these methods allow anyone to simply right-click and copy/save the signature (which is an image) and re-use it wherever they choose. I prefer sending an encrypted PDF document that contains a signature that cannot simply be copied and pasted. The argument that the typed name “Nick” satisfied their requirements/interpretation of a signature is staggeringly ridiculous! Furthermore, most companies require official proof of bank details if they are requested to pay funds into any account other than that on record for their client/s. It’s a simple FICA requirement. Dismal failure of compliance by this institution.

Not even flattened pdf is safe. Anything that you can see with eyes can be lifted electronically. Computer cameras and phone cameras and even printers have resolution capability several times more refined than the human eye.

The legal concept of a visible signature is unfortunately dead, expired, obsolete and proves nothing.

Separately and independently registered e-signatures are safe, as these are registered with a third party for each use and are independently verified for each use.

End of comments.

LATEST CURRENCIES  

USD / ZAR
GBP / ZAR
EUR / ZAR

Podcasts

NEWSLETTERS WEB APP SHOP PORTFOLIO TOOL TRENDING CPD HUB

Follow us:

Search Articles:Advanced Search
Click a Company: