Cybercrime was, once again, the topic under the spotlight when the court found that there was a duty on a financial service provider to protect its clients against cyberfraud which, in the case of the Rotary Club of Rosebank, was the victim of the crime.
The organisation lost R3.1 million when cybercriminals, purporting to act on instructions from the club, withdrew the millions. The money has vanished into the hands of the fraudsters.
The good news for the Rotary Club, however, is that the Gauteng High Court, Johannesburg, ordered that the financial service provider had to reimburse the club in full.
Judge Motsamai Makume found that the service provider and its officials who handled the club’s finances, were grossly negligent in not verifying the “instructions” by the club to transfer the money to various entities.
The fraudulent transactions were made possible by fraudsters having hacked into the email address of a Mr Franklin, the then-manager of the Rotary Club.
He and the club discovered the fraudulent transactions some time later. When they confronted the financial institution about the payments, the financial institution said it had believed the instructions to transfer the money had been genuine.
It later came to the knowledge of the members of the Rotary Club that R3.1m was transferred from Momentum into the bank accounts of unknown persons or entities.
The claim for the repayment of the R3.1m was brought against financial service provider Brough Capital Ltd and its director.
The Rotary Club ceded its claim against Brough to the Lester Connock Commemoration Fund, who was cited at the plaintiff in the application before court.
It is their case that the defendants breached the agreement with the club by not verifying the authenticity of the instructions in each of the five instances that resulted in the total amount paid to unknown entities.
The club asked that the financial institution be held liable for the loss incurred.
Under the investment management mandate, the Rotary Club authorised the financial institution to receive funds from the club and where applicable, withdraw money received.
The committee of the Rotary Club later decided to terminate the mandate with the defendant and had searched for a new investment fund manager.
It was shortly thereafter that it had come to the knowledge of the club members that R3.1m was transferred from Momentum into the bank account/s of unknown persons or entities.
Five transactions had taken place and on two occasions, R1m each was transferred into the fraudulent accounts.
The modus operandi used to siphon the funds was by an email from the Rotary Club, purportedly sent by Mr Franklin, addressed to the defendants who would then pass on the request to Momentum to make payment to the Rotary Club’s bank account held at Standard Bank.
When Momentum received the instructions from the financial institution that managed the club’s finances, it paid the money into the fraudulent bank account.
One email by the hackers of Franklin’s emails reads: “Please note that I shall probably have to draw some funds from my investments of about R500 000.00 for the club building project.”
Judge Makume said it was strange that in the emails, “Mr Franklin” talks about “my investment” and not the investment of the Rotary Club.
Franklin noted that the withdrawals followed an unusual pattern in respect of the amounts and the regularity. For instance, in a space of two days, R500 000 had been withdrawn and thereafter, two amounts of R1m each. Franklin said that was unusual and not how he, during his lifetime, communicated withdrawal instructions to the financial institution.
“The fact that the bank letter did not describe the Rotary Club in full, second, that it was unusual for the Rotary Club to make large withdrawals at short notice, should have raised eyebrows to a vigilant intermediary,” the judge said.
The defendants were ordered to pay back the R3.1m, with interest.
Pretoria News
zelda.venter@inl.co.za