top of page
King-Essack & Associates

Home Buyer loses R5,5m in Phishing Scam – Don’t Make the Same Mistake!


phishing, fishing hook

'[The buyer] must in the circumstances take responsibility for her failure to protect herself against a known risk' (extract from judgment below)


Cybercriminals absolutely love targeting property transactions because they provide the perfect mix of large money deposits, heavy reliance on email communication from trusted parties like attorneys, banks and estate agencies, and deadlines creating a sense of urgency and lack of attention to detail.


Let’s consider just one recent example of a high-value BEC (Business Email Compromise) attack on the purchase of a house.


A textbook case costs a pensioner R5,5m


  • A woman describing herself as 'an elderly divorced pensioner without the knowledge, experience or resources to protect herself against sophisticated cybercrime of which she had no knowledge or experience' purchased a house for R6m.

  • She paid a R500k deposit to the estate agents and then after an exchange of emails with her appointed conveyancers, she paid the balance of R5,5m into what she believed to be the conveyancing firm’s account.

  • In fact, her email system had been hacked and the criminals were intercepting and altering both her incoming and outgoing emails. In a typically sophisticated operation, they ensured that the mails and attachments looked genuine, deceived the buyer into paying the R5,5m into their fraudulent account, and then, via a further chain of back-and-forth emails, delayed detection of the fraud for long enough to give them time to withdraw the funds and disappear.

  • The buyer sued the conveyancers for her R5,5m loss, arguing that they had a legal duty to protect her from the BEC. The High Court agreed and ordered the firm to pay her back but that was reversed on appeal to the SCA (Supreme Court of Appeal).

  • Critically, the SCA held that in cases of 'pure economic loss', creditors have no general legal duty to protect their debtors from the interception of payments and there is no inference of 'wrongfulness'. So, it is up to the client in such a claim to prove not only negligence by the business but also wrongfulness.

  • In this particular case the Court found that the buyer had 'ample means to protect herself'. It was not the conveyancers but the compromise of her email account that enabled the criminals to intercept her emails. She could have paid by bank guarantee but chose to pay in cash. Moreover, she had been warned by the estate agency about this very risk and had heeded the warning and verified the agency’s banking details before paying in the deposit. She could, and should, have taken the same precaution before paying the conveyancers.

  • Bottom line – the buyer 'must in the circumstances take responsibility for her failure to protect herself against a known risk' and must bear her R5,5m loss herself.


How to protect yourself – 5 steps to take immediately


  1. Whether you are business or client, protect your systems from being hacked. Constantly update all your software and anti-virus/anti-malware programs. Use 2FA (two factor authentication) on your accounts. If it is your email system that is hacked and causes the loss, you have a problem! As a business you could also be in trouble for breaching POPIA (the Protection of Personal Information Act).

  2. Constantly warn everyone about the risks of email interception and fraud and remind them never to accept any change of banking details notifications without checking.

  3. Protect all attachments from alteration (including PDFs!).

  4. Before making deposits, phone to confirm all banking details you are given via email. Make sure to phone a number you have confirmed to be genuine – criminals regularly provide fake contact numbers in intercepted emails and documents.

  5. Carefully check all email addresses as scammers often make subtle changes – in this case for example the buyer failed to notice that the word 'africa' in an email had been changed to 'afirca'. Other common dodges are changing numerals or adding/removing hyphens.


Above all, treat all email communications as inherently unsafe and don’t let your guard down for a second!


12 views
bottom of page