Don’t Let Cybercriminals Haunt You this Halloween — Verify, Verify, Verify!

“If you suspect deceit, hit delete!” (Online cybersecurity slogan)

October is Cybersecurity Awareness Month, a good time to note that as cybercrime continues to grow, more and more businesses and individuals are falling victim to the dreaded “BEC” or “Business Email Compromise” fraud. 

The million-dollar question: Who takes the hit?

Typically in a BEC fraud, email or other electronic communications between a creditor and debtor (often a seller and buyer, or service provider and client) are hacked by criminals, who con the debtor into paying what they owe into the fraudster’s bank account. By the time the parties realise they’ve been had, the criminals are long gone, and all that remains is the million-dollar (sometimes quite literally!) question: “Which one of us takes the hit?”

Until now we have been faced with conflicting High Court decisions on this point, but now the SCA (Supreme Court of Appeal) has settled it: The risk is the debtor’s.

A car dealership must pay twice over

It was a classic case of BEC: A dealership bought two Hyundai Nissan NP200 vehicles from another dealership for R145,000 each. The seller issued invoices showing its banking details. The buyer paid by EFT and sent proof of payment to the seller, which happily (without checking that the funds had actually landed in its account) delivered the vehicles to the buyer.

As always with these cases, one can imagine the sinking feeling that greeted the parties’ realisation that the seller’s emails and the attached invoices had been intercepted, and the banking details subtly altered. As a result, the buyer had paid the full R290,000 to the criminals’ bank account. 

Long story short, a real seesaw of a legal battle ensued. The buyer said, “I’ve already paid you”. The seller retorted, “No you haven’t, you paid the criminals,” and sued the buyer for the R290k. The seller won in the Regional Court, lost on appeal to the High Court, but then turned the tables again and celebrated victory in a further appeal to the SCA.

Verify, verify, verify

The SCA’s findings amount to this:

  • The onus is always on you as buyer to prove, on a balance of probabilities (i.e. more likely than not), that you have paid the seller.
  • When you pay by EFT, you must show that the seller actually got the money. In other words, that you paid into the correct bank account.
  • Creditors (recipients) have no legal duty to protect debtors (payers) from the possibility of their accounts being hacked where the debtor could have taken steps to protect itself but failed to do so.
  • The obligation therefore is on you as debtor to ensure that the bank account details in the invoice are in fact correct and verified because “it is the debtor’s duty to seek out his creditor”. Fail to follow basic verification steps, and your payment to the wrong account does not remove your liability to pay the debt — you still have to pay your creditor.

Bottom line, the buyer in this case should have verified the banking details given in the emailed invoices before paying. It didn’t, so it couldn’t prove that it had paid into an account authorised by the seller. 

It must pay the seller the R290k, with interest and doubtless substantial legal costs. 

Don’t make the same mistake

These scams grow more sophisticated by the day, fuelled now by AI-perfected deep fakes, cloned websites and social engineering. Treat all emails, all electronic messages, and all electronic invoices with great suspicion — even if they appear to come from businesses you have known and trusted for decades. Verify bank account details (preferably by speaking to the creditor directly on a number you know to be correct) before paying a cent. 

Property sales are particularly vulnerable

Be especially vigilant when buying or selling property because these high-value sales are a particular focus for cybercriminals worldwide. There are rich pickings in the offing, and the opportunities for baddies to intercept and falsify emails are multiplied by the range of trusted role players involved — typically several sets of attorneys, estate agents, and banks as well as the buyers and sellers themselves.

A final note on online security

Let’s end off with a note to everyone: Keep reminding your whole team (not just your accounts department) that securing your computer and email systems against bad-actor compromise is no longer a nice-to-have, it’s essential. This whole unhappy saga could have been avoided if everyone involved had followed basic security protocols. Prevention is always better than cure.

Give us a call if you need any help.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us for specific and detailed advice.

© LawDotNews

Private Prosecution: Neighbours at War

“I charge you by the law.” (William Shakespeare in The Merchant of Venice)

Victims of crime are entitled to see the perpetrators brought to justice. Feeling that the justice system has failed you can cause significant psychological harm and feelings of victimisation.

So, what happens if you believe that you are the victim of a crime, which you duly report to the police – only to be told that the NPA (National Prosecuting Authority) has declined to prosecute?

You could of course console yourself with the thought that “well, at least I tried” and walk away unfazed. But if you feel strongly enough about it, you are not without legal remedy – in appropriate cases you could be advised to go the private prosecution route.

A significant SCA (Supreme Court of Appeal) judgment last year provides an excellent example of just such a case.

Neighbours at war in an upmarket suburb

The scene here is Kloof Road in Cape Town’s Bantry Bay, renowned for its prime location on the Atlantic Seaboard, luxurious houses, and panoramic sea views.

The protagonists are next-door neighbours, whose acrimonious relationship and long history of disputes was founded in the one owner’s renovations, and the other’s strenuous objections to them. Who will eventually win that particular battle remains for another court to determine, but in the course of these disputes the one owner, a senior attorney, accessed his neighbour’s confidential credit records using a colleague’s login details.

This tactic backfired when the neighbour laid criminal charges against her adversary, saying that he had unlawfully and covertly accessed her personal and private information without the required authority or consent. She later added charges of fraud and defeating or obstructing the administration of justice, alleging that during the consequent investigation he had variously and falsely claimed firstly to have not accessed her data, then to have had her consent, then to have acted as her attorney, and lastly to have accessed her records inadvertently.

The media’s reporting of this high-profile spat created what the Court later described as a “public spectacle”, and the trial courts will have to wade through a web of hotly-contested and conflicting evidence in their search for the truth. 

But for now, our interest lies in the fact that the NPA declined to prosecute on any of these charges. Undeterred, the neighbour initiated a private prosecution, a move hotly contested by her opponent all the way up to the SCA. 

What must you prove to launch a private prosecution?

The SCA, in ultimately allowing the neighbour to proceed, set out our law on the matter. 

The starting point is always the NPA issuing a certificate nolle prosequi (a fancy Latin term meaning simply that the State declines to prosecute), for it is that certificate which opens the door to you to have a go at it yourself. As a side note here, legislation specific to the SPCA, SARS and a few other specialised entities allows them to prosecute specified matters without a nolle prosequi certificate – but the rest of us need one.

Once you’ve got your nolle prosequi certificate you must prove that:

  • You have an interest in the issue of the trial.
  • Your interest is substantial and peculiar to you. 
  • Your interest arises from some injury individually suffered by you. 
  • Your injury was suffered as a consequence of the commission of the alleged offence.

In deciding whether or not to grant your application, the court will also consider whether private prosecution would offend public policy. If you are shown to be acting maliciously, vindictively, vexatiously, or without foundation, your application will fail. 

Essentially, the Court performs a balancing act between your right to have your dispute “resolved by application of the law and decided in a fair public hearing before a court”, and the accused person’s “right not to be subjected to unfounded and vexatious private prosecution.”

In this case, the Court allowed the private prosecution to continue, commenting that the accused would now have the opportunity to vindicate his innocence at trial.

Think before you leap 

Before you charge blithely down this route, bear in mind that private prosecution carries, in the Court’s words, “enormous financial risk”. So be very confident of your prospects of success and bear in mind that:

  • Even if you win it’s a costly exercise, because you are now paying your own legal team and a private prosecutor out of your own pocket rather than relying on state officials to do the job for you.
  • If you lose and the trial court finds your prosecution to be unfounded and vexatious (a real risk after the NPA declined to proceed), you risk punitive costs and compensatory orders. If the accused can prove you acted without reasonable cause and with malice, you could also be liable for damages in a separate civil claim for malicious prosecution.

Considering a private prosecution? We’ll help you weigh up the pros and cons.

Verify Banking Details Before Paying Any Invoice – You’re at Risk, Not the Creditor

“An ounce of prevention is worth a pound of cure.” (Benjamin Franklin’s warning to fire-threatened Philadelphians in 1736)

Cases of Business Email Compromise (BEC) fraud continue to surge, and recent High Court decisions have confirmed that it’s up to you to verify that you are paying into the correct bank account. 

How does BEC work and who is at risk?

BEC fraud involves cybercriminals impersonating your trusted contacts (e.g. suppliers and professional advisors) in fraudulent emails that look genuine. The idea is to trick you into making payment into the scammer’s account. 

Everyone’s at risk, but BEC is particularly rife in transactions where large amounts of money are in play. Favourite targets are commercial operations and their customers, as well as all role-players in property sales – buyers, sellers, conveyancers and estate agents.

How do these scams work? For a snapshot of a classic BEC sting, have a look at this recent High Court case…

“But I paid you the R890k!”

Two Cape Town companies, who had been trading happily and successfully with each other for seven years, fell out over who should bear a loss of R886,726.25 after scammers stole the customer’s payment for a consignment of valves. Here’s how it went down:

  • The customer had always made payments to the supplier’s Standard Bank account in the past. So far, so good.
  • But then, enter stage left, our villain: Joe Scammer. Joe intercepts the supplier’s email correspondence and, pretending to be the supplier’s managing director, asks the customer to make all payments to an Absa bank account from now on.
  • The customer asks for a bank confirmation letter, which Joe (still in his guise as MD) gladly supplies.
  • Reassured, the customer makes payment to the Absa account. The fraud is only discovered when, three days later, the supplier emails asking for payment. 
  • Joe is of course now long gone with his loot, leaving customer and supplier to fight it out over who must bear the loss.

Blaming the supplier won’t work – you must “seek out” your creditor

The customer, sued by the supplier for the outstanding amount, contended that the blame lay with the supplier, whose own negligence in failing to secure its IT systems against email interception caused the fraud. 

That’s a defence often raised by BEC victims, and indeed our courts have stressed in the past the need for suppliers and professionals to ensure that their own computer systems are properly secured at all times. But it cut no ice in this case. 

Rather, said the Court, (emphasis supplied), “it is the debtor’s obligation to ‘seek out his creditor’ and … until payment is duly effected, the debtor carries the risk that the payment may be misappropriated or mislaid.”

The real cause of the loss in this case, held the Court, was not any hacking of the supplier’s emails (if there was in fact a hack – the supplier denied it), but the customer’s failure to take the steps that a “prudent debtor” would have taken to ensure that it was paying into the correct account. 

Our unfortunate customer must now pay the supplier, plus a raft of legal costs to boot. 

Pick up the phone!

Our courts will have no sympathy for you if you fall victim by not protecting yourself. A factor that counted against our customer here was (emphasis supplied): “the fact, known to any persons in business and making use of computer-based methods of communication and payment, that cyber crime is rampant and that care must be taken at all times to limit its impact.”

The good news is that a few simple preventative measures can provide everyone involved with a strong layer of protection:

  1. Put in place strong policies and procedures to ensure that your IT systems and emails are secured against breach and interception. 
  2. You, and all of your staff, must remain constantly vigilant against the techniques which the scammers use. They are particularly adept at exploiting trust-based and long-standing relationships, for instance with suppliers you have dealt with for years, and professionals like attorneys, accountants and financial advisors etc. 
  3. Most importantly, perhaps, given the current attitude of our courts: always verify payment details by contacting your creditor through another communication channel. As our courts have pointed out, “a simple telephone call” can be enough to avoid falling victim to fraud.

If you need help reviewing your fraud prevention and payment verification procedures, please feel free to contact us. 

No Means No: What the New Case on Consent Means for Victims of Sexual Violence

“Sexual violence is a horrific reality that continues to plague this country.” (Quoted in judgment below)

It’s often said that victims of rape and other types of sexual violence have to suffer twice – firstly at the hands of the rapist and secondly at the hands of the law.

A recent High Court ruling on the knotty question of consent could go some way towards remedying this. At the heart of the matter is the delicate balance between a victim’s right to be treated with dignity and compassion in their quest for justice, and the accused’s right to be presumed innocent until proven guilty in a fair trial.

The consent conundrum

To secure a conviction of sexual violence the State must prove – beyond reasonable doubt – the absence of consent to the accused person’s actions. Unfortunately, major injustices have resulted in the past from the fact that many perpetrators escaped conviction by simply claiming that they believed that consent had in fact been given – without having to show that their belief was in any way reasonable.

Two shocking acquittals

The Court referred to two practical examples of grave injustice rooted in the current wording of the Criminal Laws (Sexual Offences and Related Matters) Amendment Act:

  1. A woman had agreed to oral sex only, but her then-boyfriend proceeded to perform full penetrative sex. He claimed that her body language gave tacit consent to penetration and that he misconstrued her request to him to stop as a request to pause momentarily. He was acquitted on the basis that his version was “reasonable and possibly true, although his explanation was improbable”. The complainant had not objectively consented, but the State had not proved beyond reasonable doubt that his version, that he genuinely believed that there was at least tacit consent, was false. The court considered itself bound to acquit “unless it is satisfied not only that the explanation is improbable but that beyond any reasonable doubt it is false.”
  2. In the second case, a woman was raped by a man she met through an online dating site. He had invited her to his home for a “party” at which she turned out to be the only guest. The perpetrator was acquitted on the basis that, although the victim had not objectively consented to the penetration, “she neither physically resisted nor loudly protested. The State did not exclude the possibility that the accused did not hear her say ‘no’ and did not prove beyond reasonable doubt that he was aware that she was not consenting. Put differently, the court accepted that he had subjectively believed that there was consent.”

Enter a welcome new limit to the consent defence

The courts in question had no choice but to acquit given the Act’s present wording, and as the High Court put it: “Currently … an unreasonable belief in the presence of consent is a defence. The State bears the extraordinarily high burden to prove that the accused’s claim that he [it could of course have been a “she”] was under the impression that consent had been given is not reasonably possibly true.”

It accordingly held the relevant sections of the Act to be unconstitutional and invalid and ordered that they be read such that “…it is not a valid defence for that accused person to rely on a subjective belief that the complainant was consenting to the conduct in question, unless the accused took objectively reasonable steps to ascertain that the complainant consented to [the] sexual conduct in question.” (Emphasis supplied).

How will our courts interpret this in practice?

Based on the Act’s current wording, our courts have previously held that, “where there was no express rejection of the sexual act … consent has the following requirements: (a) the consent itself must be recognised by law; (b) it must be real consent; and (c) it must be given by a person capable of consent.”

Assuming the Constitutional Court upholds the High Court’s declaration of invalidity, we can only guess how our criminal courts will ultimately interpret whatever new wording it and parliament (which has 18 months to amend the Act) finally settle on. But something like the five-point common sense definition of consent given in Amnesty International’s article “Let’s Talk About Consent” may well form the basis of judicial interpretation down the line.

The article further suggests that “Consent is not about signing a contract! It’s about communication and about making sure all sexual activities happen with mutual consent.” Which seems like a fair and practical way of looking at it.

The bottom line?

One would hope that our courts will ultimately decide that only a genuine, unequivocal, unpressured, informed, specific and un-retracted “Yes” will be enough to escape conviction.

As a final thought, remember that this new law only comes into force if and when the Constitutional Court confirms it.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

How Does the New Corruption Reporting Law Affect Your Business?

“In defence of Madiba’s legacy, we will continue to wage a relentless war on corruption…” (President Cyril Ramaphosa)

You may have seen mention of the new amendment to the Prevention and Combatting of Corrupt Activities (POCCA) Act that imposes severe penalties for any failure to report corruption. If you did see it, you quite possibly thought “Doesn’t apply to me, I’m just a small business”.

Wrong! Let’s have a look at who the new law applies to, what it requires of you, the risk you run if you don’t pay it due attention, and how you should manage this new risk.

Who does the new reporting requirement apply to?

Not just big companies and multinational businesses. It applies not only to all members of “incorporated state-owned entities” but also to all persons and entities in the private sector. The definition here is very broad indeed, and it includes all types and sizes of businesses from sole trader up, all types of entity large and small, all companies, every “body of persons” and every “other legal person”.

In short, it applies to you!

What does it require of you?

Simply put, you must report any corruption or attempt at corruption. Of course, we all know what the common-sense definition of “corruption” is. If you need an exhaustive legal definition, we can certainly help you with that.

But in practice just be aware that it applies to any agreement or offer by an “associated” person (including employees, independent contractors and the like) to give anyone else any unlawful “gratification”. What’s more, “gratification” is so widely defined as to include every possible form of monetary or non-monetary advantage (or avoidance of disadvantage) you can think of. Naturally the agreement or offer in question must relate to an attempt to either obtain or retain a business advantage of some sort.

On another warning note, POCCA penalises not just active knowledge of corruption and wrongdoing, but also brings in concepts of “should have known” and “turned a blind eye”.

Put simply, you must report any form of “corruption”. Full stop.

What penalties apply?

In theory, the sky’s the limit here – unlimited fines and life imprisonment! In practice, courts will of course tailor the punishment to fit the crime. The bottom line: there are very clear indications that the authorities mean business, so beware.

How should you protect yourself?

The new law pulls no punches. But fortunately there’s a solid defence included in the new provision: to escape liability you only need to show that you “had in place adequate procedures designed to prevent” the corruption. There’s no definition of what this might entail, so it’s up to you to use common sense based on your particular business and circumstances. Local experts suggest that to be safe we follow the UK’s “Six Principles” – proportionality (procedures tailored to the level of your risk), top-level commitment, risk assessment, due diligence, communication, and monitoring and review.

Need help with drafting a corruption prevention protocol? Shout if we can help.

Home Buyer loses R5.5m in Phishing Scam – Don’t Make the Same Mistake!

“[The buyer] must in the circumstances take responsibility for her failure to protect herself against a known risk” (extract from judgment below)

Cybercriminals absolutely love targeting property transactions because they provide the perfect mix of large money deposits, heavy reliance on email communication from trusted parties like attorneys, banks and estate agencies, and deadlines creating a sense of urgency and lack of attention to detail.

Let’s consider just one recent example of a high-value BEC (Business Email Compromise) attack on the purchase of a house.

A textbook case costs a pensioner R5.5m

  • A woman describing herself as “an elderly divorced pensioner without the knowledge, experience or resources to protect herself against sophisticated cybercrime of which she had no knowledge or experience” purchased a house for R6m.
  • She paid a R500k deposit to the estate agents, and then after an exchange of emails with her appointed conveyancers, she paid the balance of R5.5m into what she believed to be the conveyancing firm’s account.
  • In fact, her email system had been hacked and the criminals were intercepting and altering both her incoming and outgoing emails. In a typically sophisticated operation, they ensured that the mails and attachments looked genuine, deceived the buyer into paying the R5.5m into their fraudulent account, and then, via a further chain of back-and-forth emails, delayed detection of the fraud for long enough to give them time to withdraw the funds and disappear.
  • The buyer sued the conveyancers for her R5.5m loss, arguing that they had a legal duty to protect her from the BEC. The High Court agreed and ordered the firm to pay her back, but that was reversed on appeal to the SCA (Supreme Court of Appeal).
  • Critically, the SCA held that in cases of “pure economic loss”, creditors have no general legal duty to protect their debtors from the interception of payments, and there is no inference of “wrongfulness”. So, it is up to the client in such a claim to prove not only negligence by the business, but also wrongfulness.
  • In this particular case the Court found that the buyer had “ample means to protect herself”. It was not the conveyancers but the compromise of her email account that enabled the criminals to intercept her emails. She could have paid by bank guarantee but chose to pay in cash. Moreover, she had been warned by the estate agency about this very risk and had heeded the warning and verified the agency’s banking details before paying in the deposit. She could, and should, have taken the same precaution before paying the conveyancers.
  • Bottom line – the buyer “must in the circumstances take responsibility for her failure to protect herself against a known risk” and must bear her R5.5m loss herself.

How to protect yourself – 5 steps to take immediately

  1. Whether you are a business or a client, protect your systems from being hacked. Constantly update all your software and anti-virus/anti-malware programs. Use 2FA (two-factor authentication) on your accounts. If it is your email system that is hacked and causes the loss, you have a problem! As a business you could also be in trouble for breaching POPIA (the Protection of Personal Information Act).
  2. Constantly warn everyone about the risks of email interception and fraud and remind them never to accept any change of banking details notifications without checking.
  3. Protect all attachments from alteration (including PDFs!).
  4. Before making deposits, phone to confirm all banking details you are given via email. Make sure to phone a number you have confirmed to be genuine – criminals regularly provide fake contact numbers in intercepted emails and documents.
  5. Carefully check all email addresses as scammers often make subtle changes – in this case for example the buyer failed to notice that the word “africa” in an email had been changed to “afirca”. Other common dodges are changing numerals or adding/removing hyphens.

Above all, treat all email communications as inherently unsafe and don’t let your guard down for a second!
