BEC email scam

The email that came from the supplier, but didn’t really

The world’s costliest cybercrime doesn’t require hacking. It requires patience, research and a single, easy-to-miss character in an email address.
June 10, 2026
4 mins read

Priya Naidoo (not her real name) had worked with the same construction supplier for 11 years. She knew the account manager, his preferred sign-off and the way he wrote subject lines. Priya was the financial controller of a mid-sized property development company in Joburg. Meticulous to the point of being annoying, she ran a tight payment process.

On a Thursday afternoon in September, she received an email from her supplier’s account manager confirming their upcoming R2.3m progress payment and notifying her of a change in banking details. New bank. New account. “Please update your records before the payment run on Friday.”

The email appeared to come from the right address. It carried the right signature block, correct cellphone number, correct title and correct company logo. The language was his. The timing made sense, since the payment run was already scheduled.

Priya followed her own process. She sent a confirmation email to the same address. The reply came within the hour, on the letterhead, with a signed bank confirmation letter attached. She updated the beneficiary, and processed the payment the next morning.

She discovered the fraud eight days later. The account manager had called to ask about the overdue invoice.

What happened to Priya is called business email compromise (BEC), and it is, by measured financial loss, the most damaging form of fraud on the planet. It does not require a phishing kit or a spoofed bank number. It requires patience, research and access to an email thread.

Careful execution

The operation had begun weeks before the email arrived. Someone had compromised an email account at the supplier and had been reading the correspondence. They knew the payment was coming. They knew the amount. They knew Priya's name and her process. They knew she would ask for confirmation before updating banking details, so they built the confirmation into the attack before she could request it. The signed letter, the letterhead, the logo: the fraudsters had assembled all of it from documents already in the email chain.

The email address was not the real one. It was one character different, a substitution that most email clients do nothing to highlight and that a busy reader will not see. Priya's confirmation request went to the fraudulent address. The fraudulent address replied.
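A substitution the eye reads past is still easy for a machine to catch, provided someone tells it which domains are on file. What follows is an added example, not code from the article or from Venture Labs: a Python check that a finance team's mailbox rule or mail gateway could run on inbound messages. It compares the From and Reply-To domains against the supplier domains in the vendor master record, flags any domain that is one edit or one look-alike character away from a known supplier, and holds for review anything that also mentions banking or beneficiary details. The supplier domains, addresses, confusable table and the three messages are all constructed for illustration.

```python
"""Flag look-alike supplier domains and Reply-To redirection in inbound mail.

Added example for illustration only; not the article's or Venture Labs' code.
Every domain, address and message here is constructed.
"""
import unicodedata
from email import message_from_bytes, policy
from email.utils import parseaddr

# Supplier domains as recorded in the vendor master file (constructed list).
KNOWN_DOMAINS = {"buildsupply.co.za", "acme-construction.com"}

# Character sequences that render almost identically in common fonts.
# Applied after ASCII folding; deliberately short, extend for your own partners.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

BANKING_TERMS = ("bank", "account", "beneficiary", "banking details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one swapped character scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Reduce a domain to a visual skeleton so homoglyph swaps compare equal."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from an address header such as From or Reply-To."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_domain(domain: str) -> str:
    """'known' = on file, 'lookalike' = one edit or a homoglyph away, else 'unknown'."""
    if domain in KNOWN_DOMAINS:
        return "known"
    for known in KNOWN_DOMAINS:
        if skeleton(domain) == skeleton(known) or levenshtein(domain, known) <= 1:
            return "lookalike"
    return "unknown"


def check_message(raw: bytes) -> dict:
    """Return the sender domains, findings, and whether to hold the message for review."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(str(msg["From"]))
    reply_dom = domain_of(str(msg["Reply-To"])) if msg["Reply-To"] else from_dom
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()

    findings = []
    if classify_domain(from_dom) == "lookalike":
        findings.append(f"From domain {from_dom} is a look-alike of a supplier on file")
    if classify_domain(reply_dom) == "lookalike":
        findings.append(f"Reply-To domain {reply_dom} is a look-alike of a supplier on file")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    mentions_banking = any(term in body for term in BANKING_TERMS)
    if mentions_banking:
        findings.append("Body refers to banking or beneficiary details")

    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "findings": findings,
        # Hold anything that both touches banking details and shows a domain anomaly.
        "hold_for_review": mentions_banking and len(findings) > 1,
    }


# Constructed message: the supplier's domain with a digit 1 in place of the letter l.
SAMPLE_LOOKALIKE = b"""\
From: Thabo Molefe <thabo@buildsupp1y.co.za>
To: priya@devco.example
Subject: Progress payment - updated banking details
Content-Type: text/plain; charset=utf-8

Hi Priya, please update our beneficiary record to the new bank account before Friday's run.
"""

# Constructed message: genuine From domain, but replies are steered to the look-alike.
SAMPLE_REPLYTO = b"""\
From: Thabo Molefe <thabo@buildsupply.co.za>
Reply-To: Thabo Molefe <thabo@buildsupp1y.co.za>
To: priya@devco.example
Subject: Re: Progress payment
Content-Type: text/plain; charset=utf-8

Confirming the new banking details as per the attached letter.
"""

# Constructed message: genuine sender, nothing to flag.
SAMPLE_CLEAN = b"""\
From: Thabo Molefe <thabo@buildsupply.co.za>
To: priya@devco.example
Subject: Site visit on Tuesday
Content-Type: text/plain; charset=utf-8

See you at the site office at 9.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLYTO), ("clean", SAMPLE_CLEAN)):
        print(name, check_message(raw))
```

Two caveats. The skeleton step folds accented Latin characters but not, for example, a Cyrillic letter standing in for a Latin one; such a domain arrives in headers in its punycode (xn--) form, which this check reports as "unknown" rather than "lookalike", so an "unknown" sender raising banking details deserves the same hold. And no filter replaces the out-of-band step: a beneficiary change is confirmed by phoning the number held in the vendor master record, never by replying into the thread, because the thread is exactly what the attacker controls.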

This is the mechanism that makes BEC categorically different from fraud targeting individuals. It does not rely on panic or urgency. It exploits the process, turning the victim's own verification procedure into the attack vector. Priya asked for confirmation. Confirmation was provided, by the attacker, because the request went to the attacker.

Corporations carry a specific exposure here. Standard payment processes inside a company, such as approval chains, beneficiary update procedures and dual-authorisation requirements, are designed to catch internal errors and internal fraud. But an external party who has read enough correspondence to understand exactly how those processes work and to design an attack can pass through these controls cleanly.

The supplier relationship is the particular vulnerability. Eleven years of correspondence, regular payment cadences, established trust, every element that makes a business relationship efficient makes it vulnerable. In the wrong hands, it is a guide.

Priya’s company had cyber-insurance, but the insurer disputed the claim on the grounds that the payment had been authorised by an employee in accordance with established procedure. The money has not been recovered.

Who is liable?

According to FBI data, between October 2013 and December 2023, BEC generated reported exposed losses (actual and attempted) of $55.5bn globally across more than 305,000 reported incidents, making it the single most financially damaging cybercrime category for seven consecutive years.

Globally, courts have grappled with determining where the loss should sit in cases like this. In South Africa, the leading authority is the judgment of the Supreme Court of Appeal (SCA) in a 2024 case involving law firm Edward Nathan Sonnenbergs (ENS) and Judith Mary Hawarden.

Hawarden had purchased a property from a seller who was an ENS client and, having been cautioned about cybercrime risks, elected to pay R5.5m into the ENS trust account.

ENS emailed her its banking details. Her own email account had been hacked, and what she received was the same letter with the fraudster's account substituted for ENS's. She paid the fraudster. She then paid ENS again to complete the purchase, and sued ENS for her losses, arguing that ENS owed her a duty of care and should have warned her more explicitly about BEC risks.

The high court found in her favour. The SCA overturned it. It held that because no mandate existed between ENS and Hawarden, extending ENS’s duty of care to encompass risks to a third party would be overreach. She had been warned by the estate agent. She could have verified the banking details independently. And she could have asked her bank to confirm ENS’s account at the point of payment. 

The SCA also accepted ENS’s argument that a finding of liability would have profound implications not just for attorneys but for any creditor who communicates banking details by email.

Hawarden has since applied to the Constitutional Court to overturn the SCA's findings. If it rules in her favour, it would create a new category of delictual liability in South African law.

No trace

The structural observation that runs through Priya’s case and through Hawarden’s is the same one that runs through every BEC dispute. The fraud does not leave a trace in the systems that process payments. The bank sees a valid instruction. The service provider sees a confirmed request. The email chain appears to be a legitimate conversation in every respect. What none of those records contains is the compromised mailbox, the weeks of silent reading, the one-character substitution, or the fabricated confirmation letter.

The system records the authorisation. It does not record what produced it. And in that gap, every subsequent question of liability is forced to operate without the evidence it actually needs.

By the FBI's reported figures, BEC has cost more than ransomware, more than phishing, more than any other category of cybercrime. It costs more precisely because it is not technical. It is relational. And relationships, by design, do not come with a verification layer.

Dirk de Vos is the CEO of Venture Labs and director of QED Solutions. Patrick le Roux is the founder of Venture Labs and CEO of OSINT SA. Venture Labs develops infrastructure to turn digital events into cryptographically provable, replayable truth.


Dirk de Vos

Dirk de Vos has a background in corporate finance and is an expert in regulatory systems. Dirk is the CEO of Venture Labs.

Patrick Le Roux

Patrick Le Roux is a fraud investigations specialist focused on complex financial and digital crime. At Venture Labs, Patrick designs advanced counter-fraud architectures that prevent, detect, and prove fraud at execution time.
