More thoughts on business email compromise

by Marianne Mokken | July 9, 2024

In January 2023 the Gauteng High Court awarded R5.5 million plus interest to the purchaser of a property whose transfer was handled by Edward Nathan Sonnenbergs Inc. (“ENS”). The claim arose after the purchaser fell victim to cybercrime and paid the aforesaid amount into the account of the fraudsters instead of ENS¹. I wrote about this case and another relating to business email compromise (“BEC”) in my article “The duty to warn our clients”.

Judge Mudau then decided that the conveyancer ENS owed the purchaser a legal duty and accordingly had to warn the purchaser of any possible risks associated with the electronic transfer of money, one of them being the possibility of BEC. They were also expected to provide a more secure platform for communication with customers.

The Supreme Court of Appeal (“SCA”), however, upheld an appeal brought by ENS in June this year, focusing on the question of whether the actions of ENS were wrongful.

Traditionally the courts will, in the case of an omission, ask the question of whether a legal duty rested on a defendant and was breached. The question is answered by considering the legal convictions of the community. Several factors have over time been identified by the courts that would indicate that a legal duty did in fact rest on a defendant. Examples of these would include the Van Eeden case², which discussed control over a dangerous object, situation or person, and the Ewels case³, which discussed, amongst others, a special relationship between parties. A mix of the different factors can be present in any given situation.

In the ENS case the SCA specifically referred to the Country Cloud⁴ case, where the court highlighted the risk of indeterminate liability and the vulnerability to risk as possible factors indicating that a legal duty rested on someone to act positively. The SCA pointed out that acknowledging a legal duty in the case of ENS could mean that any creditor who sends their bank details by email would have to protect their debtors against a possible attack, a consequence that cannot be justified and amounts to indeterminate liability. The SCA further stated that the defendant had reasonable means at her disposal to avoid the risk posed, either by verifying the bank account details (as she was previously informed to do) or by using a bank-issued guarantee.

It is also worth mentioning that the SCA in this instance refers to a new approach to determining wrongfulness of an omission as stated in Le Roux v Dey⁵ rather than the traditional approach of determining whether a legal duty existed in terms of legal convictions of the community:

“In the context of the law of delict: (a) the criterion of wrongfulness ultimately depends on a judicial determination of whether – assuming all the other elements of delictual liability to be present – it would be reasonable to impose liability on a defendant for the damages flowing from specific conduct; and (b) the judicial determination of that reasonableness would in turn depend on considerations of public and legal policy and in accordance with constitutional norms.”

This point of view has been criticized⁶, but the courts seem to have reconciled this approach with the traditional approach, and continue to use the new approach, as evidenced by the recent ENS case.

Even though the outcome in the ENS case is quite different from the original one, the lessons we can learn from it stay the same:

  1. Training of staff remains important. This case is not the only reason why you should revisit your training program. If the different enforcement notices from the Information Regulator are analysed, training is an issue that pops up over and over again.
  2. Implement processes with appropriate checks in place to avoid BEC.
  3. Warn your clients of the risks of BEC. A common factor in recent case law was that the clients were hacked. Informing your clients of these risks and how to avoid them can also serve them well in their dealings with other businesses.

If you need help with your compliances, reach out to us. Contact Dale Petersen on 021 819 7802 or at to connect with us.



  1. Hawarden v Edward Nathan Sonnenbergs Inc. (13849/2020) [2023] ZAGPJHC 17
  2. Van Eeden v Minister of Safety and Security (Women’s Legal Centre Trust, as amicus curiae) 2003 1 SA 389 (SCA) 400
  3. Minister van Polisie v Ewels 1975 3 SA 590 (A)
  4. Country Cloud Trading CC v MEC, Department of Infrastructure Development, Gauteng [2014] ZACC 28
  5. Le Roux v Dey 2011 3 SA 274 (CC) 315
  6. Neethling, J. Potgieter, JM. 2020 Law of Delict 8th ed. Johannesburg: Lexis Nexis p. 94

