With online fraud being widespread, now more than ever, where does the responsibility lie if a payment is made to a fraudulent account after the payer received new bank details via email prior to paying and did not confirm the different details, nor check whether the recipient had received the funds?
It is a settled principle of our law that a debtor has an obligation to seek out its creditor and that until such time that a debtor duly pays its debt to a creditor, it bears the risk of payment being misappropriated or mislaid. The South African Law Report has recently reported the case of Gripper & Co (Pty) Ltd v Ganedhi Trading Enterprises CC 2025 (3) SA 279 (WCC), where the Western Cape Division of the High Court reaffirmed this principle in the context of cybercrime.
Pertinent facts in Gripper & Co
The respondent (Ganedhi) and the applicant (Gripper) had been dealing with each other since 2014. Throughout this period, Gripper had always received payments from the Ganedhi into a specific Standard Bank account. In October 2021, Gripper sold and subsequently delivered valves to Ganedhi for an amount of R886 726.25. On 29 April 2021, Gripper issued an invoice and the delivery note signed by Ganedhi reflected Gripper’s long-standing Standard Bank banking details.
Ganedhi attempted to settle this invoice in May 2021, but was unfortunately the victim of a sophisticated fraud perpetrated by an unknown third party. This led to the amount of R866 726.25 being paid into a different Absa Bank account which belonged to the third party. The third party orchestrated this sophisticated fraud by sending an email to Ganedhi, where it unduly presented itself as Gripper’s representative, informing Ganedhi that Gripper had changed its Standard Bank account to an Absa Bank account and would accept payments in the latter account going forward. Ganedhi did not contact Gripper to confirm the change of banking details but relied solely on this intercepted email in effecting payment.
Ganedhi discovered after three days when Gripper requested payment that it had made payment into an unauthorised account. As a result, Gripper approached the court for, amongst others, payment of R866 726.25. The premise of Gripper’s application was that the payment of R866 726.25 remained due and payable to it because Ganedhi never paid it in the first place. In its defence, Ganedhi argued that Gripper’s conduct of wrongfully and negligently failing to secure its IT systems resulted in the fraudulent communication being dispatched to it. In support of this, Ganedhi filed an expert report which stated that there was no record of its systems being compromised.
Court’s decision
The court noted that the interception of the email was not the proximate cause of the payment being made into the incorrect account, but the decision to make payment after being wrongly satisfied that the bank account details had been verified was the proximate reason. In essence, Ganedhi (as a debtor) had the obligation to verify Gripper’s bank account as its creditor before making payment and failure to do so did not extinguish Ganedhi’s obligation to pay its debt. Relying on the judgment of Mosselbaai Boeredienste (Pty) Limited v OKB Motors CC 2024 JDR 1348 (FB), the court noted that a sufficient verification of a bank account does not require a great deal of effort, a simple phone call may well suffice. In conclusion, Ganedhi’s failure to efficiently verify Gripper’s bank account, as opposed to anything done by Gripper, was found by the court as the proximate cause of the payment being wrongly made, and Ganedhi was ordered to, inter alia, make payment to Gripper in the amount of R866 762.25.
Remarks
In a world where electronic payments are made daily, this judgment does not only remind us of the obligations and risks associated with these types of payments, but it also cautions debtors on their obligation to effectively seek out their creditors and verify the veracity of their creditors’ banking details prior to effecting payment.
