January 29, 2024
You Can (and Should) Both Discipline and Prosecute Thieving Employees
“It’s the profile of the most trusted individual, in a position of trust, like an accountant or bookkeeper. They usually never take leave, and someone who never allows anyone access to their system would go to the length of taking their laptops with them while they are on holiday so that they can continue working. They are usually caught in the moment of forced absence from work.” (Specialised Commercial Crimes Court as reported by News24)
Our courts report a surge in serious cases of theft from employers by their most trusted employees – often bookkeepers and accountants. The greater the trust placed in these dishonest individuals, the more they steal and the longer they get away with it.
Particularly in more serious cases, employers should lay criminal charges as well as instituting disciplinary proceedings. Criminal courts are imposing hefty deterrent sentences, and the Labour Court has confirmed that laying charges does not prejudice the simultaneous disciplinary process.
Minimum sentences apply
Firstly, minimum sentencing provisions apply when large amounts have been stolen. Even first offenders must be sentenced to a minimum of 15 years’ imprisonment for any fraud or theft involving more than R500,000 (R100,000 for persons acting together or R10,000 for law enforcement officers) unless “substantial and compelling circumstances exist which justify the imposition of a lesser sentence”.
Let’s look at some recent cases –
- 50 years for a R537m theft: Over some two decades of employment in a position of trust as an accountant, an employee admitted to 336 counts relating to thefts totalling an astonishing R537m. She had tried to cover up with fraudulent VAT claims and although her lavish lifestyle (she spent R5m on one specific day) attracted attention, it seems that it was only an anonymous tip off that eventually led to her detection and arrest. She was sentenced by a Specialised Commercial Crimes Court (SCCC) to 50 years behind bars.
- 10 years for a R13.4m fraud: A creditor’s clerk, once again in a position of trust, pleaded guilty to 972 counts of fraud totalling over R13.4m and stretching over 9 years, only discovered when she went on sick leave. The mitigating factors in her case (she has health issues and is 65 years old) led the High Court to reduce her 15-year sentence to a below-the-minimum 10 years.
- 18 years for a R14m theft: A financial manager stole over R14m, leaving the couple who had trusted him with their finances without their life savings (including a cancer diagnosis payout) and on their knees financially and emotionally. The Court’s sentence of 3 years more than the minimum reflected its finding that the aggravating factors justified removing the manager from society, despite his gambling addiction and previous clean record.
- 15 to 30 years for a R52m fraud? A trusted store accountant “viewed as a brother” by its traumatised owners (one of whom even contemplated suicide), admitted to two counts of fraud totalling R52m as a result of his gambling addiction. He will only be sentenced in March, but it seems from media reports that he is unlikely to receive less than the minimum 15 years’ imprisonment per count, possibly to run concurrently.
The Labour Court confirms you can do both
A municipal manager with 15 years’ service was criminally charged with very serious frauds. He asked the Labour Court to stop his employer’s disciplinary process against him, arguing that in defending himself at the disciplinary hearing he might have to give self-incriminating evidence.
The Labour Court disagreed, finding that the employee had several layers of protection available to him in the criminal trial, and clearing the employer to proceed with the disciplinary hearing simultaneously. In fact, said the Court, “It is tantamount to an abuse of court process by a person holding a managerial position using court processes to prevent his employer from subjecting him to a disciplinary process under the guise of protecting his constitutional rights.” It accordingly ordered him to pay all costs on the punitive attorney and client scale – a very unusual censure in labour law matters where both sides are normally left to cover their own costs.
Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.
© LawDotNews
March 3, 2023
Check All Emailed Bank Details for BEC (“Business Email Compromise”) Frauds
“…sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated.” (Extract from judgment below)
Before you make any payment to a supplier’s bank account on the basis of an emailed invoice, check that the bank account details in the invoice are genuine.
If your supplier’s or your email system have been hacked in a BEC (“Business Email Compromise”) scam, the invoice details could easily be fraudulent and if so you will be paying into a scammer’s bank account.
Property transactions are prime BEC targets, but not the only ones!
You will have seen many warnings about the global problem of conveyancing email scams, where emails are intercepted and false bank account details appear in invoices or in the mails themselves. Property sales are usually high value transactions and thus a natural target for fraudsters.
Increasingly though, other non-property related business-to-business and business-to-customer transactions are being targeted – the higher the value of the deal, the more likely it is to be subjected to online crime.
Let’s take a topical example…
It’s high-value inverter time, and the bad guys are taking note…
You decide to install a high-value inverter, courtesy of Eskom’s “no end in sight” loadshedding. Inverter installers – let’s call them “Speedy Sparkies Inverter Systems” – email you a quote for R145,000. You accept. Back comes an emailed invoice from fred@speedysparkies.co.za asking you to pay R100,000 upfront to cover materials. You transfer R100k to the X Bank account on the invoice and ask when they will install. The friendly return email reads “Thanks for the payment, we’ll fit you in next week Thursday. Best, Fred”.
Thursday rolls around but no Fred. You phone him. “But you haven’t paid us yet” says Fred. “Yes I have, I paid into your account last week and you emailed confirmation of receipt of payment”. “No, definitely no payment received and no email from us confirming receipt.” “That’s impossible Fred, I have your email in front of me”. At which stage you notice, with a sinking heart and rising panic, that that last email came from fred@speedy-sparkies.co.za – with a hyphen. “Nope, really sorry” says Fred, “there’s no hyphen in our email address and we bank with Y Bank not X Bank. You’ve been scammed. We’ll try to help you but you need to pay the R100k again before we can install”.
Denial, anger, acceptance, then off to the bank to ask for help and off to SAPS to lay charges. Your bank and the police are sympathetic but not hopeful of recovery. So what happened?
How did you just lose R100k?
Using phishing tactics, the scammers hacked into Speedy’s email system then monitored all their emails, waiting for a high value contract to pop up. They pounced, intercepted the email to you with the invoice, changed only the return email address and the bank account.
You suspected nothing – the look and feel of the email and invoice are totally genuine, the wording of the mails is Fred’s (right down to his trademark sign-off “Best, Fred”), the email address difference is so subtle you don’t notice it. Sometimes scammers can even “spoof” an email address, where the sending email address appears to be the same as the legitimate one.
It all looks 100% authentic and of course by the time you and Fred realise anything is amiss, your money is long gone.
The only winners here are the scammers and the question now is “who is the loser?”
Who takes the loss? Who pays for your inverter now? Can you sue?
Here’s the rub – you blame Speedy for allowing their system to be hacked. You accuse them of negligence and of failing in their duty to keep your data safe in compliance with POPIA (the Protection of Personal Information Act). But Speedy deny fault and say you carry the risk and anyway it’s your mistake for not noticing the falsified email address and for not phoning Fred to check the bank account details. Speedy’s insurers confirm they have no cover for this sort of fraud.
Do you have a legal claim against the business? There’s no cut-and-dried answer to that, with our case law outcomes to date tending to vary with each particular set of facts, and the courts referring to various questions of proving negligence, compliance with payment instructions, “considerations of legal and public policy”, and reference to a general rule that anyone making a payment to someone else is required to check that they are paying into the correct account.
So as a customer, it’s probably safest to work on the basis that you could well be held to be the party at risk and will almost certainly have to prove (at the very least) negligence on the part of the business in order to stand a chance of establishing any claim against it.
As a business on the other hand, your legal position is far from secure. You will be accused of negligence (and perhaps also breach of POPIA) if it is your system that was hacked. Even if it is your customer’s email account that has been hacked you are still at risk, as confirmed by the recent High Court award of R5.5m (plus interest and costs on the punitive attorney and client scale) in just such a case against a conveyancing firm on the basis of its legal duty of care towards a property purchaser, and on a finding that “but for the negligent transmission of its account details and failure to warn [the buyer] upfront of the inherent danger of BEC, she would not have suffered the loss.” In the Court’s words “sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated”.
On a strictly practical level, your reputation is at stake and those 5-star Google Reviews could be in for a knock.
Bottom line – take legal advice specific to your case. Perhaps you will both be advised to cut your losses and to share the pain 50/50. Far from ideal, but a lot better than protracted and bitter litigation.
Prevention being as always a lot better than cure, we share below some ideas on how to protect yourself from this sort of cyber fraud in the first place.
Prevention – here’s what to do
- Businesses: Most importantly, protect your systems from being hacked! Train all staff in the increasingly sophisticated nature of phishing emails, update all your software and beef up your anti-virus and anti-malware protections and protocols. Consider not putting your banking details on invoices and tell customers to phone you to check any details they are given. Consider using a secure payment portal with two-factor authentication (2FA) and protect any PDF documents you send (it’s a myth that PDFs can’t be altered). Tell customers on every email that you will never advise any change of bank details by email. Check with your insurers whether you can get cover for this risk.
- Customers: Take the same strong anti-hacking measures. Never pay anything without checking bank details direct with the business, either in person or telephonically (don’t use the phone numbers on the emails or invoices, they could easily have been faked as well). Check email addresses carefully – make sure the return address is the same as the sender’s address (some tips on how to do that here), watch for subtle changes like ‘.co.za’ becoming ‘.com’ or vice-versa, and remember that every hyphen, every letter and every number in the email address counts. Use bank-defined beneficiaries for online banking where possible. Be very suspicious of any “we’ve changed our banking details” communications.
Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.
© LawDotNews
January 3, 2023
“Double Jeopardy” for Tax Evasion – Penalties plus Prosecution
“Administrative penalties and criminal proceedings do not serve the same purpose. The [one] is aimed at strengthening internal controls of the administrative authority and to promote compliance while the other is aimed at correcting a behaviour that caused harm to the society.” (Extract from judgment below)
SARS has announced major crackdowns on tax defaulters, and a recent High Court decision highlights the dangers of being caught out for “intentional tax evasion”.
R1.3m prejudice to SARS
- A close corporation (CC) registered for both income tax and VAT (value added tax) rendered “nil” returns to SARS over a four-year period, indicating that no income had been generated and no expenses incurred.
- After a tax audit, SARS determined (and the CC admitted) that the returns were false and that SARS had in consequence suffered prejudice of R819,607 on VAT and R493,600 on Income Tax.
- SARS levied 10% late payment penalties and further imposed a 150% understatement penalty on both Income Tax and VAT. The 150% was imposed for “intentional tax evasion”.
- Both the CC and the member were then also charged criminally for intentional tax evasion.
Both penalties and prosecution – is that “Double Jeopardy”?
They applied to the High Court for a declaration that the relevant sections of the Tax Administration Act are invalid, arguing that it is inconsistent with the constitution to “criminally punish the taxpayer twice for the same criminal offence of intentional tax evasion.”
Which raised the question of whether or not this was a case of “double jeopardy” – the legal rule that “no one may be punished for the same offence twice.” You cannot, in other words, be repeatedly prosecuted for the same offence.
But, held the Court, “nothing precludes civil administrative proceedings and criminal proceedings from the single act”. Double jeopardy does not apply in a case such as this where “calling the taxpayer to account for the wrongdoing before an administrative body as well as the criminal are two distinct processes”.
In other words, both the CC and the member, having been subjected already to hefty administrative penalties (that 150% understatement penalty must hurt particularly badly!) now face criminal prosecution as well. Criminal records, substantial fines and direct imprisonment are all on the table.
Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.
© LawDotNews