A South African court recently ruled that buyers are responsible for ensuring their EFT payments go to the right account. Does this new reality mean consumers must become cybersecurity experts?
In a landmark ruling, the South African Supreme Court of Appeal decided it is the buyer’s responsibility to ensure an electronic funds transfer (EFT) is made to the correct bank account, putting the burden of fraud prevention squarely on the consumer.
While this ruling may seem like a reasonable precaution in an age of increasing cybercrime, it raises a serious question: Should we really expect consumers to become cybersecurity experts just to make a simple payment?
The case involved two car dealerships. The buyer, Hyundai Louis Trichardt, paid for vehicles via EFT, only to discover later that cybercriminals had intercepted the payment and redirected it to a fraudulent account.
While the buyer was a victim of business email compromise (BEC), the South African courts found that the responsibility ultimately lay with the payer to verify the details of the transaction. The court’s verdict emphasizes that the “debtor bears the risk of misdirected EFT payments” and shifts the responsibility away from the seller and even the financial institutions involved.
The shifting burden of responsibility
The rise of cybercrime, especially in the form of sophisticated scams like BEC, has made it increasingly difficult for consumers to avoid falling victim to fraud. According to recent data, the UK alone saw over £1.17 billion lost to fraud in 2024, with authorised push payment (APP) scams accounting for a staggering £341 million.
This marks a 12% increase in fraud cases from the previous year, with nearly 252,000 incidents reported. The sheer volume of such crimes suggests consumers are being put in an untenable position, one where it’s not just about making a payment but ensuring that it is routed correctly in an increasingly complex system.
This global increase in digital fraud shows that fraud prevention cannot solely rest on the shoulders of the consumer. The very systems designed to facilitate easy transactions – online banking, mobile apps, and payment platforms – are the same systems that make it easier for criminals to exploit vulnerabilities.
When a consumer attempts to make a simple payment, they are placing their trust in banks, businesses, and payment platforms to ensure that the transaction is secure. To place the responsibility solely on the consumer, as the South African ruling suggests, is to overlook the systemic flaws in the infrastructure of digital payments.
Should payment fraud responsibility be shared?
While consumers must always take precautions, such as verifying account details and using secure payment methods, such precautions are often insufficient in the face of the highly sophisticated fraud schemes that are currently prevalent. Banks and businesses have a crucial role to play in safeguarding transactions, but the existing systems often fail to provide adequate protection.
In the South African case, the buyer, Hyundai, relied on an invoice sent by the seller, Northcliff Nissan, which included the bank account details for the EFT. However, cybercriminals intercepted the communication and altered the account details, redirecting the funds to a fraudulent account. This type of fraud is growing in popularity and sophistication, with criminals exploiting weaknesses in email systems and payment infrastructure.
Banks are the gatekeepers of financial transactions. They have the power and resources to implement fraud detection systems that can identify suspicious transactions, alert consumers to discrepancies, and even stop payments before they’re completed. Yet, many banks fall short of providing sufficient protections.
While the UK has taken steps toward better consumer protection with regulations like the Payment Systems Regulator’s (PSR) mandate for reimbursement in cases of fraud, such measures are not universally available. In 2024, 67% of funds lost to APP scams were reimbursed in the UK, but that still leaves a significant portion of victims without recourse.
Moreover, businesses that process payments are equally responsible for ensuring their communications and systems are secure. If Northcliff Nissan had implemented stronger measures, such as confirming payment details with Hyundai via a secure method, the fraud might have been prevented. Sellers must take greater responsibility in ensuring the integrity of the transaction, especially when the risks of cybercrime are so high.
A question of fairness
The South African court’s decision raises a fundamental question: Is it fair to place the burden of fraud prevention entirely on the consumer? While buyers have a duty to be vigilant, expecting them to act as cybersecurity experts is unrealistic and burdensome. Technology and digital payment systems should be designed with consumer protection in mind, but as it stands, many of these systems have exploitable weaknesses that put consumers at risk.
Technological vulnerabilities in payment systems are not only a threat to consumers but also to the integrity of the entire digital economy. In the EU, for example, while the Payment Services Directive 2 (PSD2) has introduced measures like Strong Customer Authentication (SCA), the EU still grapples with fraud rates in payment systems. In 2023, the EU recorded €2.0 billion in fraud across payment instruments, and credit transfers were a major contributor, despite the introduction of enhanced security protocols.
Banks and financial institutions must invest in more robust fraud prevention technologies, and businesses must take a proactive role in securing customer data. Until these industries address the root causes of cybercrime, placing the full responsibility on consumers is not only unfair, it’s also an unsustainable approach to fraud prevention in the digital age.