Cruel e-mail scam robs dad of his pension savings
Seeff denies liability after Cape Town man loses nearly R1m he paid into fake account
PETROFSKI Williams is a broken man. His nearly R1-million pension payout, which he put down as a deposit on an investment property, is gone — siphoned off by fraudsters who hacked into an e-mail account belonging to one of southern Africa’s leading estate agencies.
Gone is his dream of using the rental income from the house in Langebaan — about 120km north of Cape Town — to cover his daughter’s university fees.
The irony of the story is that Williams, 50, who had worked in the City of Cape Town’s property management department for 26 years, is a cautious man. He was careful throughout the deal to buy the R1.25-million home, even delaying paying the deposit until he could be guaranteed a competitive interest rate from the conveyancers, pending transfer.
So careful that, after the estate agent had e-mailed at least three different bank account numbers for transferring the R900 000 deposit, Williams called the agent from inside his bank and, he claims, read out the bank name and account number he’d received in her final message to him that day. He asked her to confirm the details, which she allegedly did, and the money was transferred to a Nedbank account.
Of course, unknown to Williams, that final e-mail in July this year — despite having been sent from the agent’s official Seeff address — was fake: it contained the account details of fraudsters, and not the appointed conveyancers.
When the funds didn’t arrive, a cyber forensic investigation was commissioned by the Seeff Langebaan franchise (Seeff offices are independently owned and run). It concluded that the agent’s e-mail account, username and password had been compromised by an unknown party.
In a report released more than a month later, consultancy eForensik said: “The scammers appear to be very skilled and have the knowledge to spoof e-mail accounts . . . [they] appear to have inside knowledge of property transactions — possibly by hacking into e-mail accounts and/or by insider information.”
Forensic investigators said the agent’s laptop could also have been compromised by a “spear phishing” attack, which is a phishing attempt directed at specific individuals or companies.
General phishing usually involves fraudulent e-mail messages which appear to come from legitimate sources, like a bank, university or service provider.
In their report, the investigators hired by Seeff said they had found no evidence that their client’s staff members had been involved in the fraud, nor could they determine whether Williams had confirmed the fraudulent account information with the agent as alleged. She reportedly “cannot recall”.
So where does this leave Williams? Not sitting very pretty. Unemployed and having lost his money, he is in no position to fight Seeff in court.
Said the distressed father: “We have been experiencing significant difficulty in getting any further substantive response from Seeff, its franchisee or lawyer, as to how they propose to deal with what happened.
“We believe that Seeff has been negligent, not only in relation to its lax computer security, which enabled its agent’s e-mail account to be hacked, but also because the agent was negligent in failing to check the bank account details when I specifically telephoned to check these immediately before transferring the deposit.”
A bank official has signed a statement confirming that, in her presence, Williams read out the bank account details to the estate agent over the phone.
“My wife and I have the clear sense that we are being fobbed off by Seeff in the hope that this matter will go away,” Williams said. “We will, however, not drop it, as we are not able to absorb the financial loss and we have suffered severe emotional distress.”
Gillian Bolton, a forensic legal expert who is assisting the former municipal employee, agrees.
“There is the broader issue of the role and responsibilities of the Seeff group as regards the security of its IT environment, given that the agent made use of a Seeff domain name . . .
“The cyber forensic report should in no way be seen as a comprehensive forensic investigation, as it was very limited in terms of its mandate and scope,” she said.
The lawyer acting for Seeff Langebaan, Charlene du Toit, said her client had briefed counsel who had advised that the franchise was “not negligent in any way whatsoever” and nor was any Seeff employee.
She said that, immediately after becoming aware of the fraud, her client had offered to assist the Williamses financially, “with litigation or in any other way, to recover the funds”.
“Our client has always been, and still is, prepared to assist the complainants, the bank and the SAPS, and to co-operate in an attempt to recover the funds and/or trace the individual responsible,” Du Toit said.
The Power Report has learnt that this is one of at least 11 similar cases under police investigation in Cape Town. All share the same modus operandi and are believed to be the work of the same syndicate.
The cases, dating to last November, involve other estate agencies and conveyancers. There have been similar cases reported in KwaZulu-Natal — as recently as last month in Durban.
So can’t Seeff, as the umbrella company, compensate Williams?
Said Seeff national marketing manager Ted Frazer: “We explored the possibility of making a claim through the Estate Agency Affairs Board Fidelity Fund. However this fund is only applicable to issues pertaining to trust-account fraud.
“Seeff is currently exploring procuring cyber insurance. However, not only is this prohibitively expensive, but [it] also only provides protection for losses arising from data fraud, not financial losses.”
Frazer said Seeff was not responsible for the cyber attack, nor had it been negligent. The group was Google’s largest estate-agent client in southern Africa, and enjoyed the benefit of its “robust IT security”.
“The brand and branch have only been implicated in so far as the perpetrators acted under the guise of a Seeff e-mail address,” he said.
Williams is gutted. “These people are heartless. This is 26 years of my working life taken from me. My daughter’s future education is now gone,” he said.
It’s certainly heartbreaking. And whoever is ultimately found liable, if anyone is, this matter sounds alarm bells for all consumers, particularly those buying property, to take special care when transferring funds.
Triple-check bank account details, especially when e-mailed. Assume absolutely nothing.
Tune in to Power FM 98.7’s “Power Breakfast” (DStv audio 889) at 8.50am tomorrow to hear more from Megan
These people are heartless. This is 26 years of my working life taken from me