There is a moment in almost every property transaction where everything hinges on a single email.
The conveyancer sends the trust account details. The buyer, days away from owning a home, reads them, opens online banking, and transfers the balance of the purchase price. Often millions of rand. In one click.
Nobody in that chain stops to ask a question that, in hindsight, is the only question that mattered: is this email actually from the firm, and is this actually their account?
For a growing number of people, the answer turns out to be no. And by the time anyone discovers it, the money is gone.
This is the quiet anatomy of conveyancing fraud, and it is not a fringe problem. It is one of the most financially devastating forms of cybercrime in South Africa today, it disproportionately targets law firms, and the legal and financial consequences of getting it wrong have just shifted decisively onto whoever clicks "pay."
This article is about why that happens, what the numbers actually look like in South Africa, Africa, and globally, what is really causing it, and what a firm can do about it that goes beyond "phone to confirm the account."
What this fraud actually is
The technical name is Business Email Compromise, or BEC. Stripped of the jargon, it works like this.
A criminal gains access to, or convincingly imitates, an email account involved in a transaction. It might be the buyer's account, the seller's, the estate agent's, or the conveyancer's. They sit quietly inside the email thread and watch. They learn the names, the tone, the timeline, the amounts. They wait for the exact moment money is about to move.
Then they strike with a single, perfectly timed message: the banking details have changed, please pay into this account instead. Or they intercept a genuine email carrying real trust account details and simply swap the account number before it lands in the recipient's inbox. The branding is right. The signature is right. The thread is real. Only the destination of the money is wrong.
The reason property transactions are the favourite hunting ground is brutally simple. The sums are enormous, the payments are one-off, and the entire process runs on email between parties who often have never met in person. Property sales usually involve large amounts of money, and electronic communication between attorneys and clients is fertile ground for interception and deception.
That is the whole con. No malware, no hacking in the Hollywood sense. Just patience, impersonation, and a transaction that trusts an inbox it should never have trusted.
The numbers: how big this really is
Globally
The scale is staggering, and it is getting worse, not better.
In 2024, the FBI's Internet Crime Complaint Center recorded total reported cybercrime losses of USD 16.6 billion, the highest figure ever recorded and a 33% increase on the previous year. Within that, business email compromise alone accounted for USD 2.77 billion in losses across 21,442 reported incidents in 2024.
Step back and the decade-long picture is worse still. BEC has cost organisations a reported USD 17.1 billion since 2015, and attack volume rose by 54% between 2023 and 2024 as criminals adopted generative AI to produce convincing, error-free emails that mimic trusted colleagues and vendors.
And the human element is the entire vulnerability. These attacks rarely use malware or exploits. They rely on impersonation, urgency, and trust to convince employees to wire money. It is a low-tech con with high-reward results, and it keeps working.
To put a frame around how widely it touches business: a 2025 survey by the Association for Financial Professionals found that 63% of organisations experienced business email compromise in 2024. Nearly two in three.
Africa
This is not someone else's problem imported from abroad. Africa is both a major target and a major origin point for this exact type of fraud.
INTERPOL's Africa Cyberthreat Assessment found that cyber incidents across the continent caused estimated financial losses exceeding USD 3 billion between 2019 and 2025. In parts of the continent, the problem now dominates the crime landscape entirely: cybercrime makes up over 30% of reported offences in West and East Africa.
BEC specifically is concentrated and organised. INTERPOL's private sector partners report that 11 African countries concentrate most BEC activity, with Nigeria, Ghana, Côte d'Ivoire, and South Africa among the main hubs, and the financial sector is particularly targeted. The methods described are precisely what conveyancers see: in West and Southern Africa, fraudsters often use lookalike domains or slightly altered email addresses, alongside scams linked to invoices and payment requests.
The real estate connection is not theoretical. In one prosecuted case, a Nigerian national was sentenced by a US court in November 2024 to 10 years in prison for orchestrating a BEC scheme targeting real estate transactions that affected more than 400 victims and stole USD 19.6 million.
And the threat is evolving in a direction that should worry every firm still relying on "just phone to confirm." In Southern Africa, cybercriminals have adopted AI-powered tools to create sophisticated deepfake voice and video impersonations, leading to a considerable escalation in voice-based fraud by mimicking executives and vendors. The phone call, long held up as the safety net, is itself now a target.
South Africa
South Africa sits at the sharp end of this. It has some of the highest incidence of cybercrime, and cybercriminals are using increasingly sophisticated social engineering tactics to defraud unsuspecting victims. Conveyancing firms are singled out for a reason: property transactions involve large sums of money, and most correspondence between firms and clients happens by electronic communication, which makes them very attractive targets for criminals.
The financial bleed is measurable. South African banks and their customers collectively lost over USD 184 million in 2023, and identity fraud increased by 167% across Africa according to Sumsub's 2024 report, with South Africa among the countries experiencing growth rates exceeding 300%.
This is the environment a South African conveyancing firm operates in every single day.
The case that changed everything: ENS v Hawarden
If a firm needs one reason to take this seriously beyond the moral one, it is a 2024 Supreme Court of Appeal judgment that quietly rewrote where the financial risk lands.
The facts are almost unremarkable, which is exactly the point. In May 2019, Ms Hawarden agreed to buy a property for R6 million. ENS was appointed as the conveyancing attorneys by the seller. There was no attorney-client relationship between her and ENS. When the R5.5 million balance fell due, ENS sent her a letter with its trust account details, including a fraud warning. That email was intercepted by a third party who had gained access to her email account. The fraudster removed the fraud warning and altered the account number, and she transferred R5.5 million into the fraudster's account. The money was withdrawn before the fraud was discovered.
The High Court initially found ENS liable. Then the SCA overturned it. The Supreme Court of Appeal unanimously set aside the ruling that had found ENS liable to pay R5.5 million, holding that the loss was not caused by ENS or a failure of its systems, but by hackers who had infiltrated her email account and diverted her payment.
Read the reasoning carefully, because this is the part every firm and every client needs to absorb. The court found she could have avoided the risk by verifying ENS's account details, that she had previously been warned about BEC by the estate agent, and that she must take responsibility to protect herself against a known risk. The judge went further: any warning by ENS about the risk of BEC would have been meaningless, because by that time the cybercriminal was already embedded in her email account.
Here is what that means in plain terms. The court declined to make the firm the insurer of everyone it emails, partly to avoid exposing attorneys and all creditors to indeterminate liability for losses they could not control. Sensible. But the flip side is unforgiving: the financial loss now sits squarely with whoever made the payment into the wrong account. If that is your client, your client carries the loss. If a process failure on your side puts your firm in the frame, as earlier judgments like Fourie v Van Der Spuy showed when attorneys were held liable for paying away a client's trust balance on an emailed instruction without verifying it, then your firm carries it.
Either way, "we sent the right details, it's not our problem" is not a strategy. The law has made verification not a courtesy but the dividing line between who keeps their money and who does not.
What is actually causing this
It is tempting to file this under "cybercrime" and reach for antivirus software and a stern email signature. That misses the real cause.
The root problem is structural, and it is the gap SOTRU was built to close. There are two failures sitting underneath every one of these losses.
First, the communication channel itself carries no identity. Email was never designed to prove who is on the other end. Modern convenience has come with an upsurge in cybercrime against law firms, and the most common attacks are interception and phishing. When trust account details, mandate changes, and payment instructions travel through a channel that cannot verify the sender, every message is a leap of faith. The branding can be copied. The thread can be hijacked. The address can be spoofed by a single character. Nothing in an ordinary email cryptographically proves to the recipient that it is genuine.
Second, verification and communication are disconnected. A firm might do thorough FICA onboarding at the start of a matter. But that verification happens once, in a separate system, and then trust is assumed for the rest of the relationship. The actual instructions, the moments where money moves, happen later, in the inbox, with no link back to that original verified identity. People change. Bank details change. An email account gets compromised mid-transaction. And the one-off check done weeks earlier does nothing to catch it.
Put those two failures together and you have the perfect conditions for fraud: high-value payments, flowing through an unverified channel, based on instructions nobody can cryptographically trace back to a verified party. The criminals have simply understood this structure better than the industry that relies on it.
The standard defences are all reactive patches on this broken structure. Phone to confirm the account? Voice can now be deepfaked, and as the SCA noted, if the criminal is already in the email account, warnings arrive too late. Load trust account details on banking systems so they need not be emailed? Helpful, but partial. Educate clients to be vigilant? Necessary, but you are asking a first-time buyer to out-think an organised syndicate.
None of these fix the underlying problem, which is that the channel itself cannot tell you who you are dealing with.
How SOTRU combats it
SOTRU's premise is straightforward: stop trying to bolt verification onto a channel that was never built for it, and instead embed verified identity directly into the channel where the transaction actually happens.
Concretely, that means a few things working together across the lifecycle of a matter.
Verified identity at source. Companies, directors, authorised representatives, and bank accounts are confirmed against trusted sources and issued as reusable, cryptographically signed credentials. When a counterparty appears in a transaction, you are not taking their email signature on faith. You are dealing with a verified identity that cannot be cheaply faked or spoofed.
Communication tied to that identity. Instead of an inbox where anyone can imitate anyone, messages move through channels that are encrypted in transit and at rest and bound to a verified organisational identity. You are no longer communicating with an email address that claims to be a firm. You are interacting with the firm, cryptographically. That single shift removes the foundation impersonation fraud is built on.
Verification that continues, not a one-off check. Because identity stays connected to the relationship, changes get surfaced rather than slipping through silently. A change to banking details or an authorised representative is something you see, not something you discover after the money has left. This is the gap that one-time onboarding can never close, and it is precisely where these frauds live.
A complete, identity-linked audit trail. Every verification and every instruction is recorded against a verified identity. In a world where the SCA has made it clear that the question "did you verify?" decides who carries a multi-million-rand loss, having a defensible, time-stamped record of exactly who said what, and who confirmed which account, is not just good governance. It is direct protection.
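To make the idea of identity-bound payment instructions concrete, here is an added sketch, not SOTRU's implementation and not from the original article. It uses HMAC-SHA256 from the Python standard library as a stand-in for a public-key signature, and assumes the key and the verified account were established outside email at onboarding. The key, payee and account numbers are constructed.

```python
import hashlib
import hmac
import json

# Constructed values: a key held outside the mailbox and a payment instruction.
KEY = b"constructed-demo-key-established-at-onboarding"
VERIFIED_ACCOUNT = "0000000001"
GENUINE = {"payee": "Example Attorneys Trust Account",
           "account_number": "0000000001",
           "amount_zar": 5500000,
           "fraud_warning": True}


def canonical(instruction):
    """Stable byte encoding so identical fields always yield the same tag."""
    return json.dumps(instruction, sort_keys=True, separators=(",", ":")).encode()


def seal(instruction, key):
    """Tag computed by the issuing firm over the whole instruction."""
    return hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()


def check_instruction(instruction, tag, key, verified_account):
    """Return the reasons to stop the payment; an empty list means proceed."""
    problems = []
    if not hmac.compare_digest(seal(instruction, key), tag):
        problems.append("content altered after the firm sealed it")
    if instruction.get("account_number") != verified_account:
        problems.append("account differs from the one verified at onboarding")
    return problems


if __name__ == "__main__":
    tag = seal(GENUINE, KEY)
    # Altered in transit: account swapped and fraud warning stripped.
    tampered = dict(GENUINE, account_number="0000000002", fraud_warning=False)
    # Genuinely re-issued by the firm with a new account: seal is valid,
    # but the change is still surfaced for confirmation.
    reissued = dict(GENUINE, account_number="0000000003")
    print(check_instruction(GENUINE, tag, KEY, VERIFIED_ACCOUNT))
    print(check_instruction(tampered, tag, KEY, VERIFIED_ACCOUNT))
    print(check_instruction(reissued, seal(reissued, KEY), KEY, VERIFIED_ACCOUNT))
```

The check only helps if the key and the verifier live somewhere the email intruder cannot reach. A shared HMAC key also cannot show which party produced a tag, which is why a real deployment would use per-identity signing keys.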
The honest framing matters here, and it is the framing SOTRU holds to: this is about reducing fraud risk, not eliminating it, and no responsible provider should claim otherwise. What it does is remove the structural weakness, the unverified channel, that this entire category of fraud depends on. It turns the transaction from one built on assumption into one built on verified identity.
A note for the broader audience
If you are not in the legal industry, it would be easy to read this as a conveyancing story. It is not.
The exact same structure, an unverified communication channel carrying high-value payment instructions, is what drives invoice fraud against construction firms, payment redirection against procurement teams, claims fraud against insurers, and executive impersonation against boards. Conveyancing is simply where the sums are largest and the consequences most visible. The mechanism is identical everywhere money moves on the strength of an email.
That is why this matters far beyond law firms. Anyone who pays an invoice, approves a payment, or acts on an emailed instruction is exposed to the same gap. The property transaction just shows it in its starkest form.
If you run a legal or conveyancing firm
Two things are worth saying directly.
First, we are actively building configurable compliance workspaces for conveyancing and legal firms, designed to simplify your compliance obligations and sit alongside secure, identity-verified chat. Rather than treating compliance and communication as two separate burdens, the goal is to bring them into one verified environment, so that meeting your obligations and protecting your transactions are part of the same workflow rather than competing for your team's time.
Second, if your firm has a specific requirement, reach out and talk to us. SOTRU is being built in close collaboration with the firms that use it, and we are happy to develop new functionality to meet genuine needs in the legal and conveyancing space. If there is a workflow, a verification step, or a compliance pain point that would make a real difference to how you operate, that conversation is exactly the kind we want to have.
The fraud is not slowing down, the law has made clear where the loss lands, and the inbox was never built to carry the trust we have been asking of it. The firms that move first to embed verified identity into how they communicate and transact will be the ones still standing when the next R5.5 million email arrives.
