MIGHT NEED A NETFLIX SPECIAL: THE CASE OF HAWARDEN V EDWARD NATHAN SONNENBERG INC.

A BUSINESS EMAIL COMPROMISE NIGHTMARE.

INTRODUCTION

In the world of cybersecurity, the most dangerous vulnerability isn't found in code—it’s found in us. While we worry about sophisticated malware, "career" email compromisers are busy hacking something much simpler: human perception.

This is the era of the digital heist, where social engineering has turned professional trust into a weapon. We see this play out with devastating clarity in the case of Hawarden v Edward Nathan Sonnenbergs (ENS).

In this post, I break down the mechanics of Business Email Compromise (BEC) and explore how the battleground for high-stakes robbery has moved to our inboxes. My goal is to bring awareness to these invisible risks. At the very least, I hope this serves as a nudge to finally watch Money Heist on Netflix; because when it comes to a well-executed plot, that show is in a league of its own

(Its all starts with the facts of the case)

Hawarden v. ENS: The Anatomy of the Heist

The execution of this heist wasn’t as flamboyant as a Netflix series; its brilliance lay in the simple, cold-blooded manipulation of perception.

The Setup: A Dream Home and a Red Flag

Ms. Hawarden was in the process of purchasing a property for R6 million. You don’t drop that kind of money unless you’ve found "the one." The process began normally: her estate agent, Pam Golding Properties, confirmed the seller accepted her offer.

Pam Golding played it by the book. They asked for a R500,000 deposit and explicitly warned her about the risks of Business Email Compromise (BEC). Ms. Hawarden did her due diligence, verified the bank details, and the deposit landed safely in Pam Golding’s trust account. So far, so good.

Enter the "GOATs" of Law: ENS

Once the deposit was paid, the seller’s chosen conveyancers stepped in: Edward Nathan Sonnenbergs (ENS). In the South African legal landscape, ENS is considered one of the "GOATs" (Greatest of All Time). They handle the highest level of law for the deepest pockets. When a firm like ENS handles your paperwork, your guard naturally goes down. You assume you’re in the safest hands in the country.

But the silent hackers were already in the room.

The Invisible Interception

Communication began between ENS and Ms. Hawarden. While we can’t be certain when the breach occurred, the criminals were likely "licking their lips" long before the first email was sent.

The first "hit" happened when an ENS secretary sent an email regarding bank guarantees. Unbeknownst to Ms. Hawarden, the hackers had intercepted the correspondence. The letter that arrived on her screen looked official—it had the ENS branding and the right tone—but the bank details had been swapped for the criminals' account.

For the next few days, Ms. Hawarden and ENS weren't actually talking to each other. They were talking to a "ghost in the machine"—a hacker playing God, intercepting emails and spoofing addresses with tiny, intentional spelling errors.

The "Michael Bay" Moment: August 20, 2019

On a Thursday in week 34 of 2019, the trap was sprung. Ms. Hawarden went to her bank to finalize the remaining R5.5 million.

She had a choice: a bank guarantee or an electronic transfer. She tried to call the ENS secretary for advice, but the call went unanswered (perhaps a cosmic sign to wait?). However, a brilliant ENS associate returned the call shortly after. They discussed interest rates, and Ms. Hawarden decided to pull the trigger on the transfer.

Boom.

She instructed the bank teller to send R5.5 million to the account details she had received via email—the criminal’s account.

The Aftermath: Gone in 48 Hours

The criminals didn't just take the money and run; they bought time. They intercepted Ms. Hawarden’s "payment sent" email and sent a fraudulent version to ENS with a fake proof of payment, claiming the funds would take 24–48 hours to reflect. They even sent follow-up emails claiming the money hadn't left the account yet to keep ENS from investigating.

By the time the fraud was discovered on August 29, the R5.5 million was poof—gone. The bank couldn't recover it. The criminals had vanished into the digital sunset.

Facing a life-altering loss, Ms. Hawarden turned her sights on the only entity left standing: ENS

Round 1: The High Court Battle

(Werksmans Attorneys vs. ENS)

Ms. Hawarden didn’t take her loss lying down. She enlisted Werksmans Attorneys—another heavyweight of the South African legal fraternity—to hold ENS accountable. They launched a delictual claim for Pure Economic Loss.

In simple terms, they had to convince the court that ENS had a legal duty of care to ensure Ms. Hawarden didn't pay that R5.5 million into a fraudulent account.

The Challenge: Proving the "Impossible" Claim

Pure economic loss is a tricky beast. Generally, our law doesn't recognize a right not to suffer financial loss through someone else's negligence. It’s considered "prima facie lawful" unless you can prove that the legal convictions of the community (based on our Constitution) demand that the victim be compensated.

Werksmans, led by C.H.J. Badenhorst SC and M.D. Williams, had to be creative. They successfully argued that:

1. Public Policy: Protecting a purchaser’s funds in a property transaction is in the interest of society.

2. The "Power" Dynamic: They cited Estate Van Der Byl v Swanepoel, essentially arguing the "Uncle Ben" principle: With great power comes great responsibility. Between a private individual and a massive law firm, the firm is better equipped to prevent the "mischief" of cybercrime.

   
   

The Perfect Legal Storm: Elements of the Delict

Once the court accepted the "Legal Duty," the rest of the dominoes fell in favor of Ms. Hawarden:

• Causation: Werksmans argued that "but for" ENS’s failure to warn her about BEC, and "but for" them sending their bank details via unencrypted email, she wouldn't have lost the money. The court agreed—the link was close enough.

• Fault (Negligence): The court found that the risk of BEC was highly foreseeable. For a firm like ENS, failing to implement strict safety protocols wasn't just a mistake; it was legally negligent.

• Wrongfulness: Because a legal duty was established through public policy, the failure to act (the omission) became wrongful in the eyes of the law.

  
  

The Verdict: A "Micheal Bay" Explosion for ENS

The High Court didn't just rule against ENS; they did so with a punitive costs order (attorney-and-client scale). This suggests the court was unimpressed with ENS's defense.

ENS was ordered to pay back the R5.5 million, plus costs. To most, this looked like the end of the road. A massive victory for the "underdog" against a legal titan.

But as Socrates said: "Know thyself."

ENS knew their worth, and they knew the law. They weren't about to let a R5.5 million precedent stand without a fight. They packed their bags and headed to the Supreme Court of Appeal (SCA)

Round 2: The Supreme Court of Appeal (SCA)

(The Great Reversal)

The SCA judgment was a masterclass in legal restraint. I have to give props to Acting Judge F.B.A. Dawood. Usually, appeal judgments are dry and skip the facts, but this one gave us 13 pages of pure "bars" and insight.

ENS didn't take their High Court loss lightly. They brought in the heavy hitters—Clyde & Co, led by the legendary W. Trengrove SC. Their mission? To prove that ENS didn't owe Ms. Hawarden a legal duty of care to protect her from her own choices.

The Point of Departure: "Everyone Bears Their Own Loss"

In South African law, the starting line for any delictual claim is simple: You bear the loss you suffer. Conduct that causes pure economic loss isn't automatically "wrongful." For ENS to be held liable, the court had to decide if it was reasonable to impose that R5.5 million burden on them.

Why the SCA Flipped the Script

The SCA dismantled the High Court’s ruling using three main pillars:

1. No Attorney-Client Relationship The court pointed out a hard truth: Ms. Hawarden was not a client of ENS. She was the purchaser; ENS represented the seller. There was no contract between them. The court found that the loss didn't happen because of a glitch in ENS's system, but because cybercriminals exploited a vulnerability in Ms. Hawarden’s digital environment.

2. The "Indeterminate Liability" Trap The Constitutional Court has warned about this before: if we make law firms liable for every time a third party gets hacked, we open the floodgates to "indeterminate liability." Essentially, if the court ruled against ENS, every professional who sends an email could be on the hook for a hacker's brilliance. The SCA found this legally "reprehensible."

3. The "Vulnerability to Risk" Factor This was the "dagger" in the case. The law asks: Could the plaintiff have protected themselves? The SCA looked at Ms. Hawarden’s actions and noted:

• She chose an EFT over a secure bank guarantee.

• She failed to verify the bank details before clicking "send," despite having done so successfully with the estate agent earlier.

• She didn't take the same precautions for R5.5 million that she took for R500,000.

  
  

The Final Verdict: Victory for ENS

The SCA concluded that while what happened to Ms. Hawarden was a nightmare, it wasn't ENS's nightmare to pay for. It would be unreasonable to shift the responsibility for her choices onto the law firm.

The result? The High Court order was set aside. Ms. Hawarden’s claim was dismissed with costs—including the cost of two counsel. ENS walked away with the "W," and the legal world got a stark reminder: Your inbox is your responsibility

The Climax: The Ghosts in the Machine

While we’ve spent our time dissecting the legal battle between a homeowner and a corporate titan, one group remains entirely out of the spotlight: the criminals. Somewhere out there, there are individuals who managed to divert R5.5 million into a bank account and vanish. They haven't been found. They haven't been named. They are currently enjoying the fruits of a "digital heist" that required no explosives and no getaway car—only patience and an understanding of human psychology.

The Lesson: Protect Your Perimeter

Cybercrime is no longer a distant threat or a plot point in a Netflix series; it is a clear and present danger to your livelihood. As technology advances, so does the ingenuity of those who operate outside the law. This case is a stark reminder that the law will not always step in to save you from a digital mistake.

Take heed of the warning:

• Update your systems: Keep your anti-virus and security patches current.

• Secure your data: Encrypt your emails and sensitive attachments.

• The "Human" Verification: Never, under any circumstances, transfer large sums of money based on an email alone. Pick up the phone. Verify the voice.

Most importantly, keep your mind alert. In the digital age, your perception is the most valuable system you own—don't let someone else hack it

Disclaimer

The views and opinion expressed are those of my own, based on my own experiences and my subjective interpretation of the subject matter. They are not authority nor should they be construed to be authority. Do your research, read further, gain knowledge and do what you want with it. Non of the views expressed herein are legal advice. Always seek a legal practitioner for your legal problems