Hacked computer leads to contract termination
In the recent Supreme Court of New South Wales decision of Deligiannidou v Sundarjee  NSWSC 437, the buyers of a property sought a declaration that the contract of sale was still valid and enforceable in circumstances where the buyers' deposit was paid to a fraudster's bank account.
On 1 February 2020, the buyers exchanged contracts of sale with the sellers to purchase an apartment in Sans Souci, south of Sydney for $560,000. Pursuant to the terms of the contract, a 10% initial holding deposit ($1,400) was required to be paid by the buyers before 1 February 2020. The remaining $54,600 was to be paid before 12 February 2020. The contract stipulated that the deposit amounts must be paid by cash or cheque, and didn't permit the use of electronic funds transfer (EFT).
On 31 January 2020, the sales agent sent an email to the buyers suggesting if they wished to secure the property, they should pay the initial holding deposit into the sales agent's trust account. The sales agent included the BSB and account details for the trust account in the email to the buyers, who subsequently transferred the initial holding deposit of $1,400 into the trust account.
A week later, the sales agent sent another email to the buyers reminding them that the balance deposit of $54,600 was to be paid into the trust account by 5.00pm on 12 February 2020. The sales agent again included the BSB and account details for the trust account in the email to the buyers. However, a few days later, the buyers received what appeared to be a further email from the sales agent reminding the buyers of the balance deposit amount to be paid and providing the BSB and account details for a different bank account (a fraudulent account). The email formed part of an email chain between the sales agent and the buyers, including the earlier email from the sales agent two days prior.
On 12 February 2020, the buyers sent a screenshot to the sales agent confirming the transfer of the balance deposit amount of $54,600. However, neither the sales agent nor the buyers identified that the transfer was to the fraudulent account and not the trust account. Two days later, the sales agent advised the buyers that the balance deposit amount had not been received into the trust account. It was eventually discovered that the email sent on 9 February 2020 was sent by a fraudster who had gained access to the sales agent's computer system.
On 19 March 2020, the sellers purported to terminate the contract on the basis that the deposit had not been received. The buyers commenced proceedings against the sellers and sales agent seeking:
- A declaration that the contract was still valid and enforceable;
- An order for specific performance of the contract; and,
- Damages from the sales agent for its allegedly misleading and deceptive conduct.
Clause 25(ii) refers to "Work Health and Safety" and includes an acknowledgement by the sellers that at all material times, "...the Agent acts under the direction, management and control of the Principal [the sellers] to facilitate the real estate transaction between the Principal and the purchaser..."
The Court held that the proper interpretation of Clause 25(ii) of the Exclusive Agency Agreement is that it's directed to the sellers' obligations in relation to the safety of the property. As a result, the Court held that Clause 25(ii) "does not have the effect of giving the Agent authority to make directions, inconsistent with the Contract, as to how the deposit is to be paid." Accordingly, the buyers' application for interim relief was dismissed.
This decision serves as a timely reminder that agents should familiarise themselves with the relevant terms of every contract of sale and ensure they're not acting outside the authority conferred on them by the contract and their seller clients. Agents should also be extremely vigilant when it comes to corresponding via email, particularly when requesting and receiving account details for the payment or disbursement of deposit funds.
As a matter of best practice, agencies should have up-to-date cyber policies in place outlining the requirements to be followed by all staff for money transfers (e.g. multifactor authentication of account details) as well as regular training to ensure the agency remains on alert for the risk of hackers gaining access to email communication with clients and other parties.