Beware the man-in-the-middle of transaction emails

Angelique Ardé | 29 July 2021

Angelique Ardé is a writer and copy editor based in Cape Town. In her almost 30-year career in journalism, she has spent 15 years specialising in personal finance. She believes financial literacy and inclusion are integral to social justice and this specialist subject needs to be widely accessible: communicated plainly, honestly and without commercial bias.

Many South African investors have been financially ruined as a result of being caught in a man-in-the-middle cyberattack involving email hijacking.

With more of life being lived online, and consumers exercising poor “security hygiene”, these attacks are on the rise.

Described as the digital equivalent of eavesdropping, man-in-the-middle (MITM) attacks happen when cybercriminals place themselves between two parties in a commercial transaction. Neither party is aware that they aren’t talking to each other.

The attacker’s aim is usually to dupe you into paying funds into a bank account controlled by cybercriminals instead of the intended account.

The most targeted commercial transactions are lump-sum investments and property transactions, where the proceeds of a sale are being paid, or a deposit is being made.

In 2017 Durban psychologist Felicity Tonkinson lost her life savings of more than R1.2m to a man-in-the-middle after correspondence between her and her financial adviser about a recommended investment was intercepted.

In 2018 a Cape Town conveyancer fell victim to a man-in-the-middle attack and paid R420,000 – the proceeds of her client’s property sale – into a fraudster’s account.  These are just two of many cases that have been reported to the media, but often these cases are not reported.

Another increasingly common attempted fraud occurs when individuals or entities impersonate reputable authorised financial services providers.

Company impersonations

The Financial Sector Conduct Authority (FSCA) regularly warns investors about individuals or entities who are impersonating well known companies.  

Man-in-the-middle attacks that occur when business email addresses are compromised and hijacked may, however, be harder to detect.

Mimecast’s 2021 State of Email Security Report noted a 49% increase in business email compromise or impersonation fraud attacks last year. The Mimecast survey of  South African IT and security directors in various sectors found that seven out of ten had noted an increase in cybersecurity issues involving email.

Brian Pinnock, a cybersecurity expert at Mimecast, says many businesses have been victims of email compromise after someone in the organisation clicked on a dubious link, and it is likely that consumers are also victims.

People who are more cyber-aware were five times less likely to click on dangerous links originating from these phishing emails, he says.

Pinnock says you should “accept it as a given” that owing to numerous massive data breaches in recent times, your personal information – your name, ID number and address, particularly if you own property in South Africa – is already out there.

Cybercriminals map this information to your password compromised in a data breach. If you’re using the same password, or variations of it, across accounts, you’re particularly at risk.

Not teenage villiains

Pinnock says it’s unfortunate that consumers think of cybercriminals as a teenage super villain, a single hacker-in-a-hoodie unlikely to be interested in hacking them.

“That’s a terrible mindset. The reality is that call centre-like organisations are doing cybercrime. They do social engineering as a business in high volumes.”

Social engineering occurs when you are manipulated into doing something or disclosing your information.

Jason Jordaan, a forensic analyst at DFIRLABS, says that many victims of cyberattacks are people whose credentials had been compromised in data breaches.

If an email address and password are part of a data hack or leak, and the affected user reuses the same password for their email, an attacker will be able to illegally access their email account. Enabling multi-factor authentication can reduce these risks significantly.

Jordaan says that following a business email compromise, the devices of both parties often need to be forensically analysed, to identify the extent of the compromise. “I’ve had cases where both parties had been compromised,” he says.

Red flags

When you’re in the throes of a big transaction, certain things should always raise a red flag, he says. These include: 

  • A change of instruction – for example, the person you think is your financial planner suddenly departs from advice given and suggests you move your money to another investment;

  • A change of account details – you think you are dealing with your financial planner and you are suddenly instructed to ignore previous correspondence and use another bank account number when moving funds into an investment account; or

  • A change of email address – your financial planner previously emailed you from a business account and now you are receiving emails from what appears to be a personal email account.

In all of the above cases, it is highly likely that these messages are not coming from your actual adviser. They are coming from someone posing as your adviser.

It’s easy to accept an email at face value without examining the sender’s email address, but emails sent in a business email compromise often – although not always – provide clues that they are dubious: names in email addresses are misspelled as are domain names, he says.

Pinnock says you cannot afford not to be ultra-vigilant. “Double check everything. That is the critical thing, particularly when large sums of money are involved. Don’t make any assumptions.”



As internet users, we often lack awareness of cyber threats and how to practice good security hygiene. Cybersecurity experts Brian Pinnock and Jason Jordaan offer the following advice:

Run your email addresses through to check whether your personal data has been compromised by any data breaches.

If your email provider offers multi-factor authentication, turn it on. With multi-factor authentication even if the password to your email has been breached, no one can get into your email without an additional token sent to you via an authenticator app on your phone.

Use a reputable password manager that you pay for. A password manager allows you to memorise just one password for the manager.

Be careful of what personal information you share on social media that cybercriminals can harvest.

If you have suspicions about a website or an attachment, use a site such as VirusTotal to screen it before you open it.

Avoid downloading widgets and plug-ins to your browser or free services as they collect your information.

Secure your computer with antivirus software and keep it up to date.

Don’t assume that if you use a certain brand of phone or computer that you are immune to attack. Use antivirus software.

Clear your browser cache of information about the sites you visit regularly, as this information can be used against you.