But the obvious advantages of speed and informality of commerce are accompanied by dangers that businesses sometimes aren’t aware of or don’t take seriously. Here we take a close look at a commonly encountered form of online fraud – business email compromise.
The email looks innocent, like any of the dozens of others received every day by departments responsible for making payments in our companies. It’s all standard, nothing to rouse suspicions. The sender’s details, the context in which the message is sent, and the terminology used all check out. It is usually only some time later that it comes to light that the email was sent by criminals. This is the essence of the cybercrime referred to as “business email compromise” (BEC) or “email account compromise” (EAC).
It consists of mimicking real correspondence in order to obtain money under false pretences. The criminals create email addresses beguilingly similar to the real addresses of trading partners. At the top level visible to the recipient, the fictitious email address of the sender may even be identical to the address of the supposed sender. Only a deeper analysis of the address reveals the differences.
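The "deeper analysis of the address" described above can be automated in a mail gateway or a payment-approval workflow. The following Python sketch is an added example, not part of the original article: it flags a display name that shows a different address than the real one and a sender domain that is nearly identical to a known partner's, and it goes one step beyond the text by also checking the Reply-To header. The partner domains, the distance threshold of 2 and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Assumption: domains of real trading partners (constructed values).
TRUSTED_DOMAINS = {"acme-supplies.example", "northwind.example"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message, max_distance=2):
    """Return a list of findings for the sender headers of one message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rpartition("@")[2]
    findings = []
    # 1. The visible name shows one address while the real one differs.
    shown = EMAIL_RE.search(display)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append("display-name-address-mismatch")
    # 2. The real domain is close to, but not equal to, a partner domain.
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= max_distance:
                findings.append("lookalike-domain:" + trusted)
    # 3. Replies would go to a different domain than the sender's.
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply and reply.rpartition("@")[2] != domain:
        findings.append("reply-to-domain-differs")
    return findings

# Constructed sample messages (not taken from a real case).
FAKE = ('From: "billing@acme-supplies.example" <billing@acme-supplles.example>\n'
        "Reply-To: accounts@freemail.example\n"
        "Subject: Change of bank account\n\nPlease pay to the new account.\n")
GENUINE = ("From: Acme Billing <billing@acme-supplies.example>\n"
           "Subject: Invoice 1042\n\nInvoice attached.\n")

if __name__ == "__main__":
    print(check_sender(FAKE))
    print(check_sender(GENUINE))
```

A message with any finding is a candidate for out-of-band confirmation with the partner before a payment instruction is acted on.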
The goal of the attack is to delude the recipient into thinking that he is corresponding with someone he knows. This is typically a trading partner or a superior at work (often for example the CEO). According to FBI reports, a radical increase in offences based on BEC/EAC schemes has been noted since 2010. In 2015 the FBI even labelled these cybercrimes as the most urgent problem in cyberspace. In June 2016 the FBI estimated the total value of losses generated so far by these offences at over $3 billion. And the FBI statistics only reflect a portion of BEC/EAC incidents.
Cybercriminals masquerading as a person known to the recipient of the email typically request at some point that certain funds be transferred to a bank account given in the email. In the case of emails from a supplier this often comes in the form of a notice of change in the account used by the supplier. In the case of an email supposedly from a superior this might be, for example, a note about the need to make a transfer connected with a top-secret project.
Some of the instances we have encountered in our practice plainly showed that the cyber attack was very carefully prepared. The criminals probably monitored the correspondence between the victims for some time. This enabled them to fit perfectly into the context of the existing correspondence, choose the right moment, and use the same expressions, effectively lulling the injured parties into dropping their guard. The email messages are often lent credibility by providing telephone numbers to supposedly trusted third parties (such as lawyers) who will confirm the transaction data provided in the fake email.
The scale of these crimes varies. In most instances the fraudsters manage to coax the victims into making transfers of several hundred thousand dollars, but there have been instances where many millions changed hands.
The funds transferred using the fake messages usually go to a bank account established by a straw man—an individual or firm who may or may not be aware they are cooperating with criminals. From that moment, the race with time begins.
How to secure stolen funds?
Time is of the essence. If the funds reach the account of the person or firm associated with the criminals, they won’t rest there long. Most often the funds are forwarded on, electronically, to countries known for their aversion to international cooperation, and there all trace of the funds is lost or the funds are removed in cash from ATMs.
Blocking of funds immediately after they reach a Polish bank account is possible with a decision issued by the prosecutor. A problem here is the duration of the blockade, which cannot exceed three months before charges are filed against a specific person. But it has happened in our practice that the cooperation between banks has proceeded with such difficulty that the injured firm did not assert its claims until after this period expired. Even if the injured party established before that time the data for the account where the funds were sent, there is still a danger that after 90 days the blockade will lapse and the criminals will exploit this loophole in the law to sweep up the funds for themselves.
A solution could be to obtain interim relief securing the claim in a civil proceeding. As the party authorised to dispose of the funds, the injured party has a claim for their return to the owner of the account where the defrauded funds were found. The legal basis for such a claim could be either tort or unjust enrichment. This is a claim of a financial nature and may be secured among other things by attachment of the claims to the bank account or other claims, including for example the claim the account holder may have against the bank or the prosecutor’s office to pay out the money when the blockade period ends. The security is imposed by the court upon application of the plaintiff filed with the statement of claim or before commencement of the proceeding.
The latter possibility is particularly attractive in light of the low court fee and the speed of action by the court which is vital to the case, as the court should decide the application promptly but no later than one week after it is filed. If the court grants the application ex parte, without notifying the defendant, the security may be enforced immediately by the bailiff. In effect, the bank or prosecutor will not be entitled, but required, to transfer the secured claim to the bailiff’s deposit account, where the funds can safely await the final judgment of the court or decision by the prosecutor to return the funds to the account of the rightful owner.
How to get it back?
The injured parties in cases of this type generally share one motivation: they want their money back. They’re rarely interested in identifying the perpetrators and the people helping them.
Prosecutors and police also take a pragmatic attitude toward such cases. Aware of the international dimension of these offences, they focus on what is feasible to achieve within their national jurisdiction. The fact that the events making up BEC (electronic correspondence, financial flows) typically occur in jurisdictions that are far apart means that the specific elements of the scam can be treated for example as fraud or money laundering. The legal classification affects the direction and scope of the measures taken by the law enforcement authorities.
Because the prosecutor has control over the funds blocked in a bank account, the decision on release of the funds and return of the funds to the injured party also rests with the prosecutor.
In practice, the principal challenge in this situation is to collect sufficient evidence to persuade the prosecutor to return the funds to the person who lost them as a result of the fraud. In the formalised criminal procedure, this often makes it necessary to obtain evidence through international legal assistance, which presents numerous difficulties.
But sometimes it happens that the holder of the account takes legal steps for release of the blocked funds. On top of that, sometimes the tax authorities step into action, exercising their right to take measures competing with those of the prosecutor’s office and the police. Then it may be necessary to initiate or continue a civil case in which the court will decide on the obligation of the account holder to pay the stolen amount back to the injured party. Such a proceeding can be surprisingly difficult, as the plaintiff must indubitably prove its right to the specific funds in the defendant’s account and the correlating duty to release the funds by a firm that may have funds in its account deriving from various — not necessarily illegal — sources.
In short, in seemingly simple cases connected with the return of defrauded funds, it is necessary to deploy a battery of available instruments in various legal regimes and proceedings.
The law trails far behind
The radical growth in the number of cybercrimes based on BEC schemes undoubtedly results also from the negligible effectiveness of the battle against such offences. One of the main reasons is that the legal system is not suited to the task. We outlined above some examples where the regulations don’t fit the nature of cybercrimes. But there are many more such examples. Banking secrecy rules quite effectively hinder the search by victims for basic information about the fate of their stolen funds. There is also a lack of effective instruments of international law enabling efficient access to information necessary to prosecute criminals (eg the relevant IP numbers and other teleinformatic data). Traditionally, criminal law remains the most poorly harmonised legal regime, which in globalised trade prevents an effective battle with cyber criminals.
Given the difficulties in pursuing justice by traditional methods, victims are beginning to focus on less-obvious solutions. They are starting to pursue damages from the financial institutions that participated in carrying out the transfers, in particular the institutions that maintained the accounts of the straw men used in the scheme. In the near future, the number of such claims against financial institutions is expected to grow. For many injured parties, it may be the only chance to make up their losses.