The risks posed by 'traditional' forms of fraud (undertaken by dishonest employees or directors diverting funds from client accounts) will always be of concern to financial services businesses. However, the threat of cybercrime, and particularly email fraud, has become a growing issue for both regulated entities and fraud practitioners looking to tackle offences undertaken by sophisticated criminals acting remotely.
Profound changes in technology and connectivity have provided the clients of financial services businesses with the ability to open and operate accounts via the internet. They expect rapid transfers, ease of access to credit and debit cards, and wireless payment platforms. Whilst providing highly desired functionality, these innovations open up individuals and businesses to fraud on an unprecedented scale.
No individual or entity should think themselves impervious to an attack by opportunistic criminals. Ian Dyson, the commissioner of the City of London Police, revealed in a recent Guardian interview that he was the victim of credit card fraud. In that same interview he gave a frank analysis of the growing volume of online fraud offences and the inability of police services to deal with every reported instance.
The risk to financial services businesses should not be underestimated. An attack on the infrastructure of one or more Jersey-based entities could cause a significant economic impact, leading to reputational damage, loss of trade and the potential for regulatory penalties.
The risk to law firms is also significant. Law firms are repositories of enormous quantities of information and are acknowledged by experts to be the easy way for cybercriminals to gain access to information not only about firms and lawyers themselves, but also their clients.
Business Email Compromise (BEC) fraud – which typically involves hacking into a company's IT system and using spoof communications to induce an employee of a company to initiate unauthorised electronic transfers – has affected businesses globally. The majority of unauthorised transfers are to banks in Asia, as well as certain Eastern European and African countries. According to the FBI's Internet Crime Complaint Center (IC3), which has tracked BEC scams since 2013, there were 22,143 domestic and international victims with combined dollar losses of more than $3 billion.
Research has shown a rise in several types of BEC: CEO Fraud, Mandate Fraud and "Friday Afternoon Fraud." The Island's financial services businesses should be aware of these types of fraud to prevent significant losses.
CEO Fraud commonly occurs when a junior in the finance department of a large company receives an email from the CEO of the firm, asking him or her to move money from one account to another. The email is fake, created through hacking or spoofing, and preys upon the culture in some businesses where junior staff are too nervous to confront their superiors when they receive a questionable email appearing to be from them.
In cases of Mandate Fraud, businesses will receive an email from a supplier informing them that the supplier has changed bank account details. Again, the email has been hijacked, and the business pays the funds out to the fraudulent 'supplier' account.
Finally, "Friday Afternoon Fraud" typically takes place, as expected, on a Friday afternoon. Starting with a telephone call to the firm's accounts department or Finance Director purporting to be from the fraud unit of its own bank, the caller is able to provide (by hacking the firm's online banking access) details of the genuine transactions made that day, thereby giving the impression of legitimacy. They will claim that suspicious transactions have been made from the account and that it has been frozen, and will offer the firm assistance with any urgent payments that it needs to make in the meantime. The firm will be required to provide its online bank details, which the caller then quickly uses to defraud the firm of large amounts of money.
The individual payments will typically be for slightly less than £100,000 to avoid detection for as long as possible. When multiple payments are made, they will be for differing amounts, again to avoid raising the bank's suspicion. Once each payment is made it is quickly transferred to other accounts and often moved out of the jurisdiction. As these payments are usually made on a Friday afternoon and may not be discovered until the following Monday, tracing these funds can be next to impossible as they will have long since been dissipated.
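A payment-screening check built on the pattern described above, as an added example that is not part of the original article: it flags outgoing payments just under £100,000, notes when they fall on a Friday afternoon, and marks same-day clusters of differing amounts so they can be held for call-back verification. The record fields, the £90,000 lower bound for "slightly less" and the 12:00 start of the afternoon are assumptions, and the sample payments are constructed.

```python
from collections import defaultdict
from datetime import datetime

THRESHOLD = 100_000    # figure quoted in the article (GBP)
NEAR_FLOOR = 90_000    # assumption: "slightly less" means within 10% below it
AFTERNOON_START = 12   # assumption: afternoon starts at 12:00 local time

def is_friday_afternoon(ts):
    return ts.weekday() == 4 and ts.hour >= AFTERNOON_START  # Monday is 0

def is_just_under(amount):
    return NEAR_FLOOR <= amount < THRESHOLD

def screen(payments):
    """Return {payment_id: [reasons]} for payments to hold for verification."""
    flagged = defaultdict(list)
    clusters = defaultdict(list)  # (account, date) -> Friday-afternoon hits
    for p in payments:
        ts = datetime.fromisoformat(p["time"])
        if not is_just_under(p["amount"]):
            continue
        flagged[p["id"]].append("just_under_threshold")
        if is_friday_afternoon(ts):
            flagged[p["id"]].append("friday_afternoon")
            clusters[(p["account"], ts.date())].append(p)
    # Several near-threshold payments from one account on the same Friday
    # afternoon, each for a different amount, match the article's description.
    for group in clusters.values():
        amounts = {p["amount"] for p in group}
        if len(group) > 1 and len(amounts) == len(group):
            for p in group:
                flagged[p["id"]].append("varied_amount_cluster")
    return dict(flagged)

# Constructed sample payments (2016-09-23 is a Friday, 2016-09-21 a Wednesday).
SAMPLE = [
    {"id": "P1", "account": "CLIENT-01", "amount": 98_750.00, "time": "2016-09-23T15:42:00"},
    {"id": "P2", "account": "CLIENT-01", "amount": 96_200.00, "time": "2016-09-23T15:49:00"},
    {"id": "P3", "account": "CLIENT-01", "amount": 12_400.00, "time": "2016-09-23T16:05:00"},
    {"id": "P4", "account": "CLIENT-01", "amount": 99_100.00, "time": "2016-09-21T10:15:00"},
]

if __name__ == "__main__":
    for payment_id, reasons in screen(SAMPLE).items():
        print(payment_id, ", ".join(reasons))
```

A hit is a prompt to confirm the instruction through a contact number already held on file before release, not proof of fraud.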
Upon becoming the victim of cyberfraud, it is essential to act quickly to minimise losses and secure the best chance for recovery.
Jersey-based businesses must be prepared for these types of fraud and take pre-emptive steps to lessen the risk. Do not let yourself be a target; undertake regular tests to ensure the resilience of your IT infrastructure to hacking. Initiate training programs so that employees across your business are aware of the types of BEC fraud they may face.
You should apply common-sense checks when dealing with all telephone enquiries or emails that request disclosure of bank account details, and never divulge passwords to third parties.
The most important factor is a timely response to perceived irregularities. This will maximise the chance of recovering any stolen funds. If you are unfortunate enough to be targeted, you must liaise with the bank from which funds were fraudulently transferred as quickly as possible. You will need to actively engage the States of Jersey Police and provide full details of how the fraud was carried out.
You will also need to engage legal representatives who can take the steps necessary to trace stolen funds and obtain freezing orders to prevent further dissipation. In this respect, Baker & Partners benefits from being the Jersey representatives of the ICC Commercial Crime Network, FraudNet, and we are able to offer a seamless service across multiple jurisdictions through our close association with professionals who are experts in asset tracing and recovery.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.