Know your fraudster – Time to make it easier to pursue cyber criminals

The Challenge

Victims of cybercrime, unlike many other victims of fraud, face the additional challenge of not immediately understanding who has caused their loss. Whilst other victims, such as those subject to investment fraud, may be able to identify those who caused the loss, victims of payment diversion fraud, or of email interception fraud directing a change of account details for payments, are often met with barriers when they seek to identify what happened, how and by whom.

What happens in practice?

The classic case is payment diversion fraud. This is where a party due to receive payment makes contact with the paying party to state that their account number and sort code have changed, but not the account name. The recipient looks at the communication directing the change of details. All looks as expected in terms of the logos, email addresses and so on, so the payment is processed, but it is actually paid to a fraudster’s account. It was the fraudster who sent the change of account details request.

This has been a common fraud for some time and those in a procurement function are well aware of this scam. However, the morphing of this fraud is catching some unawares. What if the request to change account details refers to previous emails you sent and even appears to be a reply within a thread of emails? That appears to legitimise the request to change the bank account details in the eyes of the receiver. The intimate knowledge of previous email communications comforts the receiver and affirms that this email is legitimate. Payment is made, the money is stolen.

There has been an increase in email monitoring by fraudsters. They watch carefully for communications they can infiltrate and, at just the right time, they send an email in the language, appearance and style of those they impersonate and simply carry on the conversation, leading to a request to change the account details. What did you not spot? The email address from the fraudster ended “.co.uk” and not “.com”. Why did you not spot this? Human nature is to take a cursory glance because we have so much to do. We autofill email addresses, and we filter over 100 emails a day on average, compared to the days before email when written communication may have been fewer than 10 letters per day. Whatever the reason, the money has gone from your organisation or from you personally.
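A mail-side check for the “.co.uk” versus “.com” substitution described above can be scripted. The following is an added example, not part of the original article; the sample messages, the suffix list, the phrase list and the function names are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: short hard-coded list; production code would use the Public Suffix List.
SUFFIXES = (".org.uk", ".co.uk", ".com", ".net", ".org", ".uk")
# Assumption: illustrative phrases only.
PAYMENT_TERMS = ("sort code", "account number", "bank details", "account details")

# Constructed sample messages; the counterparty on file uses example.com.
GENUINE = ("From: Jo Smith <jo@example.com>\nSubject: Invoice 1042\n\n"
           "Invoice attached, usual terms.\n")
HIJACKED = ("From: Jo Smith <jo@example.co.uk>\nSubject: RE: Invoice 1042\n\n"
            "Further to my email below, our account number and sort code have changed.\n")


def brand_label(domain):
    """Return the label directly left of the suffix, e.g. 'example'."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if domain.endswith(suffix) and len(domain) > len(suffix):
            return domain[:-len(suffix)].split(".")[-1]
    parts = domain.split(".")
    return parts[-2] if len(parts) > 1 else parts[0]


def review_message(raw_message, trusted_domains):
    """Compare the From domain with the domains on file for the counterparty."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    asks_change = any(t in msg.get_payload().lower() for t in PAYMENT_TERMS)
    trusted = {d.lower() for d in trusted_domains}
    if domain in trusted:
        # Exact match only; it does not show the mailbox itself is uncompromised.
        verdict = "known-domain"
    elif brand_label(domain) in {brand_label(d) for d in trusted}:
        verdict = "lookalike-domain"  # same name, different ending
    else:
        verdict = "unknown-domain"
    return {"domain": domain, "verdict": verdict,
            "hold_payment": asks_change and verdict != "known-domain"}


if __name__ == "__main__":
    for raw in (GENUINE, HIJACKED):
        print(review_message(raw, ["example.com"]))
```

The check compares against the domain already on file for the counterparty, never against an address taken from the thread itself.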

The Fraudster’s Identity

When fraud hits, you are often not prepared, whether as an individual or an organisation. You are not sure who to turn to first: the police, a lawyer or your insurers. It becomes a greater frustration if you cannot identify who perpetrated the fraud, as you are also left trying to find help with understanding who did this.

For payment diversion fraud, the answers may well exist. The bank that operates the account to which you sent the money will know. They should have the identity documents of those owning and operating the account used by the fraudsters and could also help by showing you where money was at least initially transferred to after you sent it. Unfortunately, the fraudsters’ bank have no duty or obligation to provide you with this vital information. You are not their customer. Their customer’s details are in fact subject to data protection and so cannot be disclosed. The police may be able to get this information, but cannot share it with you.

There are avenues to gain access to the bank account information, but a court order for non-party disclosure will take time and involve some expense. You may be able to expedite this approach through an urgent application to court of this nature, but as the victim, despite having already been subject to fraud and being at a financial loss, you are left having to find more money just to try to understand more about the crime.

As to your own bank, they have no legal obligation to check that the account you sent the money to is operated in the name of the party you intended to pay. As long as they followed your instructions as to the account number and sort code, they are absolved of responsibility for the loss.

Time for change?

With the difficulties of gaining access to the information held by the fraudster’s bank, at Today Advisory we feel there should be changes to make access to information to aid reaction to fraud easier for victims.

We would welcome your views as we are keen to see if we can find a route to address this inequality of access to information.

Arun Chauhan is a solicitor specialising in advising on financial crime compliance and anti-corruption measures together with prevention, investigation and reaction to fraud, as well as a member of the Today Advisory team. A former head of the commercial fraud team of a top 20 national law firm, he is the founder and director of Tenet Compliance & Litigation, a niche law firm.