The rise and rise of business compromise fraud: a victim’s toolkit
January 2023 | SPOTLIGHT | FRAUD & CORRUPTION
Financier Worldwide Magazine
January 2023 Issue
At its simplest, business compromise fraud involves a fraudster compromising a business’s IT systems and tricking that business or another business into willingly making bank transfers to the fraudster. The crucial point is that these frauds – also known as authorised push payment (APP) frauds – involve a payment being made by a person in control of the account who is labouring under a false assumption that the payment details they are using are legitimate, whereas in fact the payee account is controlled by fraudsters. Scams can take many forms, including: (i) the fraudster assuming the identity of senior management and asking someone within the finance department to make a transfer; (ii) hacking an employee’s email account in order to request payments be made to vendors; and (iii) hacking a vendor’s account in order to request payments. When the fraud succeeds, the company’s bank transfers funds to the fraudster’s account at the fraudster’s bank.
The scale of this type of fraud is staggering. In 2021, there were 195,996 APP scams with combined losses of £583.2m. In the first half of 2022, there were 95,219 incidents of APP scams with gross losses of £249.1m.
What to do if you fall victim to a business compromise fraud
In the event of a company falling victim to a business compromise fraud, the most important thing to do is to act quickly, take advice and keep a documentary record of everything that has happened.
Businesses should consider making contact with various parties, including those outlined below.
The victim’s bank. This is important because the bank may be able to stop the payment or obtain its return. If not, the bank can also be a source of useful information, in order to assist with identifying the fraudsters and what has happened to the funds, albeit a court order will invariably be required before such information is released.
The fraudster’s bank. Although the fraudster’s bank may be on notice already from the victim’s bank, it can also be prudent to contact the fraudster’s bank directly. There are various legal points that can be raised which may assist in seeking to prevent dissipation of funds received.
Insurers. It can be important to put your insurance provider on notice of the fraud. It may be that there has been little time to consider whether you have a viable claim for cover. However, unless the insurer is notified as soon as possible, this could become a future bar to claiming cover from them.
The intended recipient. Often, as a result of the fraud, a contractual obligation for payment remains unpaid. Hence the contractual counterparty can often be the party that identifies that something has gone awry by chasing for payment. If that is not the case, informing the counterparty may be prudent, not least since it may be that it is their systems that have been compromised and they may need to protect their own position. However, it is important at this stage to think carefully about the legal position vis-à-vis the counterparty and take steps to protect your own position – especially if it is the counterparty whose systems have been compromised.
The relevant criminal authorities. The reaction and subsequent action of the criminal authorities can be very jurisdiction dependent. Nevertheless, it can be prudent to seek to involve such authorities.
Cyber fraud investigator (internal or external). It will be important to quickly understand what happened, how the fraud occurred, and who the target of the fraud was. This knowledge is very important as it can influence the next steps.
Lawyers. It is important to take legal advice at an early stage. There are various legal tools available which may assist in locking down and recovering monies and identifying and pursuing wrongdoers or those who have facilitated the fraud.
Chances of recovering the funds?
Assuming that the transfer has not been stopped, the next question will always be what can be done to recover the funds, or otherwise ensure that no loss is suffered by the business. In reality, it is often the case that a combination of options will be the most effective and what routes are appropriate for each business depends on the facts of each particular case.
Insurance. If there is an insurance policy (policies that cover against cyber fraud are usually – but not always – separate from any main policy), this might be responsive.
The fraudsters (also known as ‘persons unknown’). An obvious target is the fraudsters. When this option does yield results, it is often because the victim has been able to obtain court orders enabling it to identify the fraudsters and trace the movement of funds and then freeze them.
Responsible employee. Although this can be an unattractive option, it may be worth considering any potential recourse against the employees who actioned the fraudulent payment instruction. If this route is being considered, it is prudent to seek employment law advice.
Victim’s bank. Depending on the bank and the nature of the transactions involved, a bank may have assumed an obligation to compensate the victim; alternatively it may bear some degree of responsibility for the fraud depending on the facts. There has been renewed legal interest in this avenue for recovery in recent times.
Fraudster’s bank. In the alternative to the victim’s bank, and for similar reasons, a fraudster’s bank can sometimes be a potential source of recovery as well.
The legitimate counterparty to the transaction. Recovery in this sense could amount to not having to pay to the counterparty some or all of the genuine sum owed but which was instead transferred to the fraudster, and any additional payment made above and beyond that which was actually due because of further fake invoices being generated. This will not only be a legal question but a commercial decision bearing in mind the wider relationship with the counterparty.
Tips for avoiding APP fraud
With APP fraud on the rise, what can be done to try to avoid falling victim? As always, prevention is the best cure. One step is to seek to ensure that internal protocols and procedures for banking payments are up to date; regular training sessions can also help to keep staff up to speed. Part of such training could include identifying the signs of potentially fraudulent emails. We are also aware of companies that send test phishing emails to employees on a sporadic basis to assist in educating those who fall foul of the scams. It is also worth checking the insurance position to see whether and in what circumstances cover is provided and, if not, whether that is something that may be of interest.
Concluding remarks
While business compromise fraud will invariably continue to thrive, if a business falls victim to such a scam all is not lost. Key for victims is acting quickly and managing relationships and communications in a commercially and legally effective manner.
Jon Felce is a partner and Rosie Wild is a senior associate at Cooke, Young & Keidan LLP. Mr Felce can be contacted on +44 (0)20 3409 6085 or by email: jon.felce@cyklaw.com. Ms Wild can be contacted on +44 (0)20 7148 7405 or by email: rosie.wild@cyklaw.com.
© Financier Worldwide