Commodity traders make millions of dollars of payments every day. Imagine making a large payment to your seller and only learning days or weeks later that the payment hasn’t been received by the intended recipient. Perplexed, you dig into your emails only to discover that fraudsters masqueraded as your counterpart using a fake or spoofed email address and diverted funds by sending fraudulent invoices mirroring the details of the actual transaction, save for one respect: the recipient’s bank account.
As a victim of cyber fraud, you suddenly find yourself facing battles on multiple fronts. There would be investigations into whether and how your or your counterparts’ systems have been breached. Depending on the culpability of your counterpart, you will be at risk of having to pay a second time. Most importantly, you want to know to whom the funds were diverted and how to recover them.
The Cyber Fraudster’s modus operandi
International traders are particularly attractive to cyber fraudsters given the frequency of trades and payments. The modus operandi of the fraudsters will generally entail monitoring of communications between the parties to know when to intervene:
- The hack: The fraudster needs to first get access to the emails. This could involve a hack into a trader’s IT systems or a phishing attack to trick an employee into divulging information, or a combination of the two.
- The deception: The fraudsters will register website domains that are ever so slightly different from the actual domains of the parties. Email inboxes are created using a fake domain (e.g. “@domains.com” instead of “@domain.com”), so that the fraudster can masquerade as the seller undetected.
- The diversion: At the time payment instructions are issued, the fraudster will intercept the invoice and send its own fraudulent invoice with amended bank details on the pretence of “audit” or “tax reasons” to divert funds.
Getting Recovery of Diverted Funds
Once the fraud is detected, there are a few tools available to the victim, all of which require a swift response. Good practices and systems for spotting abnormalities are key, as is familiarity with a ready recovery plan that needs to be implemented quickly.
- Investigation: Investigations will need to be done internally and externally with the bank. However, the police are often best placed to investigate such acts, not least because they have wide powers to freeze bank accounts involved in criminal activities such as fraud or money laundering.
- Freezing Injunction: Depending on which jurisdiction the diverted third-party bank account is located in, it may also be possible to apply to the Courts to freeze or attach that third party bank account. However, freezing an account of an unidentified party can be challenging, so a freezing injunction can be considered in tandem with an identification exercise (below).
- Identification & Tracing: Identifying the holders of the diverted third-party bank account and the ultimate beneficiaries typically results in a roadblock from the bank seeking to protect such information under banking secrecy legislation. But in certain jurisdictions, a third-party can be compelled through a disclosure order to disclose information such as the account opening forms, know your customer documents and information relating to the ultimate beneficial owner of.
The disclosure order, known as a Norwich Pharmacal order, is an equitable remedy available in some specific cases. The trader would generally have to establish a prima facie case of fraud by the bank’s customer, the fact that the fraudsters routed the monies through the bank and that it would be necessary, just and convenient for the bank to disclose information it has in its possession to allow recovery. The public interest in the disclosure of information relating to fraudulent action or criminal conduct generally outweighs the bank’s duty to keep its customers’ information confidential.
A Norwich Pharmacal order, which seeks to identify those behind the accounts, is typically deployed with a banker’s trust order used to trace the funds diverted by the fraudster.
Be forearmed in the war of cyber-attacks
Preventing cyber-attacks from taking place involves strengthening two aspects of a trading company’s operations: (a) the security of the company’s IT systems; and (b) the human element – continuing education and awareness of every person at the trading company. With remote working increasing the risk of unsecured networks, trading companies should consider taking the following preventative measures:
- Strengthen email security & rules: Put in place multi-factor authentication for email, so that attackers must have something else (e.g. a phone or authentication app) in order to gain access to a person’s email. In some instances, fraudsters use email forwarding rules to forward emails from the company to their own email accounts. Filters may also be used to forward emails with specific keywords, such as “bank”, “payment” or “invoice”. It is possible to set up notifications to detect email forwarding rules, so that the company’s staff or IT department can disable those rules and change passwords to restrict external access to email, if necessary.
- Behaviour: Avoid clicking links and opening suspicious attachments in emails. This is the classic hallmark of a phishing attack, which cyber criminals use to obtain people’s personal information and gain access to a company’s IT systems. With cyber-attacks being more commonplace, employees, particularly those dealing with finance, should be alert and alive to suspicious activities and spoofed email addresses.
- Systems: Put in place a payment review process that deals specifically with requests to change payment instructions. Such a request should spark investigations into the authenticity of the reasons provided for the change. The identity of the seller and the authenticity of the instructions should also be confirmed through video calls or phone calls to the seller at a previously verified number. Once payment is made, ask the seller to confirm receipt of monies as a matter of practice.
- Mitigation: Obtain insurance for exposure to losses arising out of cyber fraud.
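The forwarding-rule check mentioned under email security, sketched as an added example that is not part of the original article. The rule record layout, the company domain and the sample rules are constructed assumptions, not any mail platform's export format; in practice the same logic would run over whatever rule inventory the mail system provides.

```python
# Assumption: the company's own mail domains; anything else is external.
COMPANY_DOMAINS = {"trader.example"}
# Keywords named in the article as typical filter terms.
FINANCE_KEYWORDS = ("bank", "payment", "invoice")

# Constructed sample of exported inbox rules (hypothetical schema).
SAMPLE_RULES = [
    {"mailbox": "ap@trader.example", "name": "Newsletters",
     "keywords": ["unsubscribe"], "forward_to": []},
    {"mailbox": "ap@trader.example", "name": ".",
     "keywords": ["Invoices", "bank details"], "forward_to": ["box77@mail.example.net"]},
    {"mailbox": "cfo@trader.example", "name": "To assistant",
     "keywords": [], "forward_to": ["pa@trader.example"]},
    {"mailbox": "ops@trader.example", "name": "backup",
     "keywords": [], "forward_to": ["ops.copy@webmail.example.org"]},
]

def is_external(address: str) -> bool:
    """True if the address is outside the company's domains and subdomains."""
    domain = address.rpartition("@")[2].lower()
    return not any(domain == d or domain.endswith("." + d) for d in COMPANY_DOMAINS)

def audit_rules(rules):
    """Return one finding per rule that forwards mail outside the company.

    Severity is 'high' when the rule is also keyed on finance terms,
    the pattern the article describes, and 'medium' otherwise.
    """
    findings = []
    for rule in rules:
        external = [a for a in rule["forward_to"] if is_external(a)]
        if not external:
            continue
        text = " ".join(rule["keywords"]).lower()
        hits = [k for k in FINANCE_KEYWORDS if k in text]
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "external": external,
            "keywords": hits,
            "severity": "high" if hits else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Each finding names the mailbox and rule to disable; as the article notes, the follow-up is a password change for that account.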
A best practice for trading houses would be to have a dedicated “cyber-attack response team” whereby investigation and legal recovery steps can be taken in tandem. Having a team conversant with the different recovery options from the outset can make all the difference in timing and by consequence, recovery of diverted funds.