This piece is by Jon Felce and Rosie Wild, Partners at Cooke, Young & Keidan LLP and takes a look at the complexities of business fraud.
Falling victim to business compromise fraud is a stressful, frustrating and often isolating time. Businesses and individuals can lose immense sums of money overnight, sometimes without even realising it for some time. Whilst it may seem like it when a scam is discovered, does a scam really mean that all is lost? After being defrauded, victims might be fearful of whether their business can survive the situation and confused at what steps to take next.
Is there any hope for such victims? Can a business ever recover the money that has been stolen, and what is the best way to handle and overcome the situation? Crucial to the answer is often taking advice from experts as soon as possible.
What is business compromise fraud?
In summary, business compromise fraud occurs when fraudsters manage to compromise an IT system and use it as a shield to hide behind whilst they trick the business into willingly transferring funds to the fraudsters’ account.
An important feature of these cases (that are also known as authorised push payment or APP frauds) is that they involve payments being made willingly by individuals (hence the term, authorised) who genuinely believe that the payment is going to a legitimate account or person, when in reality the destination account is operated by, or under the control or direction of, a fraudster.
On the surface, it may appear that these cases are easily avoided, but these incidents occur in many different forms, which can make them harder to spot – especially when carried out so professionally. A primary example of this is a fraudulent email coming from someone who appears to be a member of the company’s senior management team requesting an employee to authorise a bank transfer, or a fraudster impersonating the counterparty to a contract who is expecting a payment from your business.
The sums involved in this type of fraud are astonishing. A report produced by ACI Worldwide and GlobalData last year anticipated that losses will double in the UK by 2026 to well over £1 billion.
I was a victim of business compromise fraud – what can I do?
A critical step if this happens to you (or your business), or you suspect that this might have happened to you, is to react immediately, keep documentary evidence of events (e.g. emails, phone records etc.) and preserve the information that you have relating to the incident.
Some of the potential action points are set out below, but it is important to note that these will vary on a case-by-case basis.
Your bank/the business’s bank: In some cases, your bank may be able to block any payments (including pending transactions) and recover any money that has already left your account. This is not always possible, but the bank can still be a useful resource for notifying the onwards recipients of your stolen funds of the fraud which can assist with freezing funds further down the line. In one experience, although the monies had left the destination account, quick action by the victim’s bank was able to ensure that the onward recipient’s bank froze the monies before subsequently returning them to the victim.
The intended transferee: In many cases, the intended recipient is actually the person who flags an issue as they have not received the expected payment (and which you/the business believes has been made). A discussion between the two parties is important here, to identify which system has been compromised and what steps to take next. It is important to be careful in these situations however, as you do not want to potentially compromise your position vis-à-vis this party in relation to who should bear any loss (especially if the counterparty has any culpability for the IT compromise).
The business’s insurance company: An important step is notifying your insurance provider as soon as an issue arises. Notifying the insurance company early helps to protect your interests if there is coverage available.
The fraudsters bank: It is a worthwhile step to contact the fraudulent party’s bank (i.e. the bank you/the business send the funds to), even though it is possible that they have already been in discussion with your bank following the event. Contacting them may mean that they take steps to freeze the funds which could prevent dissipation. In one of our recent cases, for example, we learned that the bank had frozen monies and ultimately transferred these to the police.
Investigators: It is important to find out quickly how the fraud occurred, and whether it was your mailbox, or IT system, that was compromised. These findings are likely to steer the future direction of the case, as well as any deficiencies in a business’s IT systems that may need rectifying. Specialist investigators can be hugely valuable in identifying this information.
Of course, as well as the avenues outlined above, it is wise to notify the relevant criminal authorities and seek legal advice to help obtain information, freeze assets and hopefully recover them (and some of the above steps you would not necessarily want to take without seeking advice first).
How can I try to recover my assets? Is this impossible?
If the money has left your account, then sometimes it will not have left the fraudsters’ account and can be recovered at source. This information might not be readily available, and unfortunately on many occasions the sums erroneously transferred leave the fraudsters’ account rapidly. Fortunately, fraudsters are not always as diligent in dissipating monies further, and we have successfully recovered monies from complacent fraudsters who think one onward transfer is sufficient to escape with their stolen loot.
Frustratingly, there is no guaranteed route to recovering the stolen funds and the targets for recovery depend on the facts of the case. However, the following is a list of those who you may consider targeting for recovery.
The first, and perhaps most obvious target is the fraudsters themselves – often referred to legally as ‘persons unknown’. However, in practice, these people may be difficult to
locate and recover assets from. This route can be effective when the victim has been able to obtain the necessary court orders that has enabled them to identify the fraudsters and their location, see where the funds have gone, and freeze assets. A common misconception is that only the stolen monies can be frozen, whereas in reality it may be possible to target the fraudsters’ other assets too.
As noted above, your business may have coverage under the terms of an insurance policy. As a general rule, it is important to check whether the policy covers cyber fraud or whether this needs to be taken out separately.
Contacting banks directly can also be a successful method of asset recovery – whether it is your own bank or the fraudsters’. In some cases, depending on the type of transactions that were involved in your case, your bank may be under an obligation to compensate you – or at least bear some of the responsibility. Claims against fraudsters’ banks are more difficult, but not necessarily impossible, depending on the facts of your case and there have been occasions when we have recovered sums from the fraudsters’ banks.
The other available avenues may be less attractive from a commercial point of view. First, pursuing the legitimate counterparty, who you had believed the money was going to originally in the event that they were responsible in some way for the fraud. Although you may not get your money back per se, a successful recovery in this instance could mean you do not have to pay them the sum (either full or in part) of money owed originally, or any additional costs that may have incurred since. This is often a commercial decision and will depend on your relationship with the counterparty.
Another option is to consider pursuing the person responsible for actioning the fraudulent payment request. If you do decide to take this route, be sure to seek employment law advice beforehand.
How can I avoid becoming the victim of APP fraud?
A staggering number of APP frauds take place each year, with figures showing no signs of slowing. However, this does not mean that an attack on your business is inevitable. There are a few simple but useful methods you can do to help prevent falling foul of a fraudster’s scam.
Ensuring that your internal banking procedures are well-adapted to try to intercept these types of fraud can minimise your risk, for example ensuring that a call is made to check any new banking details provided before payment is made. Make sure you place the call yourself, rather than accepting a call from the third party, as fraudsters have adapted and we have seen instances where they make fake calls to the business/individual to confirm the fraudulent bank details.
Likewise, frequent staff training is important as fraudsters are constantly coming up with new ways to dupe businesses into authorising their disingenuous payment requests.
As touched on earlier, insurance policies should be reviewed frequently to ensure that your business has the level of protection it needs (including cyber-insurance). Having that extra layer of protection could help to offer some peace of mind should the worst happen.
Falling victim of these scams can be draining, and the process of clawing back assets is often arduous and stressful. However, acting quickly, seeking advice, and being careful with communication can assist to stabilise the situation and provide a chance of recovery.