Combatting cybercrime and fraudPrint publication
Cybercrime and fraud are increasingly key risks for businesses, for professionals and for individuals alike. A Walker Morris Commercial Dispute Resolution specialist offers some practical risk management advice.
Scale of the problem
Information security breaches can cause devastating financial loss and serious reputational damage – and they are on the rise.
- Nearly 70% of large businesses experienced a cyber security breach in the last 12 months or so . That is an increase on the two thirds of large businesses which detected and reported a cyber security attack in the 2015/16 financial year. With attacks not reported, the true figure is likely to be much higher.
- Some 37% of UK businesses are now experiencing cyber attacks approximately once per month.
- Identity theft (of various types, including fraudulent e-mails, spyware/malware and other devices deployed via cyber attacks) now accounts for some 75% of fraud (up from around 40% in 2015/16).
- 2,356,000 instances of bank account fraud were reported in the 12 months to June 2016, making it the most common form of cybercrime in the UK .
- The National Security Council and Serious and Organised Crime authorities are aware of over 39,000 cybercriminals and over 6,000 cybercrime groups operating within the UK today. Although the authorities’ knowledge is improving all the time, there are still gaps, so the reality is even worse .
- Apart from organised crime, businesses face information security risks from ‘hacktivists’, IT-savvy teenagers, competitors and even simple human error.
- Cybercrime and fraud reports to the Law Society are also on the rise. Between 2012 and 2016 there was a 101% increase in reports of bogus law firms (54% of which related to the identity theft of a genuine firm or individual). That represents a 101% increase on 2012.
- In 2016/17, over 70% of the sums incurred by HM Land Registry’s Indemnity Fund involved claims concerning fraud and forgery .
- The FCA has also reported  its concerns that many business continuity plans do not work. For example, mirrored backup solutions, which rely on backup tapes which may be a few days old, are insufficient. If an attack happened tomorrow, what would be lost and what would be the effect on your business and your customers if your backup tapes were a week old?
Risks to watch out for
There are some increasingly common scams and indicators of fraud which, if they are detected in time, may enable a business to intervene to prevent any loss. Businesses should therefore ensure that their staff are trained to recognise and watch out for the following frauds and warning signs.
- Phishing is where fraudsters acquire sensitive information, such as bank account details, by posing as a known or trustworthy entity in an electronic communication.
- Identity theft can also be perpetrated when a fraudster impersonates a genuine individual or firm using details that may have been obtained via the internet, social media or other personal data sources.
- CEO fraud is a form of identity theft whereby a fraudster impersonates a senior figure at a firm to impose authority and to order money/asset transfers that might otherwise be prevented by fraud prevention policies or practices.
- E-mail hacking is where a fraudster hacks into the e-mail accounts of a business or individual and intercepts confidential information and communications. The fraudster can then pose as a person with whom that business/individual would expect to transact and can redirect monies or assets and disappear with the spoils. In a recent unreported High Court case which exemplifies a very common scenario, an individual claimant was defrauded of substantial sums of money when a fraudster hacked into his e-mail account and masqueraded as his builder. As the individual was expecting an invoice in respect of building works, he paid sums over to the fraudster in the belief that he had been sent a genuine invoice.
- Friday afternoon fraud is the name often given to a scam perpetrated on a bank or law firm late in the day in a conveyancing or similar transaction. The fraudster takes advantage of peak time pressure to complete (when information and data security lapses may be more likely to occur) to impersonate one of the parties.
- Bogus firms are created by criminals and deceive individuals or genuine firms to steal money or information.
- Social engineering is where a criminal gains confidential information through building a personal relationship with a member of staff.
- Malware is software which attacks a business’ data and information security. Viruses and other programs can infiltrate a business’ IT systems, causing damage and allowing access to data.
- Ransomware, an increasingly common and sophisticated form of malware, encrypts files and enables cybercriminals to demand a ransom for a decryption key. The FCA has reported that it now often sees not just isolated ransomware infections, but even self-replicating ransomware and other malicious software, which spreads rapidly through entire networks.
Warning signs/indicators of fraud
- Errors or inconsistencies in the spelling, grammar and terminology of firm names; slogans; logos; e-mail addresses, formats or account providers; other brand identifiers (such as company numbers, SRA/FCA registrations); and/or in communications generally.
- Newly registered or non-registered websites or domain names which may have been set up solely for the purpose of the fraud.
- Unexpected or unsolicited electronic communications – especially e-mails with attachments – which can contain and release malware.
- Absent, unclear or inconsistent background information, personal or trading history or other supporting documentation. These may indicate a fake or stolen identity.
- Last minute changes to key information, such as bank details or correspondence addresses.
- Unexpected overseas accounts or addresses.
- Absent or inconsistent telephone numbers, in particular absent or inconsistent landlines, and telephone numbers which divert to call-back services.
- Pressured instructions for unusually quick completions.
- High value/cash transactions or transactions with other unusual elements (such as back-to-back transactions).
- Inconsistent search results.
- A ‘gut feeling’ that something is not right.
Prevention and cure
There are some simple, practical steps that all businesses can take, both to help manage the risks and to mitigate damage caused in the event of an attack.
In terms of prevention:
- Customers/clients should be advised of the risks – if they are alive to the risks they can help, especially in relation to the protection of their own data and communications.
- Staff training is vital. All staff should be trained to recognise and react appropriately to the risks and indicators of cybercrime and fraud. In particular, all staff should be made aware of the existence and terms of businesses’ policies, procedures and reporting requirements where fraud is suspected.
- Businesses should share, internally, information and data relating to any attempted attacks. All areas of a business can then become alive to suspected attacks as soon as they occur.
- Policies, procedures and reporting requirements should be reviewed and updated, and training should be repeated, regularly. Cybercrime is a sophisticated and fast-moving phenomenon. Fraudsters today are very adept at harnessing technological advances for criminal purposes.
- Undertake regular online checks to ensure that your own firm/brand is not being impersonated.
- Adopt and foster a security culture, which includes good cyber security governance; the identification and protection of key assets; fit-for-purpose IT security/detection capabilities and business continuity plans; and a comprehensive understanding of how data is stored and protected. (In many cases, this will involve a detailed understanding and adoption of any third party/cloud data storage provider’s threat profile.)
- Where possible, firms should facilitate home and mobile working for their staff. This can help to ensure business continuity in the event of an attack.
- Where possible, meet and speak, rather than always communicating by e-mail and be extremely cautious of giving any sensitive information electronically.
- Where electronic communication is essential, encrypted e-mails and password protected portals offer a much greater level of data security.
- The Law Society’s Find A Solicitor website can be used to check the identity of qualified solicitors in England and Wales and Lawyer Checker can be used to verify solicitors’ accounts.
- Bank account details should be confirmed in person or on the telephone. This should include asking security questions to which only the genuine party or solicitor would know the answer.
- Any instructions that are given to change bank account or payment details should be treated with the utmost caution, investigated thoroughly and ideally confirmed in person.
If you do find yourself or your business a victim of fraud:
- As well as following any internal incident management regime, you should immediately notify the police, who may be able to recover some of the stolen monies and potentially take action against the fraudsters. You should also notify any lender and/or insurer, any other parties to the transaction or the customer/client and any interested/industry bodies such.
- Seek immediate specialist legal advice. For example, Walker Morris Commercial Dispute Resolution team has significant expertise in fraud claims and would be able to urgently initiate a freezing injunction to try to preserve stolen monies in the fraudsters’ bank account(s). If the whereabouts of monies is unknown, Walker Morris also has extensive experience in tracing and recovery.
- There are also other tactical options which specialist solicitors could deploy on a victim’s behalf. In the recent builder/hacker case referred to above, the victim was able to apply to the High Court for both a Norwich Pharmacal order  (which required the bank to reveal the identity of the holder of the account into which the defrauded sums had been paid), and a declaratory order that the monies were held by the holder of that account on trust for the victim.
- Other civil remedies which may assist in a fraud case may, depending on the circumstances, include breach of contract, negligence, breach of trust, unjust enrichment and/or tracing claims – all of which could help to recover lost funds.
Cybercrime and fraud are risks that are on the rise – but so too are the knowledge, technological means and legal expertise required to effectively respond to and combat them.
The best means of protection for your business and your customers is to be proactive in your data protection and security practices, and to have expert legal assistance in your corner just in case anything does go wrong.
If you would like to discuss the content of this article in more detail, please do not hesitate to get in touch.
 UK Government Cyber Security Breaches Survey 2017 Main Report
 UK Government Cyber Security Breaches Survey 2016 Main Report
 Source: Agenda Screening Services
 Estates Gazette ‘Lessons on Fraud’, 14 October 2017
 FCA’s ‘Approach to cyber security in financial services firms’, September 2016
 a Norwich Pharmacal order, named after the case which gave rise to the remedy (Norwich Pharmacal Co v Commissioners of Customs and Excise  AC 133) allows pre-action disclosure against a person who will not be party to subsequent proceedings, so as to identify another person (for example a wrong-doer); or so as to identify the nature of a wrongdoing, who or which can then be the subject of proceedings.