Cyber fraud is one of the most common crimes in the UK, with several million cases reported to police every year. Cyber criminals have been taking advantage of the COVID-19 pandemic to extract millions from individuals and businesses.
Action Fraud, the UK’s online centre for reporting fraud and cyber crime, has reported that more than £4.6 million has been lost by victims to COVID-19 related cyber fraud alone. The first COVID-19 related fraud was reported in February and during March such reports increased by 400%.
With economic uncertainty causing financial anxieties, and with large numbers of the population working from home with slower/less secure IT networks, cyber fraudsters have tailored their crimes to the current circumstances. Some of the reported COVID-19 frauds have included:
- Online shopping scams - relating to the sale of fake or non-existent face masks and hand sanitisers, virus cures, treatments and testing kits.
- Government grant scams – businesses are sent texts and emails purporting to be from the Government and offering grants. The victims follow a link to a fake government website where fraudsters capture their information.
- Investment scams - victims are sent bogus investment advice and are encouraged to take advantage of the economic downturn by investing their money into bogus schemes.
- Invoice fraud – fraudsters impersonate suppliers and use COVID-19 as a reason to change the legitimate payee’s account details to those belonging to the fraudsters.
- Bogus supplier websites – as suppliers struggle to meet demand/businesses struggle to source supplies, fraudsters list in-demand stock on fake websites and take payment without providing the goods.
- Rent deferral scams – fraudsters pose as landlords offering rent deferrals in exchange for deposits which are paid directly to those behind the fraud.
- COVID-19 contact tracing – fraudsters pose as NHS contact tracers and ask for personal details and even request payment in return for a testing kit.
Whether related to COVID-19 or not, if you or your business fall victim to cyber fraud, it’s important to act fast to stand the best chance of recovering the money that has been stolen.
When deciding what course of action to take, the key questions are: what to do and who to pursue?
Should I pursue the Fraudsters?
Given that the victims of cyber fraud do not know that they are being targeted by cyber criminals, this inevitably makes identifying the fraudsters a difficult task. However, there are means by which victims can attempt to identify the fraudsters and trace the whereabouts of the stolen money:
- Freezing injunctions – a Court order which prevents fraudsters from dissipating the stolen money until a Court can give judgment. If the victim chooses to commence proceedings against the fraudsters, and does so quickly enough, the stolen money can be protected until judgment. The injunction will only be effective, however, if it is granted before the stolen funds are further transferred or withdrawn.
- Norwich Pharmacal order (“NPO”) – a Court order compelling a third party, such as a bank, to disclose information. Banks can be forced to disclose the details of the accounts to which the stolen money has been transferred or the names of the account holders. With the help of an NPO, a victim of fraud may be able to identify the fraudsters and determine whether any funds remain in the identified accounts, or identify where they have been transferred.
- European Financial and Economic Crime Centre (“EFECC”) – a new unit set up by Europol to help law enforcement authorities in Member States and EU bodies trace the movement of money obtained by fraud (and other financial crimes) as it moves across borders.
It must be remembered, however, that pursuing cyber fraudsters may prove to be futile: any action taken may be too late and the stolen funds may have already been withdrawn or transferred to untraceable accounts. Even if the fraudsters can be identified, it is possible that they may not have sufficient funds to pay the victim if successful proceedings are launched.
Should I pursue the banks?
If a payment, which turns out to be fraudulent, was not authorised by the holder of a bank account, banks are required to refund the money to their customer. Protection for bank customers was strengthened by the introduction of the Contingent Reimbursement Model Code for Authorised Push Payment Scams (“CRM Code”) in May 2019. Under the CRM Code, which has now been extended to December 2020, signatories, which include banks and other financial instructions, commit to reimbursing customers who have been tricked into authorised push payment (“APP”) scams (where the victim is tricked into authorising a payment to an account which they believe is legitimate, but is controlled by fraudsters).
Participating banks can reject claims if the customer has ignored previous advice relating to fraud and APP scams, but, between its introduction and March 2020, £41 million has been reimbursed to victims under the CRM Code.
If a payment, which turns out to be fraudulent, was authorised by the account holder, the bank is not considered to be liable and therefore any claim seeking to recover losses will almost certainly be rejected. However, it is important to bear in mind that banks have a duty to put procedures in place to protect their customers’ accounts from fraud and therefore there could possibly be a claim in contract and/or negligence if their practices are found to be insufficient.
If a victim of fraud believes their bank is liable, but their claim is rejected by the bank, a complaint can be made through the Financial Ombudsman Service. If their assessment finds that the customer was treated unfairly, they may require the bank to refund the lost funds with/without interest and/or compensation.
Should I pursue the person whose email account was hacked and who I thought I was transferring the money to? For example….law firms.
Given the large sums of money that are held by, and transferred to, client accounts, law firms are increasingly becoming the target of sophisticated cyber fraud attacks, notably by email modification fraud (intercepting emails and falsifying emails to change bank details), phishing emails, malware attacks and CEO fraud (impersonating a senior figure at a law firm).
If, at the time the fraud occurred, the firm lacked up-to-date software and IT systems, had not given sufficient warnings to its clients regarding the changing of bank details or failed to respond quickly and appropriately to suspicious activity, a case for negligence could be formed. Such a case would be strengthened if there was also evidence that the firm had previously been the target of a cyber attack, yet had failed to improve its systems and procedures.
Despite being one of the most common crimes in the UK, obtaining justice for cyber fraud is, by no means, a simple task. This, coupled with the fact that the costs of pursuing the stolen funds may be disproportionate to the amount lost, means that taking any action may possibly be prohibitive for victims. For the right cases, pursuing a claim will be valuable and worthwhile, provided action is taken swiftly.
Sarah Murray