The number of COVID-19 confirmed cases has been proceeding along an upward sloping curve, so is the number of cyber fraud cases. Rarely does a month pass by without cases reported to the Hong Kong or Singapore Police. In fact, it would seem the shift to remote-working resulting from the pandemic has led to an acceleration in the number of cyber fraud cases.
The growing trend of cyber fraud cases is reflected in the latest figures published by the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force in September this year [1] , revealing that more than 6,400 technology-related crimes were reported in the first half of 2020 alone causing more than HK$1.52 billion of losses. The same can be observed in Singapore where the Cyber Security Agency of Singapore reported in its annual report that cyber crime cases have jumped by more than 50% than the previous year. The high number of cyber fraud cases in 2020 makes it clear that malicious actors are taking advantage of the transition to remote working arrangements to target both corporates and individuals.
The wide adoption of information technology continues to bring us convenience and commercial benefits. We must not forget however, the risk of cyber fraud at the same time increases correspondingly. In recent months, during which COVID-19 has inevitably led us to spend more time on the internet, the cyber fraudsters' means of getting hold of victims' monies has been changing incessantly. This can be seen in recent examples of business email scams which have become increasingly targeted and sophisticated.
Impersonation has long been a trick for fraudsters and this extends to the impersonation of corporates. Very often, these “corporates” claim to be authorised investment management companies or financial institutions. The fraudsters may impersonate the staff of registered institutions of the Hong Kong Securities and Futures Commission (“SFC”), and in doing so also set up a website with contact details, including an actual CE reference (Central Reference Number, a reference number issued by the SFC) searchable on the regulator's public register, with a seemingly genuine investment account management portal where the victim can manage their portfolios of shares and options.
The so-called "investment manager" of the firm (in fact, the fraudster) may place cold-calls to foreign individuals to entice them to participate in allegedly lucrative investment deals, taking full advantage of the victim's vulnerability and unfamiliarity with the Hong Kong investment market and the desire to diversify investments due to the low global interest return on saving deposits. These victims, without suspecting anything, duly transmit monies in the hope of gaining positive investment returns.
In fact, not only are individuals susceptible to cyber fraud cases, corporates are also falling prey even where they have exercised a reasonable degree of caution. We have seen fraudsters offering foreign corporates loans in return for lower costs of debt-financing, compared to the big banks. The fraudsters will press the corporate to transfer sums of money to proceed with the financing transaction citing reasons such as the sums are required to pay “taxes levied by government authorities" or for "additional transaction costs incurred".
Usually, seemingly proper loan agreements together with guarantee documents do not raise any suspicion until the corporate, with the passage of time, realises the fraudsters have been putting up spurious excuses to thwart any transfer of real monies. As one may have expected, these "investment managers", " loans" or "investment returns" never existed.
Another type of cyber fraud is where the fraudster impersonates a supplier and provides fraudulent banking details to which payment for legitimate transactions should be made. The company making payment would discover the fraud only when the actual supplier complains that payment (for goods and services rendered) have not been received, and it would be left to the two legitimate commercial parties to sort out which party should bear the loss if the amounts lost cannot be recovered.
Businesses should react swiftly upon discovering a cyber fraud case before the chance to recover any monies becomes too slim. They may consider taking the following steps:
In Hong Kong, they should make a report to the Hong Kong Police Force providing critical information, such as the identity of the fraudster (if known), the total amount of sums transferred and the bank account information. This may in turn prompt the Joint Financial Intelligence Unit (JFIU), a governmental organisation jointly run by staff members of the Hong Kong Police Force and the Hong Kong Customs & Excise Department, to issue a "no consent letter" so that the relevant bank(s) refrain from dealing with the monies in those bank accounts any further.
Where the "no consent" letter is issued by the Hong Kong Police, the bank invariably will err on the side of caution and refuse to make any payments out of the account – the effect is that the account will be "informally frozen" for as long as the no consent letter is valid.
According to the internal manual of the Hong Kong Police, the Force Procedures Manual, generally the following factors will be taken into account when deciding whether the "no consent" regime will be invoked [2]:
(i) the reasonable prospect of successfully obtaining a confiscation order. This in turn requires the Police to take into account:
(ii) the reasonable likelihood of obtaining a restraint order;
(iii) the reasonable likelihood of a victim obtaining an injunction within a reasonable period of time;
(iv) any other consideration that may have a bearing such as when dealing with an absconder or an overseas request; and
(v) the underlying principle that persons guilty of criminal offences are denied their proceeds of crime.’
After the "no consent letter" has been issued, the Hong Kong Police will generally try to obtain a restraint or confiscation order over the property as soon as practicable. Where the property belongs to the victim, the Hong Kong Police will request the corporate to apply for a civil injunction in respect of the property.
In Singapore, a report should be made to the Singapore Police Force who can take steps to assist with the cyber crime. In particular, victims should be careful to preserve the relevant email or data from the computer and to note down the date and time of the crime. The police report filed will also be of assistance in consequent civil action to preserve and recover the funds.
In both Hong Kong and Singapore, the victim may consider a proprietary and Mareva injunction and/ or a Norwich Pharmacal application. It is of paramount importance that these civil actions are taken without delay. As time passes by, there will be an increasing risk of dissipation of funds and difficulty in tracking the whereabouts of the funds. This may result in the funds being transferred from the initial bank account to second or even third layer recipients, or even leave Hong Kong entirely.
Another practical reason as to why legal action should be commenced quickly is that the Court may be reluctant to grant injunctive relief when a significant amount of time has passed. This is based on the guiding principle established in the case of American Cyanamid Co (No 1) v Ethicon Ltd [3] regarding the balance of convenience that the court has to make when deciding whether to grant an injunction - that is, whether it would do greater damage to the plaintiff if the injunction was wrongly refused than it would do to the defendant if the injunction were wrongly granted. This is particularly important in the context of a Mareva injunction where the applicant must also demonstrate that there is a real risk of dissipation of the assets over which the injunction is sought.
As time is of the essence, it is particularly important to work with experienced lawyers who would be familiar with the issues which arise in such situations, such as how the defendants could be served proceedings in such cases. Further, as these crimes are borderless and funds flow are easily international, it may be necessary to have parallel proceedings.
Once a fraudster has succeeded in securing the transfer of funds from the victim, they may proceed to erase records of communication with the victim to avoid being traced and their real identity from being discovered. It is therefore incumbent upon the victim to make a backup of all communications with the fraudster after discovering the fraud. Whilst most social media and instant messaging apps keep a record and timestamp of all communications, it may be prudent to check if any conversations have taken place off-line and whether a complete timeline of events can be constructed from the available records.
Where suspected hacking or phishing has also taken place, digital forensics experts should be engaged at an early stage to assist with the investigation and preservation of evidence. Where the funds have been paid in cryptocurrency, crypto-asset tracers should be engaged.
Even with the help of the Police and legal practitioners, it may not be possible to recover the entire financial loss. Contacting your insurer to check if these losses are covered under existing insurance policies could potentially be a more efficient way to "minimize" the overall loss. The unfortunate fact is no security system is infallible in face of the ever-changing fraud landscape. Therefore, when negotiating new insurance policies, especially in terms of insurance coverage, it will be a good idea to factor in the prevalence of cyber fraud and check the type of coverage that may be available in such cases (including coverage for costs of injunctions and the like).
Long gone are the days when fraudsters displayed obvious signs of criminality such as spelling mistakes and misinformation. As our on-line world has increased in sophistication so have the cyber criminals. The fight against cyber fraud, as well as the fight against COVID-19, will inevitably be an uphill battle for the foreseeable future given fraudsters, like virus, will continue to "mutate" in face of the new landscape.
Therefore, stay safe and stay vigilant.
We have experience in advising companies and individuals how to navigate through high value, sophisticated cases of cross-border cyber fraud. In the past years, we have assisted our clients in obtaining urgent injunctions to freeze funds transferred between various bank accounts and, in tracing the funds. We have also advised them in relation to garnishee proceedings and managed to reclaim a significant amount of funds on behalf of the clients.
If you would like to know more about how Bird & Bird can assist with you, please get in touch with the authors or your regular Bird & Bird contact.
Bird & Bird have also published a wide range of briefings on the impact of COVID-19 on other businesses and industries which you can read here. Please stay connected and healthy.
The content on this Article seeks to provide you with general information on cyber fraud and its related civil causes of action. The information contained herein is not legal advice in respect of the application of Hong Kong or Singapore law and should not be relied upon or act on as such. It is subject to changes without further notice and may not be fully up-to-date.
[1] See https://www.scmp.com/news/hong-kong/law-and-crime/article/3100531/cybercrime-surges-hong-kong-covid-19-work-home
[2] Paragraph 3.6 of Interush Ltd & Anor v Commissioner of Police & Ors [2019] 4 HKC 194
[3] [1975] 1 All ER 504.