I’m a victim of an email bank fraud, please help me to get my money back!
Unfortunately, the team at bowers.law hear these words all too often, so following on from our series of Room 228 Newsletters dealing with fraud, in this latest Room 228 Newsletter we look at the legal tools which we use to try to help (usually overseas) victims of e-fraud retrieve the money which fraudsters have (usually all too easily) stolen from them.
Why do employees commit fraud? (July 2020)
https://bowers.law/why-do-employees-commit-fraud/
Watch out watch out, there’s a fraudster about! bowers.law’s top (practical) tips to minimising fraud risk (August 2020)
https://bowers.law/watch-out-watch-out-theres-a-fraudster-about/
Don’t make it easy for the hackers! (October 2020)
https://bowers.law/dont-make-it-easy-for-the-hackers/
What is email bank fraud?
If you like acronyms: Email Account Compromise (EAC) or Business Email Compromise (BEC)
Most of the cases we see at bowers.law are where the fraudsters either infiltrate the victim’s email system to send out emails containing fake payment instructions, or they use virtually identical email addresses in emails containing fake payment instructions – usually with just one letter slightly different from the real email address (eg using ‘rr’ instead of an ‘m’ or an ‘I’ instead of an ‘L’).
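The look-alike addresses described above can be caught mechanically before a payment instruction is acted on. The following Python check is an added example, not bowers.law's own tooling; the contact list, the sample addresses and every substitution other than 'rr' for 'm' and 'I' for 'L' are assumptions made for illustration.

```python
# Known-good payee addresses (constructed sample data, not from the newsletter).
KNOWN = ["accounts@hamilton-trading.example", "kevin.lee@supplier.example"]

# Look-alike sequences folded to one canonical form. "rr" for "m" is named in
# the newsletter; the other three are assumed additions for this example.
FOLDS = [("rr", "m"), ("rn", "m"), ("vv", "w"), ("0", "o")]


def skeleton(addr: str) -> str:
    """Fold look-alike characters so visually similar addresses compare equal."""
    # Capital "I" for lowercase "l" (named in the newsletter) must be folded
    # before lowercasing, otherwise it becomes an ordinary "i".
    addr = addr.replace("I", "l").lower()
    for seen, canonical in FOLDS:
        addr = addr.replace(seen, canonical)
    return addr


def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one changed, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]


def classify(sender: str, known=KNOWN):
    """Return (verdict, matched known address or None)."""
    low = sender.lower()
    for k in known:
        if low == k.lower():
            return "exact", k
    for k in known:
        if skeleton(sender) == skeleton(k) or one_edit_apart(low, k.lower()):
            return "lookalike", k
    return "unknown", None


if __name__ == "__main__":
    for s in ["accounts@harrilton-trading.example", "kevin.Iee@supplier.example",
              "kevin.lee@suplier.example", "billing@other.example"]:
        print(s, "->", classify(s))
```

An "exact" result only shows that the address is the genuine one; it does not rule out the case where the fraudster is sending from inside the real mailbox, so a changed payment instruction still needs to be verified by telephone.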
Top Tip: You should never follow a payment instruction from your boss who is at the airport about to board a plane (when planes actually took off and landed anywhere) as the fraudsters may have been monitoring the boss’s emails for weeks and often send fake payment instructions the minute before take-off, as the accounts manager then has no way of verifying the payment instruction until the plane has landed at the (usually long-haul) destination (unless the boss has logged onto the eye-wateringly expensive public airline WiFi for the flight)!
What should you do when you realize you’re a victim?
The golden rule: Act DECISIVELY and act FAST.
Although your money is exceedingly likely to be withdrawn and disappear from the fraudster’s recipient bank account within 12 – 24 hours of the transfer, other funds from other victims will inevitably be paid into the same fraudster’s same bank account before the scam is uncovered, reported to the police and crumbles in a hail of police directives and court orders.
Top Tip: Fraudsters tend not to use lesser-known local banks to receive their ill-gotten gains – they use well-known international banks like HSBC and Bank of China because the target overseas account manager or financial controller is far more likely to be conned into pressing the ‘send’ button if the transfer of funds is to a recognised international financial institution – so in Hong Kong, HSBC Main Building, 1 Queen’s Road Central is far more likely to be the first destination for the stolen funds than say, Tai Yau Bank in Wan Chai.
- Call your bank
Call your bank to try to stop the transfer, or if the funds have already been transferred to a bank in Hong Kong (which they usually have been), request a recall on the basis of the fraud. In our experience however, it is very difficult for an account holder to stop its own bank from transferring the funds out of its account after the ‘send’ button has been pressed – obviously, the quicker the call to the bank, the higher the chances of stopping the transfer. You should be under no illusion however, it’s still really difficult to do!
If you can identify the recipient bank account (and you usually can), you should ask your bank to contact that recipient bank ASAP to try to stop the payment of your funds into the account of the recipient bank’s customer, but again in our experience, this is next to impossible to achieve.
- Report the e-fraud to the Hong Kong Police
You should log your report in the HK Police e-Report Centre at:
Upon receiving your report (backed up by supporting documents such as the offending fraudulent emails and the bank transfer forms), the HK Police should inform the recipient HK bank of the suspicious transaction and (if the case is strong enough) issue a ‘letter of no consent’ to the recipient bank to ‘freeze’ the suspect bank account, to prevent any further withdrawals being made from that bank account at the same time as allowing funds (usually money stolen from someone else) still to be deposited into that same target bank account.
The HK Police should issue their letter of no consent if the report is made quickly and is backed up by the relevant supporting documentation and if (and it’s a big ‘if’) there are sufficient funds (at least about US$10K – US$15K) in the suspect target bank account, to make it worth the issue of the letter by the HK Police to the recipient bank.
- Notify your insurer
(Commercial) Crime Insurance: If your business involves the regular transfer of large amounts of money, it needs to have a commercial crime insurance policy to cover email bank fraud – sorry, but with the increasing prevalence of this type of cyber-crime, crime insurance is now a must. A crime insurance policy is usually standalone insurance coverage separated from most commercial business package policies. Key point – for your policyholder business to secure cover for the (sometimes huge) losses suffered at the hands of the fraudsters, it must have devised and must implement tight financial controls and must have active mitigation measures in place to minimise its cyber-crime risk exposure. Your insurance provider should help you with this.
Computer / Cyber Insurance: Most cyber insurance policies cover losses suffered as a consequence of cyber security incidents such as computer hacks, ransomware or malware infection, denial of service attacks (eg ‘freezing’ your email system) and data breaches / leaks. The coverage can extend to consequential reputational damage etc.
Note: Your insurer will still expect you to mitigate your loss by taking legal action to try to recover your misappropriated funds.
Top Tip: Every single email that is sent out by bowers.law has the following statement as part of the e-signature block, and you should have a similar one as an easy but effective way of reducing (ever-increasing) risk:
Our firm will never send you an electronic communication (email, WhatsApp, WeChat, Telegram, sms etc.) to notify you of any change to its bank account details, or to ask you to redirect any payment. If you do receive any such electronic notification or request, it is highly likely to be an attempt at fraud, so please do telephone us immediately to notify us of any such unauthorised communication.
Top Tip: You should verify any altered payment instruction by a telephone call to the company’s publicly listed general land line (certainly not by the same electronic messaging system used to send the message containing the payment instruction), and you should make the call yourself (not at a pre-arranged time as the fraudster may be monitoring your email exchanges), not wait to receive one from the fraudster’s burner mobiles!
- Call your lawyer
It sounds mercenary and predatory, but it’s not! You will need legal tools to try to recover your stolen money (at least we didn’t put ‘call your lawyer’ as the first thing you should do)!
If the HK Police will not issue a letter of no consent to the recipient bank to ‘freeze’ the target suspect bank account, the civil procedure in Hong Kong is usually as follows:
- apply for an urgent Injunction Order (or ‘Freezer’ if you’re in the know) to ‘freeze’ the recipient bank account;
- issue a Writ against the account holder (usually a freshly (within about 12 months) incorporated HK$1 HK company with a small HK company secretarial outfit as the company secretary);
- serve the Writ at the account holder’s registered office;
- apply for a Default Judgment (as the account holder defendant almost never acknowledges service of the court proceedings); and
- issue garnishee proceedings against the recipient bank to enforce the Default Judgment against the defendant account holder and secure the payment out of the amount of your Judgment (plus interest and a tiny amount of fixed legal costs) from the recipient bank account into the bank account of your lawyer (who should then give it back to you)!
You may also have to apply for a court order requiring the recipient bank to disclose bank records to show where your funds have been transferred on to, so that you can ‘trace’ your money and bring proceedings against the next account holder in the next bank to receive your money – which in our experience is usually outside of Hong Kong, and which is usually a long and expensive process involving multiple jurisdictions.
Once the suspect recipient bank account is ‘frozen’ (by the HK Police or by a court order), you should expect the civil court process to take anywhere between 4 – 8 months to secure the recovery of all or at least some of your stolen money (especially during covid-related court slowdowns).
Seeing as there are no hard and fast rules on priority in Hong Kong in terms of claiming misappropriated funds, it’s very much ‘first come, first served’ when it comes to recovering your stolen money. If there are other victims chasing the same stolen dollars in the same bank account, you should expect to have to agree to share the funds in the recipient bank account pro rata to the amount of money stolen from each of you. We have experience of that exact thing happening with us receiving instructions on the same day from different corporate victims from the UK and the US chasing their stolen funds which ended up in the same fraudster’s bank account in the same Hong Kong bank!
The entire recovery process is driven by the risk and reward ratio between the amount of money you have lost to the fraudsters and the amount of money held in the suspect recipient account – the exact credit balance of which you may not know until the recipient bank is forced to disclose it during the garnishee enforcement process (unless the HK Police have given a firm indication that it’s worth your while to embark on the civil recovery process).
What are your chances of successfully recovering your stolen money?
In our experience, we have been able to make full or at least decent (proportionate) sized recoveries in about 60% – 70% of email bank fraud cases.
The not-so-secret trick to maximizing your recovery is to act DECISIVELY and to act FAST and to get your lawyer working on this for you ASAP after you discover the fraud – by persuading the HK Police to issue a letter of no consent to the recipient bank, or if they won’t, applying for a Freezer against the fraudster recipient account holder and its suspect target bank account. Securing the funds in the recipient bank account just as fast as you can is the key to recovery.
Don’t Forget: If your bank, fund administrator, accountant, stockbroker (or even lawyer) transfers your money away to a fraudster’s bank account in breach of the contractual terms of their engagement with you or negligently, you should have the option of suing them to try to recover your losses, if you can’t get your money back from the fraudsters!
Top Tip: Never sign an indemnity presented to you by any organization who you are asking to hold your money, as it will inevitably incorporate a term exonerating them from all liability for acting in breach of contract or negligently by following a fraudster’s fake payment instructions (without verifying those instructions) and transferring your money away into clear blue sky! Sorry, you’ll have to read the small print for once (we all have to)!
Please contact Kevin or Sophia at kevin.bowers@bowers.law or sophia.tsang@bowers.law if you have any questions about this Room 228 Newsletter.
This Newsletter is not intended to be and should not be relied on as legal advice. You should seek professional legal advice before taking any action in relation to the subject-matter of this Newsletter.