Cybercrime—How do they happen and what legal recourse is available?
From Nigerian nobility scams to international cyber-hacking syndicates to the recent COVID-19 themed phishing emails, the nascent history of cybercrime has been littered with animated anecdotes of imaginative methods through which assets have been wrongfully wiped out from individuals and organisations by unscrupulous and exploitative fraudsters.
This note provides an overview on how unwitting parties may fall prey to cybercriminals, some preventive measures, and the possible legal recourse available.
The Cyber Criminal’s Toolkit
A fraudulent attempt, typically carried out by email or by phone, to steal confidential personal information: Cyber fraudsters may send out messages from sham email addresses that resemble those from trusted institutions such as banks. These messages are designed to trick unsuspecting individuals into clicking on a link or opening an attachment. The individual is then lured under the guise of requiring to update their personal details with the trusted institutions to provide confidential and sensitive data such as their identification number, bank account number, credit card number, and password.
Business impersonation scams
This often involves the fraudster impersonating a trusted business partner / supplier: Once a business email account is successfully breached (through phishing, social engineering, malware, or a combination of the three), the fraudster begins to send emails that appear to be from the legitimate owner of that email account. Unsuspecting recipients of emails from this account may be directed to make money transfers to accounts held by money mules, and the latter will be directed to transfer those sums to an offshore account.
This is the process where hackers steal data by “sniffing” internet traffic: These sniffers may tap into an unsecured and unencrypted Wi-Fi network to monitor and capture all data packets passing through the network. Confidential information such as banking details, user IDs, and passwords, are effortlessly captured by the “sniffers” in such cases.
To avoid being a victim of such cyber fraud, individuals and businesses should refrain from using passwords or codes that are susceptible to brute-force attacks. Sensitive information should also only be relayed over a secured network. In this regard, those working from home during this coronavirus crisis should ensure that their WiFi network is secured and that easily-deducible passwords are avoided. Further, regular and frequent checks should be conducted to ensure that devices are free from malware.
Organisations such as banks have long introduced two-factor authentication to add an additional layer of security for customers. When a business partner or counterparty emails to inform that his / her bank account for payment has been changed, it is prudent for businesses and individuals to likewise employ a two-factor authentication e.g. to make a telephone call to confirm the purported change of instructions.
However, even these measures above may still not be effective against phishing attempts, especially as fraudsters are becoming more and more skilled and sophisticated. Ultimately, it remains vital for everyone to be vigilant and be alive to the various ways that assets may be misappropriated by cyber fraudsters.
Liability for Organisations
Institutions are also facing increased pressure to fortify the protection accorded to clients. A complacent organisation may find itself to be in breach of Section 24 the Personal Data Protection Act 2012 (PDPA), which requires organisations to make reasonable security arrangements to protect personal data in its possession. In 2019, Singhealth and IHiS were issued a combined fine of S$1,000,000 for failing to take adequate security steps or arrangements to protect personal data in their database.
For individuals, it would be prudent to assess the security measures of an institution before entrusting it with their personal data which may be used by unscrupulous parties for unsavoury ends.
Legal Recourse to Trace, Identify, and Recover Assets
Even though preventive measures are undertaken, oftentimes it just takes a momentary lapse by a single individual which is cruelly exploited by a fraudster to wipe out substantial funds from a business’ or individual’s bank account.
In such a scenario, one should quickly seek legal advice and take the necessary action immediately to try to recover the assets wrongfully transferred. A police report should be made without delay.
As the identities of the fraudsters are unknown, it will be necessary to seek out information from third parties who may be innocent but are nevertheless mixed up in the act. Innocent money mules are generally ready and willing to provide information to assist victims. However, the modern fraudster knows too well than to leave traces of themselves to money mules. As such, any information acquired from these money mules are likely to be of very limited assistance.
In these circumstances, Court orders should be sought to obtain documents and/or information from non-parties with a view to identify the offender. Such orders may be obtained against non-parties based on the Norwich Pharmacal principle, which states that an innocent third party who has been mixed up in tortious acts of others is under a duty to assist the wronged party by giving him full information and disclosing the identity of wrongdoers.
In the context of cross-border fraud, email routing and address data may be sought to be obtained to help identify the sender of an email. Additionally, the Internet Protocol address of a registered user of a website may be sought to be disclosed as well. This last point is particularly useful in the case of frauds perpetrated via social media networks.
Acquiring information from banks and obtaining a “freezing order”
Where discreet bank accounts are used to conceal the location of the funds acquired through fraud, it may be expedient to apply to Court for a Bankers Trust order. This compels banks to disclose information in support of tracing such funds.
Although funds may be traced to a particular account, it is generally inadequate to solely initiate Court proceedings to recover those funds.
As online banking has enabled funds to be dissipated with great ease, it would be imperative to take out a Court order to prevent those funds from being squirreled away.
Therefore, a Bankers Trust order is frequently followed by / applied together with a Mareva Injunction (also commonly known as a freezing order). A Mareva injunction prohibits a party from dealing with its assets in the interim, effectively freezing the party’s assets pending a final determination of the matter before the Courts.
In certain cases, Mareva injunctions can even apply to assets outside the jurisdiction. This can be useful where some of the funds have been transferred overseas.
Individuals and businesses (particularly the finance and IT security teams) are well advised to stay abreast of the latest developments relating to cybercrime. As society continues to become increasingly entwined with all things digital, our susceptibility to fraudulent schemes and cyber-attacks has never been greater. Nevertheless, there are preventive measures to mitigate such risks. There is also legal recourse available as highlighted above but one should definitely act as quickly as possible in order to secure recovery.
If you require assistance to recover assets where cyber-fraud has been perpetrated or for any other litigation dispute, please do not hesitate to get in touch with Lionel Chan via + 65 6239 5874 or email@example.com.