Combatting cyber fraud: Practical advice for businesses

23rd September 2021

Faceless fraud: the issues

The fact that cyber fraud is on the rise is well documented.  To date, so too has been the reality that pursuing criminals through cyberspace and actually recovering any assets is fraught with legal and practical difficulty and risk.

How do victims pursue defendants whose identity is unknown; how do they collect evidence and/or trace assets which exist only in digital form and which are perceived to be capable of deletion or dissipation instantly with a click or a swipe; and do the up-front costs which a defrauded victim must meet in order to seek justice represent a worthwhile investment, or does taking legal action in such cases involve throwing good money after bad?

It is reassuring to note, from a number of recent, high profile cases, that whilst cybercrime and fintech are developing apace, the law of England and Wales is, for all practical purposes, keeping up.  Taking tangible action against fraud in cyberspace is therefore becoming more widely understood, more effective and therefore more worthwhile from a cost/risk perspective.

The UK courts’ response

The recent cases of AA v Persons Unknown [1] and Fetch.ai v Persons Unknown [2] (both of which are explained in our more detailed video on combatting cyber fraud) together address and overcome some of the key legal, technical and procedural hurdles which a victim of cyber fraud can face.

Establishing England and Wales as a leading jurisdiction for the prosecution and resolution of such cases, AA and Fetch.ai confirm:

• Cryptocurrency assets are recognised as property under UK law and private keys associated with cryptocurrency accounts constitute confidential information.
• Cryptocurrency assets are located (and claims associated with them can be heard) wherever the owner has a residence or place of business.
• The Civil Procedure Rules contain various ‘jurisdictional gateways’ which, if met, allow for service of claims out of the jurisdiction. That can facilitate the service of UK-based claims and injunction applications against defendants/respondents who are based elsewhere, whether that be in another part of the world, or even in cyberspace.
• Cryptocurrency cyber fraud cases demonstrate a tendency towards the finding of exceptional circumstances to allow service by means not otherwise permitted. Courts may be especially willing to make orders for service by alternative means in cases where service under the Hague Convention for service abroad would take weeks or months.
• A proprietary injunction prevents a person from dealing with assets in which a claimant has a proprietary interest. Proprietary injunctions attach to the assets in question (whereas freezing injunctions attach to defendants/respondents personally) and can therefore give greater security to a claimant.  Proprietary injunctions are also less intrusive as against defendants than ‘freezers’.
• Where a claimant does not have a proprietary claim, they can nevertheless pursue a freezing injunction even in circumstances where the identity of wrong-doers is unknown. The UK courts are generally willing to take a sensible and pragmatic approach to awarding an injunction to assist a victim of fraud or other harm/tort caused by persons unknown.
• Applications for injunctions often need to be supported by specific additional tactical orders, perhaps requiring third parties to disclose information, documents or even identities that would otherwise be subject to duties of confidentiality.
• A Norwich Pharmacal order is a fairly wide disclosure order which can be made against a person who is not a party or wrongdoer, but who may be able to provide information needed to identify a party/wrongdoer or to facilitate the seeking of redress.  Norwich Pharmacal orders cannot be made outside the jurisdiction.
• A Bankers Trust order is a slightly more limited option than a Norwich Pharmacal. It can require banks or financial institutions to disclose account information and can therefore still be highly effective in fraud cases.  Bankers Trust orders can be made outside the jurisdiction.

Practical advice

The UK courts offer tangible and time-sensitive options for victims of cyber fraud.  However there are also some practical steps that businesses can take to protect themselves and their customers.

In terms of prevention:

• Customers/clients should be advised of the risks – if they are alive to the risks they can help.
• Staff training on the indicators of cybercrime and fraud, as well as the business’ own fraud-related policies and procedures, is vital.
• Policies, procedures and reporting requirements should be reviewed and updated, and training should be repeated regularly. Cybercrime is a sophisticated and fast-moving phenomenon.
• Adopt and foster a security culture. That should include cyber security governance; the identification and protection of key assets; fit-for-purpose IT capabilities and business continuity plans; and a comprehensive understanding of data storage and security.
• Be mindful of what information is being transmitted by email and, if practicable, consider meeting to speak (whether by telephone, virtually, or in person), rather than always communicating by e-mail.
• Where electronic communication is preferred, encrypted e-mails and password protected portals offer much greater security.
• Any instructions that are given to change account or payment details should be treated with the utmost caution, investigated thoroughly and ideally confirmed in person.

If you do find yourself or your business a victim of fraud:

• As well as following any internal incident management regime, you should immediately notify the police, any lender and/or insurer, any other parties to the transaction or the customer/client and any interested/industry bodies.
• Seek immediate specialist legal advice. Walker Morris’ Commercial Dispute Resolution team has significant expertise in fraud claims and would be able to urgently initiate a proprietary and/or freezing injunction to try to preserve stolen assets, together with our Technology and Digital and wider teams, who are well used to advising from a prevention perspective, for example on matters such as governance and/or data security.
• If the whereabouts of monies is unknown, Walker Morris and specialist legal tech/fintech investigation firms also have extensive experience in tracing and recovery.

Cybercrime and fraud are risks that are on the rise, but so too are the knowledge, technological means and legal expertise required to effectively respond to and combat them.  The best means of protection are to be proactive in your data protection and security practices, and to have expert legal assistance in your corner just in case anything does go wrong.

Please do not hesitate to get in touch.

[1] [2019] EWHC 3556 (Comm)

[2] [2021] EWHC 2254 (Comm)