Around the world there have been numerous cases of cross border email scams where individuals or companies received scammed or spoofed emails that pretend to be from C-suite or senior staff of the company or business partners to wire transfer funds to bank accounts in Asia, a lot of times coming to or going through Hong Kong.
According to the statistics from the US Federal Bureau of Investigations (the “FBI”), the domestic and international exposed US dollar loss between October 2013 and May 2018 due to business email scam cases exceeded USD 12 billion. The Cyber Security and Technology Crime Bureau of the Hong Kong Police mentioned at the recent Information Security Summit 2018 conference that every day, 400 companies in Hong Kong are being targeted with business email scams and 70% of all cybercrime losses in Hong Kong are from email scam cases.
What are the different types of scams?
The scams come in many different forms and below are two common examples:
- The Chief Financial Officer (the “CFO”) (or someone in the company that has authority to arrange to wire transfer funds – in some cases this include temporary administrative staff) received a spoofed email from the Chief Executive Officer (“CEO”) or a business partner that funds are required to be remitted to a new bank account for a secret project or because of new business arrangements resulted in the opening of a new bank account. The amount of the transfer is not too big and ranges from USD 10,000 to USD200,000 that the CFO would have authority to instruct the transfer without the need of any second authorization or checking.
- A variation of the above is that the CFO or staff is asked to contact a third party or a lawyer with another email address so that the CFO would no longer be communicating with the “CEO” that uses the company’s email address domain name.
I have been scammed, what happens next?
Once it is found out that the scammed money have been wire transferred to a bank account in Hong Kong, the person or corporation who is the victim of the deception should immediately contact the bank to contact its correspondent bank to try to stop the fund transfer. At the same time, the victim should file a report to the local police and directly to the Hong Kong Police. A report to the Hong Kong Police on business email scams or cybercrime can be made electronically via the Internet through the e-Report Centre of the Hong Kong Police.
Sometimes the money might have left Hong Kong or further transferred to another account already but if the report to the police is made quickly enough, the police would notify the relevant bank and the bank would likely stop the operation of the bank account as the money in the bank account might be crime proceeds with potential money laundering implications, which would effectively be a “freeze” on the account and the monies in the account would be kept on hold.
In some cases, the monies might still be in the bank account even after a while after the victim discovered that it had been scammed because the bank account holders might be a different group of people other than the email scammers. The bank account holders might also be criminals but offering the accounts as a service for money laundering purposes. Hence there might be multiple sums going through the bank account at any one time and for any particular remittance that went into the bank account, the bank account holder/operator would need to wait for instructions from the remitter on how they would like the funds to be remitted out and to whom. So if a police report is made or civil legal action is taken quickly enough, the victim might still be able to recover the monies from the bank account.
It is not easy to ask the banks for assistance or information on the amount of money in the subject bank account. The banks would usually respond that they could not assist due to banker and customer confidentiality duty and if the victim would like to have the information, the victim should apply for a Civil Court to compel the bank to disclose such information to the victim. But if the money is already gone, then it would be a waste of legal costs and time to obtain a court order with an answer from the bank that there is nothing left to pursue.
If the matter has been reported to the police and the police investigates the matter as a potential crime or money laundering case (the monies in the bank account may be crime proceeds from a deception offence), in the course of the police’s contact with the bank, the bank might have provided information of the bank account including the amount of money in the account to the police. The business email scam victim as the complainant to the police may enquire with the police the amount left in the bank account and the police might provide that information to the complainant. If such information is available, then it would be easier for the victim to assess whether it is worth pursuing. If the money is long gone or the amount is small, it may not be worth throwing good money after bad.
If there is still money in the bank account that has been “frozen” due to the ongoing police investigation, then the victim needs to move fast to take civil legal action against the bank account holder for recovery of funds and ancillary enforcement actions to compel the bank to pay out the money to the victim. Given that the bank account might be used for money laundering, which means that funds in the bank account might be chased by different victims, if one is not quick enough, even if a judgment is obtained against the bank account holder, there could be competing judgments and enforcement actions.
In Hong Kong, an asset-freezing injunction (a Mareva injunction) can be obtained quickly on an urgent basis and also ex parte (unilateral) basis. But it can be costly and the injunction will need to “bite” the money in the bank account when it is still there. Sometimes the bank account holder might agree that an injunction be imposed to preserve the status quo and in such a scenario, the injunction application can be made by consent of both the claimant and the defendant (bank account holder).
In some cases, an unusual situation might arise where the bank account holder might defend the claim as they might also be (or claim to be) the victim of fraud. There have been cases where the bank account holder received funds from a “buyer” of goods that the bank account holder as a trader or manufacturer had delivered, not knowing that the funds for the goods were from another victim of a business email scam that has been tricked to send funds to that bank account. In such a scenario, there could be 2 innocent victims competing for the same funds. Whether the bank account holder as the defendant can resist the claim will depend on whether it could show that it was an innocent party and had changed its position in good faith as a result of the incoming (disputed) funds.
What can I do to avoid getting scammed?
Given that many of these cases are cross-border and can involve multiple jurisdictions, it is difficult for law enforcement agencies or lawyers to pursue and chase the funds by way of criminal or civil procedures. Accordingly, the best way is to invest in preventing this from happening, including enhancing administration and systems upgrade to check and monitor incoming phishing emails and cross-border wire transfers. It is also important to train and raise the awareness of the staff.
The FBI has a very good tip when responding to emails or any suspected emails: don’t hit “Reply” but hit “Forward”. The reason is that if the email was a spoofed email from a scammer, if you hit “Reply”, it will usually auto-fill the email address field with the email address of the sender of the incoming email and send a reply email enquiring or checking with the person who sent the email, you will only reach the scammer and receive another fake email. But by hitting “Forward”, you will need to type the real email address of the person and the email will reach, say, the true CEO or CFO who will expose that the email for fund transfer was a spoofed email.
Enterprises may also consider buying cyber insurance that may cover business email scam incidents.
Have any questions about cross-border email scams?
If you have any questions about cross-border email scams, you can get a Quick Consult with Dominic Wai or with other lawyers. With Quick Consult, for a transparent, flat fee, a lawyer will call you back on the phone to give you legal advice.
This article is written by Dominic Wai from ONC and edited by Rishika Pundrik of Asia Law Network.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.