What is `man-in-the-middle' fraud?

A form of fraud, colloquially known as a `man-in-the middle' attack, has become increasingly common in recent months. Targets of a manin-the-middle attack range from individual consumers to large multi-nationals. The mechanism of the fraud is as follows:

A fraudster creates one or more email addresses that are visually similar to those of one party say, Party A to a legitimate commercial arrangement. For example, Party A's email address might be `operations@partya.com', so the fraudster might create the address `operalions@ partya.com' (the difference here being underlined). The fraudster will then contact Party A's counterparty say, Party B using the visually similar email address, misrepresenting himself to be Party A. The fraudster hopes that Party B will not notice the change in the email address (which is apparent on the face of the email received by Party B) and will instead simply press `Reply' to the fraudster's email. The fraudster can then continue to communicate with Party B, unbeknown to and to the exclusion of Party A. Generally the fraudster will seek to divert payments that Party B owes Party A and to abscond with those payments before either Party A or Party B realise that the third party was involved.

The fraudster's initial way in relies on either fortunate guesswork on their part or on obtaining access to previous emails between Party A and Party B (eg. by hacking one or other email accounts). Neither Party A nor Party B through any act or omission facilitate this fraud; it is the fraudster who interposes himself into the transaction (though it would be open to Party B to discover it by carefully checking the email addresses on received emails).

How to avoid falling victim to the fraudster?

As indicated above, it is open to Party B to prevent this form of fraud occurring by checking the identities and email addresses of those people from whom Party B receives emails. Party B should not rely on the `display name' of the email sender (which is selected by that sender), but should instead make sure that the underlying email address from which the message originated is one that he, Party B, recognises and does not include typographical errors. Party B should be particularly careful if he receives an email asking him to do anything unexpected. The classic example of a man-inthe-middle attack is where the fraudster asks Party B to change the bank account to which payment should be made, often after the real Party A has sent an invoice with the genuine bank details on it. A fraudster will often take steps to mimic the language used by Party A, the email signature, and may even copy onto a fraudulent replacement invoice images of stamps, seals or written signatures that have been applied to Party A's original invoice. (Another indication that Person B can be on the lookout for is therefore a perfectly identical signature appearing on multiple documents, when slight variations would be expected if each was a genuine signature applied by hand to different documents.)

If in doubt, Party B should not rely on assurances as to legitimacy via email (which may, after all, be coming from the fraudster not Party A). Party B should contact his counterparty by other means such as by telephone to confirm any changes in payment instructions. Party B should also beware emails apparently from Party A insisting that payment be made quickly for whatever reason.

What to do on discovering the fraud?

Understandably, in a busy commercial operation, Party B or its agents might not always take all of the steps that they ought to. If a fraudster successfully dupes Party B into paying, what should Party B do? The first step will always be to contact the bank from which Party B made payment. In some circumstances, such as in SWIFT payments, the bank might be able to withdraw the payment if the fraudster has not yet received the money. In any event, the bank will be able to apply a trace to the funds which may assist in later recovery.

Party B's bank will also often be able to provide details of the bank which received the payment. Party B could then approach this bank, seeking information about the identity of the account holder. It is rare that a bank will be able to provide this voluntarily given its data protection obligations, but often the bank will agree not to object to an application by Party B to the court for a Norwich Pharmacal order. This form of order requires the receiving bank to disclose information about the account holder and the location to which any funds were forwarded. Party B could also consider seeking freezing relief against the fraudster at this time. With a degree of luck, Party B might freeze the funds and be able to recover them pursuant to a claim in deceit or restitution. Clearly, the earlier Party B takes action, the more likely it is that recovery will be made (as there has been less time for the fraudster to hide the proceeds of the fraud).

Who bears the loss if the fraudster escapes?

Regrettably, Party B's efforts to recover the funds from the fraudster are frequently unsuccessful. Professional fraudsters will pass the funds through numerous accounts, often in several jurisdictions and using shell companies, which makes the process of tracing, freezing and enforcing against the funds laborious. Party B will then have to consider his position vis--vis Party A.

If the fraudster escapes with the money, either Party B will have to pay again (so bearing the loss) or Party A will be deprived of his payment (so bearing the loss). It would ordinarily be expected that Party B would be required to pay again, but this will be determined by the precise terms of the contract between Parties A and B and what Party B's payment obligation was. This will vary from case to case.

A further complication as between Parties A and B is presented by the involvement of brokers or other intermediaries. It is common in many industries (shipping and insurance, among others) for the relationship between Parties A and B to be brokered by an agent, and fraudsters will often target such intermediaries. By tricking the agent, the fraudster hopes that the agent will pass the fraudulent messages on to Party B, who will be unable to detect the fraudulent origin of the message. Where the agent is exclusively acting on behalf of either A or B, the position is clear: the act of the agent who has been duped by the fraud is deemed to be the act of their principal. However, where the agent is the joint agent of both Parties A and B, the question of which party bears the loss of the fraud depends on the capacity in which the agent was acting at the relevant time. The principles underpinning dual capacity in agency in circumstances such as these are far from clear, and it should be expected that this will be a hotly-contested area until those principles have been established.