No one is immune from cyberfrauds and cyberattacks. Individuals, businesses, professional firms and even government organisations often fall prey to such attacks and become victims of numerous frauds carried out daily across the globe.
The FBI recently announced that in 2019 banks located in China and Hong Kong remained the primary destinations of fraudulent funds, most of which are the proceeds of cyberfrauds. In fact, the Hong Kong police handled 887 cases of commercial email fraud involving total losses of HKD1.7 billion (approximately USD219 million) in 2018, representing an almost 100 per cent increase on the total losses suffered in the previous year.
The situation in the PRC is equally serious if not worse. According to the latest report published by the China Justice Big Data Service Platform in November 2019, there were around 48,000 cybercrime cases handled by PRC courts between 2016 and 2018, with substantial increases each year.
Cybercriminals are becoming more tech-savvy and sophisticated in the ways in which these frauds are facilitated. However, despite the increasing number of cyberfrauds committed in the past couple of years, the underlying methods have not changed significantly. “Business email compromise” schemes, commonly known as “CEO fraud”, are still being deployed, and individuals at companies continue to fall victim to these well-worn schemes.
A refresher of some of the techniques used in cyberfrauds
In order to avoid becoming the next victim of an attack, corporations need to remain vigilant and educate their employees about the following techniques and schemes often deployed by cybercriminals:
- Sending emails and/or instant messages that impersonate the owner, CEO, Managing Director or other senior executives of the victim corporation. Generally, these messages will direct the victim's finance personnel to transfer funds quickly to an overseas bank account in order to complete an “important acquisition” or “share purchase” which is urgent and needs to be kept absolutely confidential.
- Utilizing email accounts with deceptively similar addresses, which look like genuine addresses unless checked with care, to confuse the victim. For example, replacing the letter “l” in the real email address with the numeral “1” in the fake one.
- Impersonating the counterparty of a business transaction and informing the victim’s business or finance personnel of a change in payment account details (due to business, tax or other reasons).
- Pretending to be reputable lawyers, accountants and other professional advisers in order to give more credibility to their fraudulent schemes. Fraudulent emails are often coupled with telephone calls to a corporation’s finance personnel that are purportedly from individuals of these professional firms.
- Once the victim corporation’s system is compromised, setting up inbox rules that redirect emails to an account controlled by the cybercriminals, furthering the fraudulent scheme while avoiding detection.
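Two of the techniques above (look-alike sender addresses and fraud-enabling inbox rules) can be checked for mechanically. The following is an added example, not code from the original article: a small Python script that classifies a sender address against a list of trusted domains by collapsing common look-alike substitutions (digit “1” for “l”, “rn” for “m”, a few Cyrillic letters), and that flags mailbox rules which forward to external addresses, delete matched messages, or target finance-related keywords. The list of confusables, the finance keyword list, and the mailbox-rule record layout are assumptions constructed for this example, not a vendor’s schema.

```python
import unicodedata

# Look-alike substitutions seen in impersonation domains (constructed list, not exhaustive).
# Covers ASCII digits/punctuation and a few Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "1": "l", "|": "l", "!": "l",
    "0": "o", "5": "s", "3": "e", "8": "b",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}

# Keywords that a fraud-enabling rule typically filters on (assumed list).
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "transfer"}


def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical form so that look-alikes map to the same string."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = d.replace("rn", "m").replace("vv", "w")                   # two-letter look-alikes
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typo-squats the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_sender(address: str, trusted_domains) -> str:
    """Classify a sender as 'trusted', 'lookalike' (impersonating a trusted domain) or 'unknown'."""
    dom = domain_of(address)
    trusted = {t.lower() for t in trusted_domains}
    if dom in trusted:
        return "trusted"
    sk = skeleton(dom)
    for t in trusted:
        tsk = skeleton(t)
        if sk == tsk or levenshtein(sk, tsk) <= 1:
            return "lookalike"
    return "unknown"


# Constructed sample of mailbox-rule audit records; the field layout is an assumption.
SAMPLE_RULES = [
    {"user": "cfo@example.com", "name": "Board papers", "forward_to": "",
     "delete": False, "keywords": ["board"]},
    {"user": "ap@example.com", "name": ".", "forward_to": "ap.example@external-mailbox.test",
     "delete": True, "keywords": ["invoice", "wire"]},
    {"user": "sales@example.com", "name": "Archive", "forward_to": "sales-archive@example.com",
     "delete": False, "keywords": ["newsletter"]},
]


def flag_suspicious_rules(rules, internal_domains):
    """Return (user, rule name, reasons) for rules that look like fraud-enabling redirects."""
    internal = {d.lower() for d in internal_domains}
    flagged = []
    for rule in rules:
        reasons = []
        fwd = rule.get("forward_to") or ""
        external = bool(fwd) and domain_of(fwd) not in internal
        if external:
            reasons.append("forwards to an external address")
        if rule.get("delete"):
            reasons.append("deletes or hides matched messages")
        if not rule.get("name", "").strip(" .-_"):
            reasons.append("near-empty rule name")
        if FINANCE_KEYWORDS & {k.lower() for k in rule.get("keywords", [])}:
            reasons.append("matches finance keywords")
        # Any external forward is worth a look; otherwise require two signals to limit noise.
        if external or len(reasons) >= 2:
            flagged.append((rule["user"], rule["name"], reasons))
    return flagged


if __name__ == "__main__":
    for addr in ["ceo@example.com", "ceo@examp1e.com", "ceo@exarnple.com", "friend@gmail.com"]:
        print(addr, "->", check_sender(addr, ["example.com"]))
    for user, name, reasons in flag_suspicious_rules(SAMPLE_RULES, ["example.com"]):
        print(f"{user}: rule {name!r} flagged: {', '.join(reasons)}")
```

In practice the sender check would run on every inbound message addressed to finance staff, and the rule check would run periodically over the mailbox-rule inventory exported from the mail platform; both are cheap, and a hit on either should trigger the out-of-band verification step that the payment procedure already requires.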
What corporations should do to prevent falling victim to such schemes
We set out below some practical tips to help you mitigate the risk of falling victim to cyberfrauds:
- Regularly remind employees of the company’s payment procedures and guidelines, which must be strictly followed. Any exception or deviation must go through defined approval steps.
- Provide regular training and updates to employees on cyberfrauds and cybersecurity risks, covering what they should and should not do to avoid falling prey to cybercrimes. Use practical case scenarios to illustrate to employees how these frauds are actually carried out.
- If this is not already being done by IT security, make sure that:
  - anti-virus and detection software are regularly updated;
  - regular reminders of phishing attacks and other IT security warnings are circulated; and
  - tailored penetration tests of the company’s IT systems are regularly performed.
- Develop and update effective incident response plans that designate clear roles, responsibilities, response actions and response teams in case of an attack. For example:
  - Who should be the lead responder? Should it be someone from in-house legal or IT security?
  - A designated response time for engaging outside experts. In particular, outside counsel experienced in this area should be contacted very quickly in the relevant local jurisdiction (typically the country into which the company’s funds have been fraudulently transferred), or someone who can connect you to such a local expert, in order to maximize your chance of recovering any lost funds and assets.