The English High Court has demonstrated a willingness to adapt existing practices to address the challenges posed by payment fraud in the digital age. In the case of CMOC Sales and Marketing Limited v. Persons Unknown [2018] EWHC 2230 (Comm), the High Court granted a worldwide freezing injunction against "persons unknown" responsible for misdirecting substantial payments by hacking emails, and permitting service of documents by electronic means such as WhatsApp, Facebook and via an online data room.

Not all jurisdictions have proven themselves to be as willing to manufacture remedies for those who have fallen victim to cyber attacks. Dentons' Global Injunctions Toolkit, available without a subscription at www.globalinjunctions.com, provides a comparative overview of the available procedures in 35 countries around the globe, allowing its users to gain insight almost immediately upon discovery of a fraud into the principles governing injunctive relief in those jurisdictions which may be relevant in their own case.

Facts

In CMOC, the claimant company was the victim of a fraud by which unknown criminals hacked into its email system and caused the payment of approximately US$8 million to fraudulently controlled bank accounts.

Some 10 days after the fraud was discovered, CMOC obtained a worldwide freezing injunction against "persons unknown" as the identity of the fraudsters and ultimate recipients of the misdirected funds were not apparent at that stage. The claimant then began the process of identifying the culprits by obtaining information and disclosure orders against the banks to which the funds had been transferred.

This was an extensive, complex and time-consuming process. Over the nine-month period from obtaining the injunction until trial, some 14 applications were made to the Commercial Court, together with another seven on paper, concerning payments made to some 50 banks in 19 jurisdictions. As matters developed and further information was obtained, CMOC joined various parties to the proceedings, often serving formal court documents by electronic means such as WhatsApp and Facebook. The claimants also set up an online data room containing key documents and provided various interested parties and defendants with access as a means of serving those documents upon them.

In the event, the perpetrators did not engage with the proceedings and the claimants obtained judgment at trial, together with a costs order in their favour on the indemnity basis. The extent to which CMOC has been able successfully to enforce the judgment obtained so as to recover assets is unknown.

HHJ Waksman QC (sitting as a Judge of the High Court) noted that it had been established law for some time that the court had jurisdiction against persons unknown in appropriate cases: see, for example, the judgment of Sir Andrew Morritt VC in Bloomsbury Publishing Group Limited & J.K. Rowling v. News Group Newspapers Limited [2003] 1 WLR 1633, a case concerning restraint of the early publication of a Harry Potter manuscript.

The Judge noted: "… there is a strong reason for extending the principle in [the context of cyber fraud], which is that the freezing injunction can often be a springboard for the grant of ancillary relief in respect of third parties which arguably could not get off the ground unless there had been a primary freezing injunction".

Further, said that Judge, proceeding in this way meant that "vital information is likely to be obtained from banks in particular as to the identity of the account holders pursuant to the principles in Norwich Pharmacal Co v. Customs and Excise Commissioners [1974] AC 133 and/or Bankers Trust v. Shapira [1980] 1 WLR 1274. This may result in the claimant being able to name and investigate particular defendants…", leading ultimately to recovery.

Claimants who are defrauded of large sums of money will wish to move as quickly as possible to recover the stolen funds through injunctive relief. The CMOC case shows that the English courts will typically take a pragmatic and creative approach where possible to protect the interests of those who fall victim to this crime. Not all jurisdictions do so. Dentons' Global Injunctions Toolkit provides its users with a means of comparing the approach of multiple countries' courts simultaneously upon discovery of a fraud and assists in ensuring that recovery action is appropriately coordinated and targeted.

The High Court followed its approach in CMOC in its recent decision in World Proteins v. Persons Unknown [2019] 4 WLUK 35, where it held that a freezing injunction should continue against persons unknown, following push payment fraud of €500,000. In this case, a fraudster managed to spoof emails to the claimant from what appeared to be its long-time supplier, which led to two payments of €1,500,000 and €500,000 being paid into the fraudster's bank account with Barclays. Once the claimant had discovered the fraud, it was able to recover the €1,500,000 – however, the position regarding the €500,000 was not as straightforward. Consequently, the claimant immediately issued a claim for the monies and applied for a freezing injunction over the account. Although the name of the fraudster was not known at the time, the owner of the account was clearly identifiable as the beneficiary of the payments received.

Following CMOC, the freezing injunction was granted, following which the identity of the individual was revealed through disclosure of bank records. It was discovered that, of the €500,000 transferred to account, €141,000 had been dissipated to three accounts in Dubai. The remaining balance of €359,000 was frozen. The individual was added to the proceedings pursuant to CPR 19.2.4. The claimant then made an application for default judgment, which was granted on the basis that the individual had failed to respond to or engage with the proceedings in any way.