Scammers use DocuSign API to send fraudulent invoices
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
Fraud is a serious criminal offence. So, when we think of holding fraudsters to account, we automatically think of the criminal justice system. However, it is worth considering fraud and its relation to the civil law. A recent case in England shows that it may be possible for fraud victims to recover stolen funds using the civil courts.
The case involved an individual based in England, who had 15 million Euros stolen from their Cayman Islands bank account. The Cayman Islands bank had sent the funds to the fraudster’s bank account after receiving a fake payment order, despite having conducted two verification calls. The verification calls had been placed to a mobile phone controlled by the fraudsters.
Upon investigating the incident, the fraud victim discovered that the stolen funds had been transferred to a bank account in England. This was the fraudster’s big mistake. It provided the victim with an opportunity to be a claimant in the English civil court system.
Under English law, a provision exists for victims to launch claims against “persons unknown.” The intent of this provision is to allow victims to pursue cases against wrongdoers whose identity is not yet known.
As a result, the court was able to freeze the bank account that received the stolen funds, whilst requiring the bank to disclose the beneficiary of the account. Furthermore, since most of the funds had already been dispersed to other bank accounts, the claimant was able to piece together a chain of money transfers, resulting in more accounts being frozen.
This approach allowed the claimant to trace and freeze approximately 11.5 million Euros. Crucially, it gave them time to investigate the methods used by the defendant, to prove that these funds were indeed stolen.
By filing a third-party disclosure application against a mobile phone company, the claimant revealed that the defendant had purchased a phone specifically for use in the verification calls with the Cayman Islands bank. The defendant claimed to have received emails from a third-party asking them to receive the funds, but the claimant was able to demonstrate that those emails were spoofed. Nor could the defendant answer why the funds had been dispersed so rapidly to a series of other bank accounts, all linked to his close associates.
All the evidence compiled by the claimant was strong enough for the court to issue a summary judgement against the defendant. Whilst not able to recover all the stolen funds, the claimant was able to recover a significant portion of it.
There are significant differences between legal regimes in Australia and England.
For starters, the ability to launch civil claims against “persons unknown” is unique to English courts. Under normal circumstances, Australian courts would require a defendant to be named. This makes it difficult for Australian fraud victims to ensure bank accounts are quickly frozen whilst they gather evidence to identify the beneficiary and prove that the funds were the proceeds of crime.
Furthermore, England, along with Singapore, are the only jurisdictions in the world with the authority to issue worldwide injunctions to freeze bank accounts. For any Australian fraud victim who has seen their funds moved offshore, Australian courts are limited in their ability to assist.
However, perhaps the biggest obstacle to pursuing fraud through civil courts is the cost.
Not only would a victim need to avail the services of lawyers, but they would need specialist private investigators or digital forensics experts to compile the evidence they require. None of this comes cheap. Unless the size of the fraud is substantial, the costs associated with civil law action would likely outweigh the benefits.
Clearly, preventing fraud in the first place is the best strategy. With the legal costs of civil action so high, it makes sense to invest in systems that will prevent these types of fraud.
The bank in the Cayman Islands was deceived by a fake payment order. Even though they conducted verification calls, they inadvertently made those calls to the fraudster himself. It is likely that bank staff simply called the phone number listed on the fake payment order, rather than independently sourcing the account owner’s genuine phone number.
With a system like eftsure in place, sophisticated fraud of this nature would not succeed. eftsure enables a payer to verify bank account details against a database that aggregates millions of proof-of-payment datapoints. This helps ensure that funds are never inadvertently sent to a fraudster’s bank account, no matter how sophisticated the fraudster is.
Reach out to us today for a no obligation demonstration of eftsure, and how it can help you avoid these types of fraud and avoid costly legal action.
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
Because LinkedIn is used as a professional networking platform, account holders don’t use the same caution as they would on Facebook or …
US construction and government sectors lost $7.7 million in BEC scams. Learn how fraudsters exploited financial controls and how finance leaders can protect their organisations.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.