Recovery from cyber fraud loss in the COVID-19 era

In recent months, COVID-19 has led to a fundamental shift in the way we work. Millions of office workers are working from home or adopting flexible working arrangements on a daily basis. Meet-and-greet opportunities are completed over emails. Team meetings are conducted over video calls. This will be the “new normal” for a number of office workers in the foreseeable future.

With the rapid development of technology in the past decade, businesses are more equipped than before to support their employees in this “new normal”. However, businesses are also considerably more exposed to the risk of fraud resulting from cyber security breaches and technology crimes (“Cyber Fraud”) due to: (i) the frequent use of external networks and personal devices; and (ii) the increased difficulty of verifying payment requests from colleagues based in different locations.

In our view, the main risk areas for businesses include:

i.    CEO impersonation fraud: This is where an individual (e.g. a financial controller) receives emails from a fraudster impersonating the CEO of the individual’s employer. The fraudster then requests that urgent payment be made in respect of top-secret, high-value, but fictitious, transactions.

ii.   Change of payment instructions fraud: This is when an individual receives emails from a fraudster impersonating the business partner or supplier of the individual’s employer. The fraudster requests a change of payment instructions and requires payment of actual invoices to be made to companies controlled by the fraudster.

In Hong Kong, 887 cases of a similar nature totalling HK$1.7 billion were reported in 2018.[1] Due to the increased vulnerabilities of working in this “new normal”, we anticipate a sharp upward trend in the number of cases and amount involved in Cyber Fraud in the near future.  

Nonetheless, even if Cyber Fraud occurs, businesses still have a realistic chance of recovering losses if they act quickly upon discovering the fraud. In particular, businesses that have been defrauded into making payments to Hong Kong bank accounts should adopt the following two key steps in order to maximise recovery in Hong Kong.

Step 1: Report to Hong Kong Police

Businesses should file a report with the Hong Kong Police as soon as a Cyber Fraud is discovered. The report can be made in person at the nearest police station in Hong Kong. Alternatively, an electronic report can be submitted online[2] and later supplemented by a formal statement to the Hong Kong Police.

Upon reviewing the information reported, the Joint Financial Intelligence Unit may issue a letter of “no consent” (“No Consent Letter”) to the bank to state that it does not consent to dealings in the Hong Kong bank account which received the payments related to the Cyber Fraud.

While the No Consent Letter strictly speaking does not legally bind the banks, in practice, banks in Hong Kong tend to give effect to the No Consent Letter by temporarily freezing the bank account in question. That said, the Hong Kong Police has full control of whether, and if so when, to issue the No Consent Letter. Further, the Hong Kong Police does not have jurisdiction to recover monies on behalf of businesses and expects businesses to recover monies by instructing lawyers to commence civil action in Hong Kong. Therefore, businesses should not rely on the No Consent Letter other than as a potential temporary “hold” on the bank account in question and should proceed with Step 2 without delay.

Step 2: Obtain injunction and banker’s disclosure orders

At the same time as Step 1, businesses (which are referred to as the “Plaintiff” below) should take out legal action in Hong Kong on an urgent basis in order to potentially apply for the following injunction and banker’s disclosure orders:

  1. Proprietary injunction – The Plaintiff has a proprietary claim over the funds that have been defrauded from the Plaintiff by the fraudster pursuant to the Cyber Fraud. The purpose of a proprietary injunction is to freeze the assets to which the Plaintiff has such a proprietary claim. In order to obtain the proprietary injunction, the Plaintiff is required to demonstrate that:

    a. there is a serious issue to be tried on the merits;
    b. the balance of convenience is in favour of granting a proprietary injunction; and
    c. it is just and convenient to grant the proprietary injunction.

  2. Mareva injunction – There is a high risk that the fraudster may dissipate its assets such that any judgment eventually obtained cannot be executed against its assets. Thus, it is necessary for the Plaintiff to apply for a Mareva injunction as a “top-up” protection in support of the proprietary injunction. For this application, the Plaintiff is required to prove that:

    a. it has a good arguable case on a substantive claim;
    b. there are assets within the jurisdiction;
    c. the balance of convenience is in favour of granting a Mareva injunction; and
    d. there is a real risk of dissipation of assets or removal of assets from the jurisdiction which would render the Plaintiff’s judgment of no effect.

  3. Banker’s disclosure order – In order for the Plaintiff to trace the defrauded funds, the Plaintiff will need to apply for disclosure of banking documents against the third-party bank pursuant to section 21 of the Evidence Ordinance (Cap.8). In order to obtain the banker’s disclosure order, the Plaintiff is required to show that:

    a. there is a real prospect that the information may lead to the location or preservation of assets to which it is making a proprietary claim;
    b. the request is sufficiently specific; and
    c. the documents should be disclosed on the balance of prejudice in terms of the potential advantage to the Plaintiff versus the potential detriment to the fraudster.

Businesses should act promptly and instruct lawyers to prepare the necessary application documents for the injunction and banker’s disclosure orders mentioned above. The applications should then be listed on an urgent basis before the duty judge. If a No Consent Letter is issued, then businesses should be under slightly less time pressure but should still issue the civil action without delay.

Although delay by the Plaintiff may not technically need to be justified, this is a question that the Hong Kong court will likely ask when it is deciding on whether to grant the injunction and banker’s disclosure orders. Any delay by the Plaintiff is also an issue that can be raised by the fraudster if the fraudster objects to the grant of the relief applied for. It is thus in the best interests of businesses to act immediately upon discovering Cyber Fraud.

Conclusion

The total number of cases and total amount involved in Cyber Fraud are projected to be on the rise in the COVID-19 era. Businesses should therefore have in mind the two key steps set out above in relation to payments made to Hong Kong bank accounts as a result of Cyber Fraud. Businesses should also act swiftly upon discovering Cyber Fraud in order to maximise recovery from Cyber Fraud loss in Hong Kong. However, the factual circumstances relating to each incident of Cyber Fraud will be different and the potential success of recovery may vary depending on multiple factors including when the Cyber Fraud was first discovered. Businesses will ultimately need to balance competing commercial needs in order to develop the most suitable strategy bearing in mind the merits, risks and costs of any potential recovery strategy. Therefore, the best option is to seek legal advice promptly upon discovery of the Cyber Fraud. This will enable businesses and lawyers to proactively work with each other to develop a tailor-made loss recovery strategy at the earliest opportunity.

[1] https://www.police.gov.hk/ppp_en/04_crime_matters/tcd/types_12.html

[2] https://www1.erc.police.gov.hk/cmiserc/CCC/PolicePublicPage?language=en