
Legal aspects of fighting cybercrime appearing in the form of business email compromise

Business email compromise, or BEC, is a type of cyber-facilitated fraud where fraudsters compromise IT networks, intercept business communications, and, by using different manipulation techniques, trick employees into making wire transfers to fraudulent bank accounts. The fraud itself is not a new creature. It is an old trick, merely conducted with the use of modern technologies.

Five or six years ago, when we started to be instructed in matters of this type, our clients were mostly large corporations with the amounts taken running into millions of euros. The client pattern has changed over time. Now we less frequently see large corporations, while smaller and medium-sized enterprises are being tricked more often. It appears that large corporations have invested in compliance and IT solutions and have become more resistant. Smaller companies have not achieved this yet, and many of them were only forced to go online due to the pandemic.

It should be highlighted that Poland is not a jurisdiction the hackers are operating from, or where they are targeting their victims. However, it is frequently used by fraudsters as a money-transit hub. To trick a foreign business, a fraudster needs to divert payments to accounts in credible jurisdictions, not to an account in a jurisdiction that would immediately seem suspicious on its face. Hence, we see that defrauded monies are often diverted to fraudulent accounts opened at Polish banks, and then either forwarded from there to other accounts in more exotic jurisdictions, or cashed out.

The example of large corporations is promising. It shows that through awareness-raising programmes, proper compliance, and IT solutions, any organisation can mitigate the risk of BEC fraud. Raising awareness and change-account protocols do not require substantial investment, and based on our practice they can be effective. However, when an organisation does fall victim to a business email compromise fraud, time is of the essence.

In many cases in which we have been instructed, our clients were able to recover at least part of the defrauded funds, which were blocked by one of the banks used for the transaction. Banks are under a statutory duty to conduct anti-money laundering monitoring of transactions. If a particular transaction or pattern of client behaviour is suspicious, banks may suspend transactions and may block the account for the time necessary for a more thorough review.

It is evident that human employees do not screen every single transaction. Banks use IT systems to review transactions on an automated basis, and fraudsters try to fly below banks’ radar and use accounts in a way that does not trigger internal alerts.

Thus, if you realise that you are a victim of BEC fraud, it is critical to report it to the bank where the fraudulent account is held. If the bank was not aware of the fraud, it sure is now, and should take action. If the funds are in the account, the bank can block them. If the funds have already been forwarded to another bank, the bank can notify those other banks. If the funds have been cashed out, the bank should preserve the available evidence: closed-circuit TV recordings, IT logs of access to online banking, etc.

We report abuses to the banks for our clients. Those reports need to be filed as soon as possible, usually within hours. The report should be submitted through the channel that will give the best chance that it will be reviewed immediately. We usually use emails, hotlines, and online reporting. A report has to contain details and supporting materials showing the bank that it is credible and justifies action. We also advise clients to request their own banks to submit a similar report via bank channels like SWIFT. This adds to the credibility of the reporting.

Reporting the abuse to the bank is critical for recovery. However, it is certainly not enough. Banks may not disclose any information to us, due to bank secrecy laws. It is thus essential to also report the fraud to law enforcement. Only the law enforcement authorities can acquire information and documents from the bank so that the facts can be pieced together: what has happened to the funds, is any money blocked, are there any traces that could lead us to the fraudsters, etc.

Shortly after the investigation is opened, we are usually in a position to have a clearer picture of the further strategy. If the funds are blocked in the account, we can take actions aimed at getting them back. Currently the practice for returning stolen funds is rather straightforward. If the funds have been forwarded somewhere else, we may follow the money, and request law enforcement authorities to request other banks to produce information and see whether those other banks have blocked the funds.

At that point, we usually think about the next strategy. What are the prospects of detecting the fraudsters? Not merely the low-tier money mules, who often have no assets of their own and little ability to compensate for our losses. Can we detect higher-tier players? This is also a time when we start checking whether any third parties have caused or contributed to the loss and might be liable in damages (such as banks or intermediaries).

In the case of business email compromise frauds, it is also essential to determine to which of the parties the loss should be allocated. Should it be the sender of the money, or the party that was expecting the payment? This type of dispute is emerging, and resolution depends on the applicable law and the factual circumstances (e.g. whose IT systems have been hacked).

Unfortunately, there are too many of these cases. This type of fraud is only possible if the fraudsters can easily open and operate accounts in credible jurisdictions through which they can divert large sums of money to places removed from the reach of law enforcement.

Governments need to impose stricter rules on opening bank accounts, regulators need to enforce these rules better, and courts need to allow for private enforcement of these rules when banks fail to comply. Banks need to adopt better risk assessment and monitoring of accounts in near real time. Banks also need to partner with law enforcement and lawyers to create channels for reporting abuses, much as tech companies do.

We are sure that through public and private measures, the scale of this type of fraud can be effectively reduced in a relatively short time.

Łukasz Lasek, adwokat, Dispute Resolution & Arbitration practice, Wardyński & Partners


The content of this article is a part of Episode 6 of the programme News from Poland – Business & Law.