Forensic accounting: An overview

Forensic accounting entails a process of auditing, accounting and investigation into a company’s finances. The information obtained can then be used in court, with forensic accountants often being required to give a statement as an expert witness on a case.

A forensic accountant typically begins their career as an accountant or auditor, before specialising and training for further credentials, for instance, the Certified Fraud Examiner (CFE) designation. To qualify, accountants require deep knowledge of tax legislation and financial reporting. The role involves scrutinising accounts and finding hidden or concealed money in an efficient and concise manner. Forensic accountants are versatile, working with data and numbers, and articulating their findings in a way that is presentable to a court.

A forensic accountant will be familiar with legal concepts and procedures and must be able to communicate financial information clearly and concisely in the courtroom. Likewise, their knowledge of regulatory compliance mandates and financial markets must be solid, in order for procedures to be correctly followed. Forensic accountants will also often need to review contracts, bank statements, accounting records or other data relevant to the investigation, all of which draws on their knowledge of financial crime and internal investigations. The information is reviewed to identify discrepancies or areas of inconsistency that support the case further.

Charlie Batho, a professional forensic accountant at ESA Risk, has shed some light on the ad-hoc nature of the job. “It is a unique form of accounting; each case is different and you can never be sure what you might come up against. There is no textbook guidance to it, each investigation is a one-off experience and every single case is different. When a company requires forensic investigation, it is usually for the first and last time. My job is to follow where the money has gone, usually in cash trails, scoping out how and why it has gone missing and providing answers for my clients.”

Forensic accounting involves working in a variety of areas, for instance in pre-litigation, accounting, complex finance and tax disputes.

Tax disputes

HMRC might start to litigate against an individual who is partaking in tax evasion, so when hired by that individual, the role of the forensic accountant would be to defend them, finding mitigating circumstances and evidence to demonstrate their innocence.

Marital disputes

In the case of a divorce, couples may dispute over the holding of shares. A forensic accountant would handle the financial disagreement and, if the case is taken to court, act as an expert witness. Depending on which side of the dispute they are hired to represent, the forensic accountant would explain the value of the shares and present a case for why their client is owed a certain amount.

Medical cases

In cases where children are born with disabilities or brain injuries, it is the job of a forensic accountant to establish what the ongoing capital award might be for the parents to look after the child for the rest of their life. Additions, such as ramps, shower-railings, disabled access around the house, a 24-hour carer and the annual RPI, must be taken into consideration. Forensic accountants project figures into the future to estimate finances, as well as looking retrospectively.

Fraud cases

In companies there are times accounts might be mishandled, cash goes missing or problems arise in internal accounting. Payroll fraud is an example of this, where employees add fictitious workers to the payroll and direct the money into their own accounts. It is the role of a forensic accountant to uncover and expose this kind of fraud to their clients.

Shareholder disputes

In business valuation, forensic accountants assist with valuing companies in various ways. For instance, two shareholders might each hold 50% of a company and one wants to exit and sell their shares, but there is a disagreement over the price to sell those shares for. Here, the forensic accountant will put together a financial report to support a case stating why the shares are worth more or less than the disputed amount.

Insurance claims

In cases that involve insurers not paying out, for example after a car crash, a forensic accountant would provide information to negotiate the claim. This would involve the worth of the car, comparing dealers’ prices and car policies on mileage.

Audit complaints

If an audit has been incorrectly carried out and auditors have been negligent and misstated accounts or missed a fundamental accounting policy, a forensic accountant would have to prove how the auditors made an error, filing an insolvency case against them. This might be relevant if a company goes bust but the audit was previously signed stating that budgets and cash flows were all in order.

At ESA Risk, we offer expert litigation support and forensic accounting services, available for the consideration of any company or individual that requires assistance with a financial error or dispute.

What can we learn from Emotet?

Although originally intended to be a banking ‘Trojan horse’, Emotet has evolved in many directions through modular Dynamic Link Libraries (DLLs) and constantly updates itself into new versions to evade detection. Emotet was designed to steal sensitive information and personal details by infecting devices with malware that then spreads to other local and linked devices.

“In the current climate it is so fantastic to see a major triumph against such a destructive and parasitic malware such as Emotet which has wreaked havoc and has cost millions in damages over a prolonged period in the international banking sector as it infected numerous devices and stole data and money. It has taken a monumental effort from a number of different countries to achieve this and it’s definitely a step in the right cyber security direction.”

Ali Twidale, Banking & Financial Fraud Consultant at ESA Risk

The malware effectively grows by multiplying itself through a network of devices. Once it gains access to one computer, it has the means to affect many others, acting as a worm. This works via email attachments, malicious links and macro-enabled document files, usually hidden as compressed files that can spread the malware in the form of .doc, .docx and .exe files. The emails are often in regard to updates to financial information or are imitations of emails from popular shipment companies.

The malspam then spreads by ransacking your contacts list and forwarding itself into the inboxes of your friends, family, co-workers and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files. If a connected network is present, Emotet can also spread using lists of common passwords, finding its way onto other connected systems in a brute force attack.

Emotet is also known to arrive embedded in Word documents attached to emails, that run and install malware once the victim enables macros. These are often flagged as important, so that hackers can gain quick access into the intended device. Microsoft Outlook is also used to generate phishing emails from the infected device, continuing the cycle of malware right under the nose of the unsuspecting victim.
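The delivery formats described above (compressed attachments carrying .doc, .docx and .exe files, and Word documents that rely on macros) can be triaged at the mail gateway before a user ever opens them. The following is an added example, not code from the original article or from any product it mentions; the message, file names and finding labels are constructed for illustration, and the OLE macro check is a simple byte-pattern heuristic.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                      # zip archives and OOXML (.docx/.docm)
PE_MAGIC = b"MZ"                               # Windows executables
MAX_DEPTH = 2                                  # how far to descend into nested archives
MAX_MEMBER_BYTES = 20 * 1024 * 1024            # skip members larger than this

def classify(name, data, depth=0):
    """Return (path, finding) pairs for one file, judged by content, not extension."""
    findings = []
    if data.startswith(PE_MAGIC):
        known_exe = name.lower().endswith((".exe", ".dll", ".scr"))
        findings.append((name, "windows-executable" if known_exe
                         else "executable-disguised-by-extension"))
    elif data.startswith(OLE_MAGIC):
        # Heuristic: macro storages appear as UTF-16LE names in the OLE directory.
        markers = ("Macros".encode("utf-16-le"), "VBA".encode("utf-16-le"))
        has_macros = any(m in data for m in markers)
        findings.append((name, "ole-document-with-macros" if has_macros
                         else "ole-document"))
    elif data.startswith(ZIP_MAGIC):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return [(name, "malformed-archive")]
        members = zf.namelist()
        if "[Content_Types].xml" in members:
            # OOXML document: macros live in a vbaProject.bin part.
            if any(m.lower().endswith("vbaproject.bin") for m in members):
                findings.append((name, "ooxml-with-vba-macros"))
            return findings
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Password-protected member: content cannot be inspected here.
                findings.append((path, "encrypted-member-not-inspected"))
            elif depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "not-inspected-limit-reached"))
            else:
                findings.extend(classify(path, zf.read(info), depth + 1))
    return findings

def scan_message(raw_bytes):
    """Parse an RFC 5322 message and classify every attachment."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(classify(name, part.get_payload(decode=True) or b""))
    return findings

def build_sample_message():
    """Constructed sample: harmless stub bytes that only mimic file signatures."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as z:
        z.writestr("invoice_update.docx", macro_doc.getvalue())
        z.writestr("tracking.exe", b"MZ" + b"\x00" * 62)
    ole_stub = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")

    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Updated payment details"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="shipment.zip")
    msg.add_attachment(ole_stub, maintype="application",
                       subtype="msword", filename="statement.doc")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for path, finding in scan_message(build_sample_message()):
        print(f"{finding:35} {path}")
```

A gateway would typically quarantine anything this reports and release it only after manual review, since legitimate macro-enabled documents also match.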

The rapid pace of spread is one of the most dangerous features of Emotet, aiding the success of the malware in data theft and extortion. It is very difficult to erase from an infected computer, as attackers can update malware codes and enable the trojan to replicate itself across systems. It is undetectable by firewalls due to the nature of its encrypted channels, as well as its ability to lie dormant in a device. Emotet can evade detection from security scanners by remaining idle for extended periods of time and adapting into different versions.

The impact of Emotet

The evolving nature of the malware means it serves various functions for hackers. Notoriously, it has been used to steal banking information from individuals and companies but can also attain sensitive corporate information that is often used for ransom in exchange for a financial reward. Emotet is also often sold to other cyber criminals, extending the varieties of malware it can infect systems with.

Lotem Finkelstein of Check Point Software has revealed that Emotet has ‘sent phishing emails with more than 150,000 different subject lines and 100,000 file names for the attachments.’ Emotet campaigns have impacted global industries, including the malware TrickBot and Qbot.

The impact has been enormous, with targets of Emotet including the City of Allentown in Pennsylvania, where the infection cost over $1 million to fix. The malware was initially detected in 2014 and has since enabled cyber attacks on Germany, China and Canada in particular. It tends to hide and then reappear in violent bursts, attacking in thousands of malspam messages at once.

Notable cases of Emotet attacks include that on the city of Frankfurt, whose whole IT network had to be shut down. A similar instance was the attack on Heise Online in May 2019. The German publishing house received the typical email containing an infected Word document requesting access to edit. In turn, the domain controls were compromised, so the company had to shut down IT systems in an attempt to clean out the infection.

Ways to avoid similar malware attacks

Although malware and trojans can often be difficult to detect and remove, there are measures you can take to avoid infection of your devices. First, ensure your device has cyber security systems installed, such as antivirus software and secure VPN. This software should block dangerous emails, but in cases that it does not, be diligent when checking your inbox. Avoid opening suspicious or unlikely messages or clicking on links that have come from an unrecognised source. Ensure your passwords are secure, you are making use of multifactor authentication and that you do not share devices that have confidential information on them with others.

According to ESA Risk’s Graeme McGowan, Cyber Risk & Security Consultant, the best ways to protect yourself from similar malware are:

  1. Keep your computer/endpoints up to date with the latest patches for Microsoft Windows. TrickBot is often delivered as a secondary Emotet payload, and TrickBot relies on the Windows EternalBlue vulnerability to do its dirty work, so patch the vulnerability before the cybercriminals can take advantage of it.
  2. DO NOT download suspicious attachments or click a shady-looking link. Emotet can’t get that initial foothold on your system or network if you avoid those suspect emails.
  3. You can protect yourself by using multi-layered protection. If you suspect your device is infected, isolate it from any connected networks, then proceed to patch and clean the system.

Staying safe on social media

Most social media sites are free to use, and unrestricted access gives way to corrupt users or false accounts. As there is rarely a process of verification of identity, it can feel difficult to stay safe on social media sites. However, with security settings and privacy controls, users are able to monitor who and what they interact with.

Oftentimes people are too personal on social media and overshare details of their private lives. This creates the threat of online criminal activity, as situations like stalking, identity theft or hacking can occur if you do not make use of the safety precautions on social media.

There is also an increased risk of phishing, as criminals can tailor phishing emails just by looking at your social media profiles. For instance, once they know your job and some of your connections on LinkedIn, they can craft phishing emails that include company details or manager’s names to make them sound more believable. By having access to your connections on social media, hackers have information to build up an idea of a company’s employees, to either target certain individuals or identify entry points into company databases.

In cases where attackers cannot directly access company data, nor manipulate employees via phishing emails or contaminated links, they may use social media to identify suppliers and related companies to find a different entryway. This can be done via fake profiles which give hackers access to people’s information, enabling them to spread malware or malicious links. Hackers might also use fake business pages, or fabricated job offers, to lure people in and take their personal data or set up transactions which result in financial information being exchanged, or money being sent.

How to stay safe on social media

Staying safe on social media works differently for each platform: on Facebook, users can alter their privacy settings, making their posts viewable by ‘friends and family only’. You have control over who can see your page and even search for you, as well as the amount of access they have to your friend list, which can be changed to ‘only me’.

Similarly, Instagram allows you to monitor who follows you by setting your account to ‘private’ in your settings. There is also a block feature and ‘remove follower’ feature that means you can revoke users’ access to your page. Location services can also be turned on or off when necessary, so that it is difficult for criminals to locate you or gather information about where you live and work.

On Twitter, there is also the option to remove your location from your tweets. Twitter offers various privacy and security options that protect your account and allow you to be discreet with your personal information. You can manage your contact lists, remove pre-filled contacts and put your account on private so third-party users cannot access your tweets.

LinkedIn is a platform where users can obtain a lot of information about each other, but people are often less cautious, as the site is primarily used for professional networking. Updating where you work, your current projects and places like your education history can be a goldmine for hackers and scammers. As with the other social media platforms, your safety could always be compromised, so it is important to implement security measures to avoid that.

10 tips for staying safe

  1. Never give financial information to anyone over social media.
  2. Research job offers received via LinkedIn, especially if it seems too good to be true or is made up of generic messages or unaffiliated links.
  3. Keep personal information private, such as your phone number and place of residence.
  4. Limit details about your work history online.
  5. Be cautious with who you are connecting with. A lot of people ‘over-friend’ on social media for the sake of networking, but adding strangers is not very safe.
  6. Protect your passwords. In 2012, LinkedIn lost over 100 million users’ passwords and email addresses to the dark web. Many people use the same password for every site, so vary your passwords, make them a mix of both letters and numbers and try to vary them between different social media accounts.
  7. Have a Master Key (a password storage application) to keep all your passwords secure and use ‘LastPass’, an app that helps you keep track of your various passwords.
  8. Set up security answers (this option is available on most social media sites).
  9. Use two-factor authentication (a second barrier of security that verifies your password, for example, by sending a code to your phone number or email).
  10. Use a single sign-on, such as OpenID, which enables you to manage all your social media accounts from one place.

7 ways to avoid data breaches

According to the Ponemon Institute, the accumulated cost to a company from a data breach is $3.86 million on average. Hackers may blackmail companies with threats to leak private data by holding information hostage and demanding a ransom. Data breaches are thereby invasive and extremely costly, both financially and in terms of the damage they can have on a company’s reputation.

Stolen data could include:

  • Financial information – including bank details and investment details.
  • Personal Health Information (PHI) – medical data, details on health conditions, prescriptions and treatments.
  • Personally Identifiable Information (PII) – contact information, education, workplace, birth dates and other personal details.
  • Corporate information – details of contracts, trade secrets, business plans and marketing information.
  • IT data – system structure, encryption keys, passwords and usernames.
  • Legal information – information on court cases, acquisition details and regulatory rulings.

This data can then be sold or used for fraud and identity theft. Hackers tend to sell stolen information on the dark web, like in April 2020 when Facebook was breached, leaking the identities of 267 million users. Although passwords were not included, the hacker stole names, email addresses, dates of birth and phone numbers, all information that could be used to target the users by phishing.

Similarly, in May 2014, eBay experienced a data breach that impacted 145 million users. The attacker used three employees’ details to break in and for 229 days accessed names, addresses, dates of birth and encrypted passwords. Although credit card information remained safe, customers were required to renew their passwords and in turn, eBay’s client confidentiality was affected.

An instance of a medical breach was the NHS Highland data breach, where almost 300 patients’ details were sent to members of the public. This included contact details, dates of birth and the name of their clinic.

Breaches often occur through cyber attacks, weak passwords, malware attacks from infected emails, drive-by downloads from compromised webpages, payment card fraud and theft of office computers. They can also occur by human error through accidental insider leaks, as well as intentional disclosure by employees with access to confidential data and systems.

Attackers can use employees as their way into an organisation’s information. They usually exploit weak systems by researching the company’s infrastructure to find loopholes, or target employees by analysing their social media and constructing emails that can trick that employee into clicking on infected links or following phishing messages. Fraudsters also make use of phone numbers by making phone calls asking for card details, pretending to be a bank employee or a service provider. So, how do you avoid a data breach and protect your sensitive information?

How to avoid a data breach

Remember that banks and regular corporations never ask for personal information over the phone or on email. Look out for correspondence that asks you to reset your password, receive compensation or tells you to act immediately to recover funds.

Ensure that:

There are now laws for companies to inform customers if they have had a data breach, in case personal information has been compromised. To avoid this happening in the first place, get good defences in place and be alert.

Risk management: 5 areas you should be focusing on

As risk cannot be eliminated in its entirety, the question is how to deal with the issue effectively without putting the business and its managers in a straitjacket. Risks must be identified, evaluated and controlled to allow the business to function and grow.

The purpose of effective risk management is to enable the company to prepare for foreseen risks that may materialise and take steps to prepare for such events by putting in place the best systems to reduce or minimise the risk to manageable levels.

A sound strategy should not compromise the company’s appetite to take risks or engage in a risky venture. On the contrary, it will enable better decision making within a company that is alive to the risks involved in its operation and armed with a strategy of mitigation.

There are 5 principal areas to consider:

1. Avoidable risk

These include risks that can be controlled from within the organisation, such as employee unauthorised acts or failures to abide by company procedures. Such risk ought to be avoided by a compliance-based approach, such as background checks during the recruitment process and double-signature requirements when dealing with invoices or cheques.

Also, injury in the workplace can cause losses to productivity, so health and safety procedures and training must be in place.

2. Strategic risk

Any company must assume certain risks to be able to generate returns from its business strategy. Such risk is not inherently undesirable but cannot be managed through a rules-based process. Instead, you need a risk management programme to reduce the likelihood of risk materialising and mitigate its effects should it occur.

In order to maintain financial processes within a company, consistent accounting procedures should be put into place to monitor accounts and track cash flow.

3. External risk

There are many risks outside the company’s control or sphere of influence, such as natural disasters or a pandemic. These require another approach to identify them and devise a mitigation strategy.

For instance, environmental risks such as fires, floods or power outages can be prepared for by carrying out maintenance check-ups and safety inspections, putting fire escape procedures into place, and training staff.

As the world evolves, the workplace must adapt along with it, so regularly monitoring risk management strategies is imperative in keeping systems relevant and ready to face external risks.

4. Technological risks

Areas to focus on must now include the company’s IT systems, as all companies rely heavily on digitised systems to enable them to do business. Threats include data breaches, cyber risks and outages that threaten the very existence of the company. Any risk management plan must therefore include the IT systems to spot and control the risks to digital assets, including digital and non-digital backups and keeping company computers up-to-date.

With a well thought-out programme of analysing the threats and risks to the business IT infrastructure, the company will be able to prevent IT disasters before they happen. Although an insurance policy can act to transfer risk, it treats the symptom not the cause; money cannot recover lost data or repair the damage to a company’s reputation.

No company – however small – should operate without a disaster recovery plan and cost-effective means of protecting data from potentially catastrophic loss as part of its overall risk strategy.

5. Third-party risks

When outsourcing IT to third-party providers, there is the risk of those providers not being compliant or having appropriate security standards. Giving outsiders access to your systems introduces the risk of intellectual property theft, network intrusion and more.

Third-party risks can be combatted by conducting risk assessments and audits to screen third-party distributors and suppliers. Monitoring is an important part of due diligence, alongside in-depth inspections into the companies you are working with.

The benefits of a robust risk management programme

The creation of a safe and secure working environment has multiple benefits. A dependable health and safety policy followed in practice creates an engaged workforce that is less likely to be absent and with lower turnover of staff. Fewer avoidable accidents also mean reductions in costs of claims, legal action and insurance premiums. Healthier and happier employees are better motivated which in turn improves productivity.

The advantages of having a solid risk management strategy serve to improve the stability of the business and protect its operations from events detrimental to its interests. Guarding against the risks identified by the implementation of the policy will provide the company with a competitive edge. A company with a robust risk policy is a more resilient, better-run company.

A solid risk management framework forms an essential part of meeting a company’s wider environmental, social and governance responsibilities, thereby enhancing the business’ reputation for corporate responsibility among investors, customers and the community in which it operates.

Fraud prevention in 5 steps

With financial criminals working in a fast-paced, digital environment, the number of commercial fraud cases soared in 2020, totalling over £220 million in London and South East England alone, as shown in KPMG reports. The Crime Survey for England and Wales estimated a 15% increase to £3,863,000 lost by offences in the same year.

Alongside the financial dent of fraud on businesses is the risk it poses to the reputation and confidentiality of your organisation. But this can be avoided by following these 5 straightforward steps that will help you take control of the risk of fraud.

Fraud prevention steps

1. Know your staff

Be vigilant when hiring employees – conduct background checks, consider social media accounts, run credit reports and enforce employee policies. Employees may abuse their access to sensitive information or bank details, but safeguards as simple as a DBS check and review of prior job references can help you avoid potentially damaging hires. Other preventative techniques include mandatory holiday time off, job rotation and creating a hotline for whistleblowers. Furthermore, hold fraud training sessions for both online and offline security threats, as well as training in the proper handling of confidential data.

2. Keep records

Keep a record of transactions, financial details and arrangements with external suppliers. Ensure there is data stored on the company finances, and that payment amounts match invoices. Make sure you are aware of all paper documents to avoid information getting into the wrong hands. Mail, credit card information and cheques need to be securely stored and printed financial statements or sensitive papers should either be shredded or safely recorded. Ensure you have a record of all transactions, in case you have paid for fraudulent services or have received incorrect details.

3. Monitor analytics

Conduct random audits to ensure your balances, income statements and cash flow are all in order. Monitor accounts using advanced analytics for a full view of any vulnerabilities within your organisation; these ensure detection of preliminary signs of fraud. By making use of the right technology and IT systems, you are more likely to pick up fraudulent activity in its early stages, rather than waiting for human detection, which allows the rate of fraud to exponentially increase over time. Monitoring systems enable your organisation to stop the multiplication effect of fraud before it grows into a larger financial loss. They detect and flag up the anomalies and inconsistencies that point towards fraudulent activity early enough to save you from losing more money.
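One concrete form such monitoring can take, tied to the payroll fraud described earlier on this page (fictitious workers whose pay is directed into an insider's own account), is a check for bank accounts that receive pay for more than one employee ID or for IDs with no HR record. This is an added example, not code from the original article or from ESA Risk; the payroll rows, column names and HR roster are constructed and assumed.

```python
import csv
import io
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample payroll export (not real data); column names are assumptions.
PAYROLL_CSV = """employee_id,name,sort_code,account_number,net_pay
E001,A. Patel,20-00-01,12345678,2100.00
E002,B. Jones,20-00-02,87654321,1950.50
E003,C. Smith,200002,8765 4321,1800.00
E004,D. Brown,20-00-03,11223344,2000.00
E005,E. Green,20-00-02,87654321,1750.00
"""

# Employee IDs backed by a verified HR file (assumed to come from a separate system).
HR_ROSTER = {"E001", "E002", "E004"}

def account_key(sort_code, account_number):
    """Normalise formatting so '20-00-02' / '8765 4321' matches '200002' / '87654321'."""
    return re.sub(r"\D", "", sort_code) + "-" + re.sub(r"\D", "", account_number)

def find_payroll_anomalies(payroll_csv, hr_roster):
    """Report accounts paid for several employee IDs or for IDs with no HR record."""
    by_account = defaultdict(list)
    for row in csv.DictReader(io.StringIO(payroll_csv)):
        key = account_key(row["sort_code"], row["account_number"])
        by_account[key].append(row)

    report = []
    for account, rows in sorted(by_account.items()):
        ids = sorted({r["employee_id"] for r in rows})
        unverified = [i for i in ids if i not in hr_roster]
        if len(ids) < 2 and not unverified:
            continue  # one verified employee per account: nothing to flag
        report.append({
            "account": account,
            # A verified employee sharing the account is the likely beneficiary.
            "verified_on_same_account": [i for i in ids if i in hr_roster],
            "unverified": unverified,
            "unverified_net_pay": sum(
                (Decimal(r["net_pay"]) for r in rows
                 if r["employee_id"] in unverified),
                Decimal("0"),
            ),
        })
    return report

if __name__ == "__main__":
    for entry in find_payroll_anomalies(PAYROLL_CSV, HR_ROSTER):
        print(entry)
```

Normalising the account details matters because the same account entered with different spacing or hyphens would otherwise be counted as two.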

4. IT Protection

Your digital information is most at risk from hackers and online fraudsters, so ensure company computers are secured with firewalls, anti-virus and malware detection software. Internet controls are also vital, and you should avoid entering personal passwords or payment methods into public computers.

Documents are at a high risk of being accessed through data breaches, or by malware and ransomware. To avoid this, install cyber security services or sign up to Anti-Money Laundering schemes. SARs (Suspicious Activity Reports) are also highly efficient in recognising fraud. Make sure you are updated on regulatory developments in places you operate, whether that be the UK or globally, so that your SARs remain relevant to the current jurisdictions.

5. Get help from partners

Risk management organisations can help you assess and mitigate fraud risks, and work towards fraud prevention. ESA Risk’s consultants include specialist fraud examiners, such as Lloydette Bai-Marrow, a former principal investigative lawyer with the UK Government’s Serious Fraud Office (SFO). Lloydette recommends companies remain diligent and aware of the risks of fraud, especially in light of the Covid-19 pandemic: “Business owners must be militant in evaluating risk assessment and profiling their employees; those that are vulnerable and may feel justified to commit fraud, and those that are working from home without any enforced security.”

While investing in technology is important, so is making best use of your workforce. ESA Risk can work alongside your compliance and intelligence teams and help strengthen the resilience and experience of your employees through training and consultancy. Mitigation works by combining and investing in IT and human resources to maximise security and awareness of fraud.

Financial due diligence

“Due diligence is a strategy to reduce the risk of failure”

– Herrington J. Bryce, Nonprofit Times

By conducting research into a business, or stock, or investment, individuals can confirm basic information and evaluate the potential of their investment before completely committing to it.

Financial due diligence may include the following:

  • Reviews of financial records, including cash flow generations and capital expenditure.
  • Asset examination.
  • Analysis of financial risks.
  • Financial projections.
  • Information on management and current policies.
  • Potential liabilities and risks to cash flow post-transaction.
  • Company valuation range estimation.

It is also beneficial for sellers to conduct their own due diligence before meeting with buyers, so they can be prepared for the examination and increase the likelihood of making a successful transaction. There may be accounting discrepancies, or conflicts over intellectual property rights, for instance, that can hinder or halt the selling process. Vendor due diligence thereby enables companies seeking investment to provide a detailed report of everything an investor needs to know, reducing the likelihood of price negotiations if the buyer finds flaws in the business through their own due diligence.

For investors, due diligence provides security when it comes to the transaction process. Buying shares, investing in a company, or buying it out, requires knowing about what you are getting into. The acquisition process often involves detailed due diligence to ensure that the buyer is comfortable with the financial agreement they are entering.

It involves an analysis of taxes, working capital requirements, historical financial performance and forecasts, all of which should be addressed before payment is made. Financial due diligence can be used to estimate a valuation range of the target business, which can be compared to the heads of terms negotiated between the buyer and the seller prior to due diligence. This can provide comfort to the potential buyer that the price they intend to pay appears reasonable.

Financial due diligence requires cooperation between both parties and transparency in providing the right information. Experts are often needed to check financial accounts or taxation, to ensure financial risk areas are investigated thoroughly. Any risks found may be advised on and can lead to negotiations on the buying price, which can influence the process of acquisition.

When investing in new companies, for instance, experts must look at various factors such as a company’s net income and trends in profits, volatility in revenue streams, target market size and the total valuation of the company. It is also important to analyse competition within the industry, aligning company profits against those of competitors. Due diligence can help compare the finances of various companies within an industry to determine which is most successful and predict the direction the entire industry is going in.

Looking into the management is also useful in determining levels of expertise and experience in a company. If a company’s management to shareholder ratio is low, there may be reason to be cautious. Shareholders tend to be best served when managers or company directors have also invested in stock performance. Company debt is also something to look out for, especially in comparison to other businesses in the same industry.

Investors should remember that it is better to be cautious than overly optimistic, in order to make careful and informed decisions about where to place their money. Having an exit strategy is also useful when going into business with a company that has not performed well on their due diligence. Even for companies that performed well, past performance does not guarantee future financial stability, so it is better to invest in stocks that are not volatile, or businesses that are not at risk of a sudden decline.

Long-term and short-term financial goals can be forecast by undertaking due diligence on a company, monitoring whether cash flows have been steady, the pattern of profit margins and whether said company plans on issuing more shares. By making sure you know specific risks to the assets you plan on investing in or buying, you can prevent regulatory or legal issues from arising in the future. It reduces the risk of unexpected surprises post-transaction and enables you as a buyer to implement future strategies.

Financial due diligence is thereby vital in ensuring that both parties involved in a transaction are holding the same information regarding the assets being sold. It helps to reduce risk and assure buyers that they are investing their money wisely. By identifying both strengths and flaws, investors are given a holistic account of their investment and can make a fully informed decision thereafter.

Cyber fraud and ‘persons unknown’

Unknown individuals had hacked into CMOC’s systems and sent forged payment instructions to CMOC’s bank, resulting in the fraudulent diversion of millions of pounds into bank accounts held at a large number of international and overseas banks, operating across multiple jurisdictions.

CMOC v Persons Unknown [2018] EWHC 2230 (Comm) is a landmark case because it is the first time in England and Wales that the High Court has granted a worldwide freezing injunction against alleged anonymous perpetrators in a case involving cyber fraud. Up until this point, injunctions against ‘persons unknown’ had rarely been granted and even then only for cases like online libel.

According to the Law Gazette’s coverage of the ruling, the High Court’s injunction ultimately required 35 international and overseas banks in at least 19 jurisdictions to freeze the assets of the individuals and the alleged stolen funds, and to reveal the identity of the alleged fraudsters as well as the details of any onward transfers.

At trial, the High Court ordered the repayment of the stolen money and awarded damages of around £7m; enforcement action subsequently ensued.

Philip Young, partner at dispute resolution firm Cooke, Young & Keidan (CYK), had advised CMOC on its legal action and told the court that cyber threats were growing in sophistication, with billions of pounds being lost each year.

What corporate victims needed, he said, was a means to fight back. Never before granted in cyber fraud cases like this, the ‘persons unknown’ jurisdiction is a tool that English civil courts have in their toolbox to pursue the alleged perpetrators and, potentially, resolve disputes globally.

Speaking to ESA Risk, Young says that the claimant’s overriding aim was not only the worldwide freezing injunction but the related disclosure orders, which required the banks to say who the purported customers of the accounts were and to hand over documents to show what the account holders had done with the stolen money.

“It is ‘persons unknown’ until you know who they are and then you start naming them and bringing them in as defendants, which is what we did,” he says.

This approach enabled his team to pursue the alleged fraudsters, and, as required, issue domestic orders in the courts of overseas jurisdictions to recover some of the losses.

For reasons of client confidentiality, Young says it is not possible to disclose how much CMOC recovered after the ruling. However, he does disclose that, even after the legal costs were taken into account, CMOC came out with a substantial recovery, with the recovered sums being more than enough to justify the litigation using the ‘persons unknown’ jurisdiction.

Since this landmark ruling, Young notes that the use of ‘persons unknown’ jurisdiction for cyber fraud has been adopted as an approach by the courts in Hong Kong and Malaysia, both of which have seen cases to test the legal waters, relying on the English judgment as precedent.

Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant at ESA Risk, believes the ruling may be the start of a trend, which could result in more commercial courts being willing to grant these types of freezing injunctions.

She says that CMOC v Persons Unknown [2018] EWHC 2230 (Comm) is significant because it shows that the courts are starting to wrestle with this issue, adding that the courts recognise that the world is changing, and that the legal landscape needs to be agile enough to respond.

“The way these freezing orders work is that they open a further avenue of recompense for those who have been the victims of fraud,” she says.

However, she doesn’t believe that in the UK the “floodgates” will open. The judiciary, she believes, will still approach worldwide freezing injunctions with a great deal of caution, in part because they are not easy to enforce.

“There are challenges in terms of enforceability and in terms of what seems like the transfer of investigative responsibility over to the banks and other institutions deemed to be responsible for complying with the order,” she explains.

It’s also important to remember that, although a freezing injunction places a responsibility on banks to act and freeze the money, making an application to the courts to apply for one is not a quick process.

Bai-Marrow warns that businesses need to be mindful that there are limitations in the speed it takes to secure one, which can then be enforced or served on parties to enforce. This is especially important to bear in mind because when fraud is involved, targeted businesses need to move quickly to minimise their losses.

Mike Wright, Risk Management and Investigations Consultant at ESA Risk, concurs. He says that when fraudsters move stolen money into overseas bank accounts, it can be channelled into other accounts instantaneously. Chasing the money can be like chasing your tail.

“If fraudsters get a sniff that someone is after a freezing order, they can move the money into three different continents in 15 minutes,” he warns.

Should the alleged fraudsters pour the stolen money into assets, this can be traced more easily, he adds.

“It’s a lot harder and a lot slower to move assets and there is also a trail,” he says. “Even if someone has sold a property or transferred it into their spouse’s name, you can still go after it.”

However, like the worldwide freezing order on bank accounts, the difficulty in freezing assets is that some overseas jurisdictions will have no compulsion to co-operate.

Even before the pandemic struck in early 2020, cyber fraudsters were upping their game, employing ever more ingenious and ruthless measures to defraud businesses.

In recent years, business email compromise schemes (BECs) like the one used in the CMOC v Persons Unknown [2018] EWHC 2230 (Comm) case have increased in prevalence globally, says Bai-Marrow.

“The fraudsters will be watching the flow of information between two parties and will then identify potential transactions that could then be used to divert money from the business into their own accounts,” she explains.

“They will then replicate an email that appears to have come directly from the business they intend to defraud or the other parties. As they’ve seen the pattern of information, they’ll know who to say they are to the recipient.”

What Covid-19 has done is create the perfect conditions for fraudsters to prey on vulnerable businesses, whether they are high-profile operations or small enterprises.

Graeme McGowan, Cyber Risk & Security Consultant at ESA Risk, notes that one development that has worked to the fraudster’s advantage is the move to remote working.

“You’ve got people who are in senior positions in banks working at home on the laptop or PC, accessing the corporate system. It’s a recipe for disaster,” he warns. “At the moment, it’s a hacker’s and criminal’s playground with lockdown.”

Taking into consideration the very serious and growing threat that cyber fraud poses to businesses of all sizes, the practical considerations involved in applying for a worldwide freezing order, and the difficulty in enforcing it effectively, what is the best course of action for businesses to take?

Arguably, the most effective safeguard against cyber fraud is prevention. BECs and other types of fraud occur because there are vulnerabilities in IT systems and staff may not be sufficiently trained to identify scams. Bai-Marrow says that businesses should adopt a two-part approach.

“Strengthen your cyber defences and ensure you’ve invested in all the relevant online protection tools but also ensure the individuals in the key areas of your business who are most susceptible to being a victim of a scheme like this are effectively trained to recognise the warning signs,” she explains.

“Even with BECs, before they proceed with paying that money out, call the company up and just double check, have a process in place, and review your procedures when it comes to how your business pays out funds.

“For example, if a vendor you are using changes its details, have a process in place that that bank account must be verified. Processes can be tedious and boring but they are absolutely the right thing in order to protect your business. So, for example, if you notify us of a change of bank account, it will take us seven days to change that. In that time, we will verify that bank account with the intended recipient through a variety of means to ensure authenticity.”
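The hold-and-verify process described in the quote above can be enforced in the payment workflow itself. The sketch below is an added example, not code from the article or from ESA Risk; the vendor record, account labels and the rule that “a variety of means” requires at least two independent checks are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HOLD = timedelta(days=7)   # hold period given in the quote above
REQUIRED_METHODS = 2       # assumption: "a variety of means" read as at least two


@dataclass
class ChangeRequest:
    new_account: str
    received_at: datetime
    channel: str                       # how the request arrived, e.g. "email"
    verified_by: set = field(default_factory=set)


@dataclass
class Vendor:
    name: str
    account: str                       # account currently approved for payment
    contacts_on_file: dict             # method -> contact detail held before the request
    pending: Optional[ChangeRequest] = None


def request_change(vendor, new_account, received_at, channel):
    """Park the new details; payments keep going to the approved account."""
    vendor.pending = ChangeRequest(new_account, received_at, channel)


def record_verification(vendor, method, contact_used):
    """Count a check only if it used a contact already on file and a channel
    other than the one the request arrived on. Returns True if it counted."""
    req = vendor.pending
    if req is None or method == req.channel:
        return False
    if vendor.contacts_on_file.get(method) != contact_used:
        return False                   # e.g. a phone number taken from the request itself
    req.verified_by.add(method)
    return True


def approved_account(vendor, now):
    """Promote the pending account once the hold has elapsed and enough
    independent checks are recorded; return the account to pay at `now`."""
    req = vendor.pending
    if (req and now - req.received_at >= HOLD
            and len(req.verified_by) >= REQUIRED_METHODS):
        vendor.account, vendor.pending = req.new_account, None
    return vendor.account


def screen_payment(vendor, destination, now):
    """Decide whether a payment instruction may be released."""
    if destination == approved_account(vendor, now):
        return "release"
    if vendor.pending and destination == vendor.pending.new_account:
        return "hold: change not yet verified"
    return "reject: unknown account"


if __name__ == "__main__":
    # Constructed sample data.
    t0 = datetime(2021, 3, 1, 9, 0)
    v = Vendor("Constructed Supplier Ltd", "ACCT-OLD",
               {"phone": "+44 0000 000001", "post": "1 Example Street"})
    request_change(v, "ACCT-NEW", t0, "email")
    print(screen_payment(v, "ACCT-NEW", t0 + timedelta(hours=1)))
```

The callback only counts when it goes to the number held before the request arrived, because a forged change notice can supply its own phone number.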

It’s also about training staff in important, albeit vulnerable, positions, she says. “Don’t just click on an email response and not check who the email is really from. There are things that companies can do to sensitise their staff, especially those in critical roles, to ensure they don’t inadvertently become facilitators of fraud.”

McGowan has written extensively about the growing sophistication in cyber crimes, including providing practical steps on how best to enhance security on business and personal accounts.

He argues that IT system improvement is a priority, not just as a deterrence against hackers but also to minimise the risk that regulators will potentially impose a fine on a business for failing to protect its clients’ confidentiality.

“You need to have a full structured IT assessment done, checking out all of your policies and procedures, including ISO 27001,” he argues.

“If you’ve got everything in place and you’ve got a good training regime in place, accidents will still happen because hackers are clever at what they do. However, if you do get hacked, GDPR comes in and the ISO won’t fine you because you’ve taken the necessary steps.”

With the move to remote working, McGowan also argues that businesses must tighten up their employees’ home security. One option is a firewall, which sits between the router and IT devices. It monitors all incoming and outgoing traffic and prevents any malicious activity.

“A lot of people probably don’t want to do that but they don’t understand that it is a good solution,” he says.

“You need some means of monitoring incoming and outgoing traffic. You need up to date security software to protect you. You need to be working possibly through a VPN [virtual private network] 100% of the time.”

McGowan also warns about the huge increase in the use of ‘deepfakes’, a type of identity fraud that leverages artificial intelligence to create convincing fake images, videos and voice recordings.

Although deepfakes are not a new threat, this type of fraud is becoming increasingly convincing and difficult to identify, he says.

McGowan admits that the chances of a fraudster using a deepfake to impersonate a CEO in a financial institution to extract funds are slim, but there has been at least one case involving a less sophisticated approach.

“In October 2019, it was reported that a top executive in a UK-based energy company had been duped into transferring £200,000 to cyber fraudsters,” he says.

“The perpetrators used AI voice technology to mimic the executive’s boss, who was based at the German HQ. The executive was instructed to move the funds immediately to a Hungarian bank account and was told they would be returned later. They never were.”

In most fraud cases, it is rare for businesses to retrieve the stolen money. Often businesses will chalk up the loss and move on, says Bai-Marrow. This is because it’s more damaging to their reputations to come out publicly and declare the financial loss.

Fraudsters know this and may even be encouraged to hack into systems because they are confident they will not be pursued. What’s more, they recognise that speed of response is critical, so preventative steps are undoubtedly the best protection to minimise any financial losses and protect reputations.

One of the services that ESA Risk will be looking to offer clients in the future is a blockchain fraud software solution, says McGowan.

“This allows us to not just identify the chain of what might have happened, it allows us to get inside the details and that would allow us to advise the banks.”

Cases of fraud in the pandemic

Cases of fraud reached a concerning high during the Covid-19 pandemic. Various types of fraud have been committed via false phone calls, emails, text messages or in-person visits. Healthcare fraud, in particular, has risen in light of the development of coronavirus vaccines, as individuals have attempted to sell a false vaccine by impersonating NHS officials and visiting in person to administer it. Not only is this fraudulent, but it also potentially endangers people’s health, as does the selling of fake Covid-19 tests, defective surgical masks and medical supplies.

Social media is another medium used to commit fraud, especially through clickbait and the sale of misbranded products. The national lockdown has meant more people are shopping online, which has opened the door to more cases of retail fraud and false selling on Instagram and other websites. Action Fraud has reported that over 16,352 online shoppers have fallen victim to fraud since the pandemic started, alongside the vast number of people who have been lured by fake online auctions and false online advertising of trading and investing schemes that are unwittingly promoted by celebrities on social media.

The changing restrictions on travel have also given way to instances of fraud that involve bogus refund offers and travel deals. Individuals have been stealing personal information and banking details through these scams, leaving many people seeking bank refunds and filing online reports to get their money back.

One example of a Covid-related scam was a text message claiming to offer government refunds as a response to the pandemic, reading ‘UKGOV: You are eligible for a Tax Refund as a result of the Covid-19 pandemic. Please fill out the following form so that we can process your refund.’

Further example cases of fraud in the pandemic include:

  1. Criminals sending fake emails designed to look like they are from government departments offering grants of up to £7,500. The emails contain links which steal personal and financial information from victims.
  2. Fraudsters sending scam emails which offer access to ‘Covid-19 relief funds’ encouraging victims to fill in a form with their personal information.
  3. Criminals targeting people with official-looking emails offering a ‘council tax reduction’. These emails, which use government branding, contain links which lead to a fake government website which is used to access personal and financial information.
  4. Fraudsters preying on benefit recipients, offering to help apply for Universal Credit, while taking some of the payment as an advance for their “services”.
  5. Criminals sending phishing emails and links that impersonate the NHS Track and Trace system, claiming that the recipient has been in contact with someone diagnosed with Covid-19. These lead to fake websites that are used to steal personal and financial information or infect devices with malware.

How to avoid being targeted

Be mindful of the vendors you trust and buy from. Scammers are selling unapproved products that claim to treat or prevent Covid-19. Offers to purchase Covid-19 vaccination cards are scams, as these can only be obtained through legitimate providers. If a company or individual is asking for an image of your vaccination card for ‘proof’ of something, do not share it, as this is how they commit identity fraud.

Be diligent on the phone. Official suppliers will not be calling around offering Covid tests or medical supplies. Furthermore, the government will not be offering payment schemes to move you to the front of the queue for a vaccine, or require personal information in order for you to receive the Covid-19 vaccine, so beware of fraudulent phone calls in relation to this. Any caller that is asking for your personal information, medical history or banking details should not be trusted without due diligence checks.

Be wary of email hyperlinks or text messages from unknown senders related to Covid-19. Fraudsters may send false offers advertising Covid-19 testing, so make sure that any appointments made are at an official testing site. Scammers might also pretend to be contact tracers; remember that legitimate tracers won’t ask for personal information.

Further steps to take to avoid Covid-19 related fraud

  • Only share personal health information with known medical professionals.
  • Be wary about work from home scams and ‘opportunities’ circulating on social media.
  • Don’t respond to robocalls that are selling medical supplies, or companies that are demanding advance payments.
  • Be mindful of fraudulent emails asking for donations to healthcare, or any unexpected communications that require you to enter your bank details and contribute money.
  • Be mindful that some ‘free’ healthcare offers will ask for your personal information and then use it for fraudulent purposes. Don’t give out personal details unless it is to a trusted source.
  • Hyperlinks related to healthcare services might be infected with malware or viruses that can infect or hack your computer. You can check links by using ‘Scan URL’ or using a secure browser such as Norton Safe Web.
  • Be aware of government imposter schemes and campaigns that are offering pandemic relief money or refunds.

Covid-19 vaccines are free, so any requirements to pay for one are a scam and should be avoided at all costs. There are fraudulent ‘vaccines’ going around via a text message that reads ‘we have identified that you are eligible to apply for your vaccine’ with a link to a fake NHS page which asks for bank details.

If you think you have been contacted by an unreliable party, run the ‘scam’ test:

  • ‘S’: seems too good to be true
  • ‘C’: contacted out of the blue
  • ‘A’: asked for personal details
  • ‘M’: money is requested

Working from home and cyber threats: Keeping your company safe

Most companies are using remote working on a much larger scale than ever before, meaning they have had to implement new rules and improvements in technology to maintain productivity, staff wellbeing and information security, and to ensure that working from home is safe from cyber threats.

There are many reasons data breaches are more likely to occur while working remotely. For instance, the lack of supervision can result in employee apathy. Remote workers are less aware of cyber security, using insecure Wi-Fi networks or personal laptops that may have malware or ransomware that can then infiltrate the company network. Working from home also introduces the issue of family members sharing the same PC, or employees adding home printers to the office network and using external USB drives on office computers. This consequently puts company data at risk of being leaked, unless the necessary technological safeguards are put in place to prevent it.

Furthermore, cyber criminality is on the rise, with hackers taking every possible opportunity to steal company or personal information. The main methods used are fake warnings on social media and pop-up links on websites that urge users to click on them. Fraudulent emails containing similar malicious links are also used to spread viruses that can infect or damage your files, so it is important to be aware of what is on your screen and in your inbox.

Solutions

1. Education

Staff must be educated on the risks of viruses, phishing or cyber attacks. Whether these come in the form of online updates, scam emails or phishing links, workers should be trained to recognise suspicious activity and filter it out. It is important to note that sudden, urgent situations that require immediate action, such as being asked to update your bank details, are to be approached with caution and that workers should be mindful at all times. Ensure that security guidelines are clear, so that workers are briefed with the necessary knowledge to avoid cyber fraud. This might include paying attention to spelling and grammar mistakes in emails or noticing unsolicited attachments. Email domains that replicate genuine business email domains to appear credible, as well as URLs made to look like an already established URL, are also signifiers of fraudulent correspondence.

2. Passwords

Password control plays an important role in managing the potential risks of remote working. Using password screens with strong, two-factor authentication is recommended and employees should avoid writing passwords down, keeping them out of sight of other people. Password protection prevents third parties from accessing confidential files, so companies should ensure maximum protection with passwords that are at least 12 characters and include uppercase and lowercase letters, numbers and symbols, as advised by the Federal Trade Commission.

3. VPN

A VPN (Virtual Private Network) enables a secure connection to another network, over the internet. It ensures protection of private information by routing traffic through the VPN server, encrypting the connection and hiding your IP address in the process. This provides anonymity from hackers, enabling safe and private browsing online. My recommendation is to invest in Firewalla – a cyber security firewall that alerts you to and protects you from cyber threats at home. It ensures that all your connected devices become part of a virtual protective network that you can see and manage from a control centre. It is also important to use protected browsers, such as Firefox or private browsing pages to avoid your data being monitored and collected by hackers.

4. Antivirus

Viruses are one of the biggest threats to businesses operating online. These arrive in the form of spyware, malware, zero-day attacks, trojans and phishing scams. Whether employees are using their own computer at home or company property, they must have antivirus software installed, from a reputable supplier such as Bitdefender, Kaspersky or Norton, and ensure it stays up to date. Antivirus software creates a firewall against viruses and alerts you when you are visiting sites that are potentially malicious. It conducts regular vulnerability scans and checks that filter out threats to your data while detecting any irregular activity. Antivirus is paramount in privacy protection, both for business and at home.

5. Shared storage

In case of attacks or breaches of company information, it is useful to keep centralised storage so that lost files can easily be recovered. Keeping data in shared storage with cloud-based backups lessens the likelihood of irrecoverable losses. The shared storage should have a firewall installed to protect all documents within it, with regular security measures taken to ensure that confidential data is safe. If a malicious third party finds a security hole in one of these cloud-based services, a lot of information is simultaneously at risk, so make sure to add extra security through encrypted cloud storage.

Deep dive for the answers you need
Or contact us on +44 (0)343 515 8686 or at advice@esarisk.com.
