Duty of directors – a stark reminder

Cristina Angelica Tasca, from Arbroath, has been banned “from directly or indirectly becoming involved in the promotion, formation or management of a company without the permission of the court” after failing to produce company accounts or records during the liquidation of her Angel Tas Limited construction business.

The 27-year-old was unable to explain more than £716,000 of expenditure, which included £16,000 of cash withdrawals from her company’s bank account, according to a press release from the Insolvency Service.

Liquidators were called in following a winding-up petition from the UK’s tax authorities, after Ms Tasca failed to make obligatory tax payments from 2019 and further failed “to respond to repeated requests for payment”. The liquidators made “numerous requests” to see Angel Tas Limited’s company accounts and records, but Ms Tasca was unable to provide either. As a result, it was impossible to identify the purpose of expenses totalling over £716,000. In addition, liquidators could not “confirm whether the receipts of nearly £700,000 were a true representation of all the company’s sales”.

Ms Tasca’s case was heard in Forfar Sheriff Court on 7th July 2021, following an investigation by the Insolvency Service. The hearing led to the construction boss – whose company specialised in plastering and rendering – being disqualified for 7 years, effective from 27th July 2021.

Such cases act as a stark reminder of the duty of directors, and a warning of the consequences when duties are not upheld. “All directors have a duty to ensure their companies maintain proper accounting records”, commented the Insolvency Service’s Chief Investigator, Rob Clarke, in relation to Ms Tasca’s disqualification. “This includes delivering them to the office-holder in the event of an insolvency.” He referred to the director’s lack of record keeping as a potential “cloak for impropriety”.

A disqualification order is strict and wide-ranging. As well as placing a ban on holding a directorship, disqualification “stops you acting as if you were a director”. The order cannot be avoided through a change of job title/description, nor by instructing other people in the running of a company. In Ms Tasca’s case, her company was incorporated in Scotland, but her disqualification applies across the UK and to businesses with a “sufficient connection” to the UK.

Do you need support with your company accounts?

If you need advice about or support with your company’s accounts and records, ESA Risk can help. Our Consulting and Risk Management teams include experienced chartered accountants, business managers and advisors. ESA Risk consultant Kevin Bennett has held in-house and consultancy positions in a wide range of industries. He specialises in all matters of accounting, including book-keeping and corporation and personal tax returns. Contact Kevin today for the advice and support you need.

Did Prince Andrew see chalk dust?

On 26th August 2021, a process server attempted to serve legal papers on Prince Andrew, Duke of York. The case began when Virginia Giuffre took legal action against the prince for an alleged sexual assault when she was a teenager. However, the process server was turned away and the papers were not accepted on behalf of Prince Andrew, who has previously denied the allegations against him.

Since “Prince Andrew’s security had been told not to allow anyone onto the property to serve court documents”, the papers could not be served on him in person. Instead, upon returning to the address for a second time, the process server left the documents with a police officer at the main gates of Prince Andrew’s residence, The Royal Lodge.

Was this good service?

BBC News has stated claims from the prince’s legal team that, since the legal proceedings are to take place in New York, the British legal procedures “require that a valid request for assistance from UK court officials must come from a judicial officer in the US”.

Prince Andrew was also served by Mrs Giuffre’s English solicitors via Royal Mail, which complies with Rule 6.3 (1) (b) of the Civil Procedure Rules for England and Wales, as long as the papers are sent to arrive on the next business day. However, this too becomes complicated if going by the US federal court rules which require service by mail to be evidenced by a signed receipt.

Eventually, Prince Andrew conceded that he had been served with the papers via his US attorneys.

My colleague, Nicci Ashby, Litigation Support Consultant, has commented that when serving evasive defendants, process servers must attempt by all means possible, and within reason, to effect service. Using companies like Royal Mail to deliver the documents is not ideal, as it is then difficult to prove that the defendant has actually received them. However, the UK courts will accept this as good service in certain circumstances.

Her recommendation is to “stay on the side of caution and use experienced process servers, as they are independent, impartial and provide specific evidence to the courts detailing the method of service.”

Nicci goes further to say that in Prince Andrew’s case, only the judge can decide if it was ‘good service’.

“It is slightly complicated, because the paperwork was issued internationally and is required to be served in accordance with local laws, which can be different from the country of issue. Even in the UK, there are different rules of service concerning different types of documents and, in each case, it is important for the process server to understand which procedures are relevant for the documents.”

So, what is a process server?

A process server is an individual who is instructed to serve documents, usually court papers such as claims, petitions and injunctions. Their clients are usually legal professionals, but documents can be drawn up by lay clients, too.

The ultimate role of the process server is to personally serve the documents upon the defendant(s) and thereafter evidence all that they have done in order for the courts to accept that service has been effected. A judge may need this evidence to allow proceedings to commence and may call the process server as a witness if service is disputed. In difficult circumstances where personal service has not been effected, after reading the evidence, a judge may make an order to allow service by other means, or might accept that all reasonable efforts have been made and that the proceedings can continue.

In some cases, judges can use their discretion to enable application for other forms of service, such as via Facebook or WhatsApp, or by leaving documents at the defendant’s last known address.

When serving high-profile people, such as Prince Andrew, it’s unlikely a process server will be able to hand over the paperwork in person, due to the tight security measures placed around these individuals. The process server’s role is to attempt to serve the documents by whatever legal means possible, and to inform the defendant of the nature and basic contents of the documents.

When defendants try to evade service, investigations including covert surveillance may be used to try to catch them off guard.

What to do when you need a process server

When looking to instruct a process server, we recommend the following:

  • As process serving is not a regulated activity, it is better that you instruct a firm that is a member of a recognised trade association such as the Association of British Investigators (ABI) or the World Association of Detectives (WAD).
  • In certain countries, only court staff and court-appointed bailiffs can serve documents, so make sure you check the relevant laws within that jurisdiction when attempting to serve documents abroad.
  • Always provide the process server with a photograph or good description of the defendant – something you should be able to obtain from the claimant.
  • Provide the process server with all contact details you have for the defendant.
  • Inform the process server if the defendant has a history of violence and has access to firearms or vicious animals. Personally, I’ve had death threats made against me and encountered violent attacks by both people and animals while effecting personal service of documents. Good process servers will, at times, have to put themselves in difficult situations and need to be prepared to face aggressive behaviour.
  • Only experienced firms should be instructed to conduct the service, as process serving is a vital part of the legal process. At ESA Risk, our process serving teams are led by professionals with decades of experience, legal sector qualifications and industry body memberships.

Instruct ESA Risk today

If you’re looking for an experienced company to reliably serve documents, look no further than ESA Risk. Our extensive network of process servers covers the whole of the UK (as well as overseas locations).

Whether you require us to serve relatively straightforward, standard documents or to organise complex time-synchronised, multi-location services, either in the UK or overseas, we’ll work with you to understand your specific requirements and tailor our services and fees accordingly.

Need to confirm an address before sending documents? We also provide tracing services, ensuring you serve the right people in the right place at the right time.

Email us at process.serving@esarisk.com, or call us on +44 (0)343 515 8686.

Government proposal to reform data protection regulation

The UK Government has invited responses from stakeholders as part of an evidence-based approach to developing a risk-based data protection framework fit for the future.

As data is considered to be the driving force of the modern economy and one of the most important resources in the world, the aim of the process is to seize the opportunity from new regulatory freedoms following Brexit to build a framework of laws based on common sense, not a box-ticking exercise. The aim is to build on key elements of GDPR, not to water down the current legislation. The clear message is that protection of personal data must remain at the core of any new regime to maintain public trust.

The plan has been described as bold, well thought out and much needed in the context of criticism from businesses who have found the existing regulations to be complex and unclear, creating uncertainty and a barrier to data access. The reforms will introduce a more flexible regime and encourage organisations to use data responsibly.

The key changes proposed include removing the need to:

  • Appoint a DPO, either in all cases or just in public bodies
  • Conduct a data protection impact assessment (DPIA)
  • Consult the Information Commissioner’s Office (ICO) regarding high-risk processing
  • Keep records of processing activities.

The wider reforms include the creation of an ‘exhaustive’ list of situations where the legitimate interest test will apply without having to conduct a balancing exercise, aimed at giving businesses greater certainty when relying on legitimate interests without a detailed analysis.

The regime will also allow the use of data for AI projects and other innovations. There are specific provisions for AI, such as allowing the use of data to monitor bias in AI systems and allowing the use of personal data for research by widening the situations where data can be used for new purposes.

There will be no change to the central principles of GDPR; the data protection principles and the lawful bases for processing remain intact. The division between controller and processor will also stay.

The strict requirements within GDPR will be replaced by a more flexible obligation to implement a ‘privacy management programme’. The changes will not amount to a bonfire of the GDPR regulations as there will remain obligations to create defined roles and responsibilities for data protection including a designated individual to take responsibility for the programme and be a contact point for the ICO. The move is intended to encourage organisations to invest effectively in the process of governance, policies, people and skills that protect personal data with an outcomes-based focus.

The proposal also aims to reform the ICO and its powers, including measures to move the ICO away from handling high-volume, low-level complaints to dealing with the most serious cases.

Within its impact assessment, the government anticipates the changes will create cost benefits of £1.04 billion over 10 years by removing the barriers to responsible data use. That figure could rise to £1.45bn if adequacy status with the EU is retained. The changes are expected to benefit small and medium sized businesses proportionately more.

It remains to be seen whether the responses from stakeholders encourage the government to go further in reducing the burden on business of the existing GDPR regime towards a more radical reform without jeopardising its adequacy status with the EU, which is vital to the free transfer of data between the EU and the UK.

If you need further advice and support on compliance issues, look no further than ESA Risk. Our risk management and business consulting teams are here to help your business manage risk, excel and grow. Contact Mike Wright, Risk Management and Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Birmingham networking event

ESA Risk’s Marketing Director and Roger Dugan from our co-host Asertis were joined by accountants, insolvency practitioners, lawyers and more for a private wine tasting at Loki Wine Merchant & Tasting House in Birmingham’s historic Great Western Arcade.

This was the first in-person networking event many of our guests had attended since the start of the Covid-19 pandemic, so we were pleased to be returning some sense of normality to Birmingham’s professional community.

And Loki gave us a real treat with Champagne followed by a guided tasting of 5 excellent wines with some unexpectedly delicious choices, such as a white Bordeaux and a subtly complex red from Turkey. There were a few of us making notes of bottle labels at the end of the evening.

The conversation was flowing as easily as the wine, and that’s what these events are all about – connecting like-minded professionals for good conversation in a relaxed setting.

The 500 Club is an event series jointly hosted by ESA Risk and Asertis. The invitation-only networking events are usually held twice a month at locations across the UK, including London, Manchester, Birmingham, Leeds, Liverpool and others.

We’re in London next week, followed by Liverpool in mid-October.

If you’d like to be added to our invite list, please contact us.

Temporary insolvency measures to end, announces the Insolvency Service

The Insolvency Service has signalled the end of temporary insolvency restrictions in England, Scotland and Wales from Friday 1st October 2021. (Northern Ireland will follow with “similar legislation”). However, some protections for businesses facing insolvency will remain until at least 31st March 2022, with new “targeted measures to support small business and commercial tenants” due to be introduced from next month.

Business Minister Lord Callanan believes “the time is right to lift the insolvency restrictions that were needed during the pandemic”, as “we are seeing life and the economy returning to normal with a strong rebound”.

What are the new insolvency restrictions?

Under the new legislation, winding up petitions will only be issued for debts of £10,000 or more – a significant increase on the £750 debt threshold pre-pandemic. However, this higher figure may be deceiving, as the £10,000 threshold doesn’t need to apply to a single debt, but can be the sum of multiple debts owed to 1 creditor or of debts owed to a group of creditors.

The second measure to be introduced will give debtor businesses 21 days to submit a payment proposal to creditors before the creditors can take winding up action.

In addition, the 16th June announcement that commercial tenants will be protected from eviction until the end of March next year is being upheld. The Insolvency Service notes that “businesses should pay contractual rents where they are able to do so.” The extended protection is designed to stop commercial landlords from liquidating limited companies to recover “arrears built up during the pandemic”.

The Insolvency Service expects these new measures “will particularly benefit high streets, and the hospitality and leisure sectors”.

Which insolvency restrictions are ending?

The measures which are ending include the suspension of serving statutory demands and wider-ranging restrictions on winding up petitions. The suspension of the wrongful trading rules, which temporarily removed the threat of personal liability from directors for wrongful trading, was lifted at the start of July 2021. All 3 of these temporary measures were put in place in June 2020, with the restrictions on statutory demands and winding up petitions applying to the period 1st March 2020 to 30th September 2021, as part of the Corporate Insolvency and Governance Act 2020.

The Act introduced some permanent measures, too, which will remain in place beyond the end of the month. These permanent measures centred on rescue and restructuring plans, and were in development before the Covid-19 pandemic.

What will be the impact of the changes?

On balance, October’s changes appear to benefit creditors, while affording some level of continued protection to the most vulnerable debtors – SMEs, high street business and those in the hospitality sector. How strong those protections are in practice remains to be seen, however, as the new £10,000 debt threshold for winding up petitions may not be high enough if creditors decide to group together to take action.


What can we learn from Emotet?

Although originally intended to be a banking ‘Trojan horse’, Emotet has evolved in many forms through modular Dynamic Link Libraries (DLLs) and constantly updates itself into new versions to evade detection. Emotet was designed to steal sensitive information and personal details by infecting devices with malware that then spreads to other local and linked devices.

“In the current climate it is so fantastic to see a major triumph against such a destructive and parasitic malware such as Emotet which has wreaked havoc and has cost millions in damages over a prolonged period in the international banking sector as it infected numerous devices and stole data and money. It has taken a monumental effort from a number of different countries to achieve this and it’s definitely a step in the right cyber security direction.”

Ali Twidale, Banking & Financial Fraud Consultant at ESA Risk

The malware effectively grows by multiplying itself through a network of devices. Once it gains access to one computer, it has the means to affect many others, acting as a worm. This works via email attachments, malicious links and macro-enabled document files, usually hidden as compressed files that can spread the malware in the form of .doc, .docx and .exe files. The emails are often in regard to updates to financial information or are imitations of emails from popular shipment companies.

The malspam then spreads by ransacking your contacts list and forwarding itself into the inboxes of your friends, family, co-workers and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files. If a connected network is present, Emotet can also spread using lists of common passwords, finding its way onto other connected systems in a brute force attack.

Emotet is also known to arrive embedded in Word documents attached to emails, which run and install malware once the victim enables macros. These are often flagged as important, so that hackers can gain quick access to the intended device. Microsoft Outlook is also used to generate phishing emails from the infected device, continuing the cycle of malware right under the nose of the unsuspecting victim.

The rapid pace of spread is one of Emotet’s most dangerous traits, aiding the success of the malware in data theft and extortion. It is very difficult to erase from an infected computer, as attackers can update the malware’s code and enable the trojan to replicate itself across systems. It is undetectable by firewalls due to the nature of its encrypted channels, as well as its ability to lie dormant in a device. Emotet can evade detection by security scanners by remaining idle for extended periods of time and adapting into different versions.

The impact of Emotet

The evolving nature of the malware means it serves various functions for hackers. Notoriously, it has been used to steal banking information from individuals and companies but can also attain sensitive corporate information that is often used for ransom in exchange for a financial reward. Emotet is also often sold to other cyber criminals, extending the varieties of malware it can infect systems with.

Lotem Finkelstein of Check Point Software has revealed that Emotet has ‘sent phishing emails with more than 150,000 different subject lines and 100,000 file names for the attachments.’ Emotet campaigns have impacted industries worldwide and have been used to deliver other malware, including TrickBot and Qbot.

The impact has been enormous, with targets of Emotet including the City of Allentown in Pennsylvania which cost over $1 million to fix. The malware was initially detected in 2014 and has since enabled cyber attacks on Germany, China and Canada in particular. It tends to hide and then reappear in violent bursts, attacking in thousands of malspam messages at once.

Notable cases of Emotet attacks include that on the city of Frankfurt, whose whole IT network had to be shut down. A similar instance was the attack on Heise Online in May 2019. The German publishing house received the typical email containing an infected Word document requesting access to edit. As a result, the domain controllers were compromised and the company had to shut down its IT systems in order to attempt to clean out the infection.

Ways to avoid similar malware attacks

Although malware and trojans can often be difficult to detect and remove, there are measures you can take to avoid infection of your devices. First, ensure your device has cyber security systems installed, such as antivirus software and a secure VPN. This software should block dangerous emails, but where it does not, be diligent when checking your inbox. Avoid opening suspicious or unlikely messages or clicking on links that have come from an unrecognised source. Ensure your passwords are secure, that you are making use of multifactor authentication and that you do not share devices that hold confidential information with others.

According to ESA Risk’s Graeme McGowan, Cyber Risk & Security Consultant, the best ways to protect yourself from similar malware are:

  1. Keep your computer/endpoints up to date with the latest patches for Microsoft Windows. TrickBot is often delivered as a secondary Emotet payload, and TrickBot relies on the Windows Eternal Blue vulnerability to do its dirty work, so patch the vulnerability before the cybercriminals can take advantage of it.
  2. DO NOT download suspicious attachments or click a shady-looking link. Emotet can’t get that initial foothold on your system or network if you avoid those suspect emails.
  3. You can protect yourself by using multi-layered protection. If you suspect your device is infected, isolate it from any connected networks, then proceed to patch and clean the system.
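As an added example (not code from the original article or from ESA Risk), the following Python screens email attachments for the Emotet delivery paths described above: Word documents carrying VBA macros, executables hidden inside compressed files, and containers disguised with a different extension. All sample attachments, filenames and contents are constructed in memory for the demonstration.

```python
"""Attachment screening for the Emotet delivery paths described above.

Constructed, self-contained example: builds small sample attachments in
memory and flags the indicators the text describes (macro-enabled Office
documents, executables hidden in compressed files, disguised containers).
"""
import io
import zipfile

# Office Open XML documents are ZIP containers; a VBA project lives at one of these paths.
VBA_PROJECT_PATHS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".js", ".vbs")
MACRO_SUFFIXES = (".docm", ".xlsm", ".pptm", ".dotm")
CONTAINER_SUFFIXES = (".zip", ".docx", ".xlsx", ".pptx") + MACRO_SUFFIXES
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls header
MAX_NESTING = 2  # how many archives-inside-archives to open before giving up


def _suffix(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def screen_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return human-readable findings for one attachment; [] means nothing was flagged."""
    findings = []
    suffix = _suffix(filename)
    if suffix in EXECUTABLE_SUFFIXES:
        findings.append(f"{filename}: executable attachment")
    if suffix in MACRO_SUFFIXES:
        findings.append(f"{filename}: macro-enabled Office document")
    if data.startswith(OLE_MAGIC):
        findings.append(f"{filename}: legacy binary Office format, macros cannot be ruled out")
    if data[:2] == b"PK":
        # Content is a ZIP container regardless of what the extension claims.
        if suffix not in CONTAINER_SUFFIXES:
            findings.append(f"{filename}: ZIP container disguised with extension '{suffix}'")
        findings.extend(_inspect_container(filename, data, depth))
    elif suffix in CONTAINER_SUFFIXES:
        findings.append(f"{filename}: extension claims a ZIP container but content is not one")
    return findings


def _inspect_container(filename: str, data: bytes, depth: int) -> list:
    """Walk a ZIP container, recursing into nested archives and Office documents."""
    if depth > MAX_NESTING:
        return [f"{filename}: archive nested too deeply, not inspected"]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member in VBA_PROJECT_PATHS:
                    findings.append(f"{filename}: contains VBA macro project ({member})")
                elif _suffix(member) in EXECUTABLE_SUFFIXES + MACRO_SUFFIXES + CONTAINER_SUFFIXES:
                    inner = f"{filename}!{member}"
                    findings.extend(screen_attachment(inner, zf.read(member), depth + 1))
    except zipfile.BadZipFile:
        findings.append(f"{filename}: corrupt or truncated ZIP container")
    return findings


def build_zip(members: dict) -> bytes:
    """Helper to construct sample ZIP/docx payloads in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (structure only, no real payload).
CLEAN_DOCX = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
MACRO_DOCX = build_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\x00" * 8})
DROPPER_ZIP = build_zip({"invoice.exe": b"MZ\x90\x00", "readme.txt": b"please review"})
NESTED_ZIP = build_zip({"shipment.zip": DROPPER_ZIP})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 24

SAMPLES = [
    ("report.docx", CLEAN_DOCX),
    ("important_notice.docx", MACRO_DOCX),
    ("invoice.zip", DROPPER_ZIP),
    ("shipment.zip", NESTED_ZIP),
    ("contract.doc", LEGACY_DOC),
    ("statement.pdf", CLEAN_DOCX),  # ZIP content behind a .pdf name
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        result = screen_attachment(name, blob)
        print(f"{name}: {'clean' if not result else '; '.join(result)}")
```

A mail gateway would normally quarantine anything with findings rather than just log it; the legacy .doc case is flagged because the OLE format needs a dedicated parser to confirm whether macros are present.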

The 500 Club in Soho

Hidden away behind a discreet door on Shaftesbury Avenue, Soho’s exclusive Century Club was the venue for last week’s instalment in The 500 Club networking event series. Ali Twidale (Banking & Financial Fraud) hosted alongside Roger Dugan and J-P Pitt from our co-hosts Asertis.

Joined by guests including lawyers and insolvency professionals, we took over Century’s Club Room to talk insolvency, working practices in the post-Covid world, skiing, and much more.

The 500 Club is an event series jointly hosted by ESA Risk and Asertis. The invitation-only networking events are usually held twice a month at locations across the UK, including London, Manchester, Birmingham, Leeds, Liverpool and others.

Our aim at these events is to connect like-minded professionals. No sales presentations, only good conversation over a few drinks.

We’re back in London at the end of September. Before that, we’ll be in Birmingham for a private wine tasting at Loki Wine next week.

If you’d like to be added to our invite list, please contact us.

The 500 Club heads to Leeds

Guests including insolvency professionals and lawyers enjoyed drinks and great conversation with a backdrop of panoramic views of the city. ESA Risk’s Mike Wright (Risk Management & Investigations) hosted alongside Roger Dugan of our co-hosts Asertis.

And those conversations have continued (on the golf course, for some), which is always our aim with these events: making introductions to create lasting professional relationships.

The 500 Club is an event series jointly hosted by ESA Risk and Asertis. The invitation-only networking events are usually held twice a month at locations across the UK, including London, Manchester, Birmingham, Leeds, Liverpool and others.

We’ll be at Century Club in London for our next event in September, followed by a private wine tasting at Loki Wine in Birmingham later in the month.

If you’d like to be considered for a future event, please contact us.

Cyber fraud and ‘persons unknown’

Unknown individuals had hacked into CMOC’s systems and sent forged payment instructions to CMOC’s bank, resulting in the fraudulent diversion of millions of pounds into bank accounts held at a large number of international and overseas banks, operating across multiple jurisdictions.

CMOC v Persons Unknown [2018] EWHC 2230 (Comm) is a landmark case because it is the first time that the High Court has granted a worldwide freezing injunction against alleged anonymous perpetrators involving cyber fraud in England and Wales. Up until this point, injunctions against ‘persons unknown’ had rarely been granted and even then only for cases like online libel.

According to the Law Gazette’s coverage of the ruling, the High Court’s injunction ultimately required 35 international and overseas banks in at least 19 jurisdictions to freeze the assets of the individuals and the alleged stolen funds, and to reveal the identity of the alleged fraudsters as well as the details of any onward transfers.

At trial the High Court ordered the repayment of the stolen money and awarded damages of around £7m, and enforcement action followed.

Philip Young, partner at dispute resolution firm Cooke, Young & Keidan (CYK), had advised CMOC on its legal action and told the court that cyber threats were growing in sophistication, with billions of pounds being lost each year.

What corporate victims needed, he said, was a means to fight back. Never before granted in cyber fraud cases like this, the ‘persons unknown’ jurisdiction is a tool that English civil courts have in their toolbox to pursue the alleged perpetrators and, potentially, resolve disputes globally.

Speaking to ESA Risk, Young says that the claimant’s overriding aim was not only the worldwide freezing injunction but the related disclosure orders, which required the banks to say who the purported customers of the accounts were and to hand over documents to show what the account holders had done with the stolen money.

“It is ‘persons unknown’ until you know who they are and then you start naming them and bringing them in as defendants, which is what we did,” he says.

This approach enabled his team to pursue the alleged fraudsters, and, as required, issue domestic orders in the courts of overseas jurisdictions to recover some of the losses.

For reasons of client confidentiality, Young says it is not possible to disclose how much CMOC recovered after the ruling. However, he does disclose that, even after the legal costs were taken into account, CMOC came out with a substantial recovery, with the recovered sums being more than enough to justify the litigation using the ‘persons unknown’ jurisdiction.

Since this landmark ruling, Young notes that the use of ‘persons unknown’ jurisdiction for cyber fraud has been adopted as an approach by the courts in Hong Kong and Malaysia, both of which have seen cases to test the legal waters, relying on the English judgment as precedent.

Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant at ESA Risk, believes the ruling may be the start of a trend, which could result in more commercial courts being willing to grant these types of freezing injunctions.

She says that CMOC v Persons Unknown [2018] EWHC 2230 (Comm) is significant because it shows that the courts are starting to wrestle with this issue, adding that the courts recognise that the world is changing, and that the legal landscape needs to be agile enough to respond.

“The way these freezing orders work is that they open a further avenue of recompense for those who have been the victims of fraud,” she says.

However, she doesn’t believe that in the UK the “floodgates” will open. The judiciary, she believes, will still approach worldwide freezing injunctions with a great deal of caution, in part because they are not easy to enforce.

“There are challenges in terms of enforceability and in terms of what seems like the transfer of investigative responsibility over to the banks and other institutions deemed to be responsible for complying with the order,” she explains.

It’s also important to remember that, although a freezing injunction places a responsibility on banks to act and freeze the money, making an application to the courts to apply for one is not a quick process.

Bai-Marrow warns that businesses need to be mindful of how long it takes to secure an order and then serve it on the parties who must enforce it. This is especially important to bear in mind because when fraud is involved, targeted businesses need to move quickly to minimise their losses.

Mike Wright, Risk Management and Investigations Consultant at ESA Risk, concurs. He says that when fraudsters move stolen money into overseas bank accounts, it can be channelled into other accounts instantaneously. Chasing the money can be like chasing your tail.

“If fraudsters get a sniff that someone is after a freezing order, they can move the money into three different continents in 15 minutes,” he warns.

Should the alleged fraudsters put the stolen money into assets, this can be traced more easily, he adds.

“It’s a lot harder and a lot slower to move assets and there is also a trail,” he says. “Even if someone has sold a property or transferred it into their spouse’s name, you can still go after it.”

However, as with a worldwide freezing order on bank accounts, the difficulty in freezing assets is that some overseas jurisdictions are under no compulsion to co-operate.

Even before the pandemic struck in early 2020, cyber fraudsters were upping their game, employing ever more ingenious and ruthless measures to defraud businesses.

In recent years, business email compromise schemes (BECs) like the one used in the CMOC v Persons Unknown [2018] EWHC 2230 (Comm) case have increased in prevalence globally, says Bai-Marrow.

“The fraudsters will be watching the flow of information between two parties and will then identify potential transactions that could then be used to divert money from the business into their own accounts,” she explains.

“They will then replicate an email that appears to have come directly from the business they intend to defraud or the other parties. As they’ve seen the pattern of information, they’ll know who to say they are to the recipient.”
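The pattern Bai-Marrow describes leaves traces in the message itself: a reply address that points somewhere other than the visible sender, a familiar display name over an unfamiliar address, a sender domain one character away from the real one, and payment-diversion wording. The following Python is an added example, not code from the article or from ESA Risk; the internal domain, the known-sender list and both sample messages are constructed for the illustration.

```python
"""Heuristic indicators of a business email compromise (BEC) message.

Added example, not code from the article or from ESA Risk. The internal
domain, the known-sender list and both sample messages are constructed for
this illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed organisation data (hypothetical).
INTERNAL_DOMAINS = {"example-plastering.co.uk"}
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example-plastering.co.uk"}
PAYMENT_WORDS = ("bank details", "new account", "urgent", "transfer", "wire")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; 1 or 2 against a real domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return the indicator names found in one RFC 5322 message, in check order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Replies are silently routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 2. A known person's display name over an address that is not theirs.
    expected = KNOWN_SENDERS.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append("display-name-impersonation")

    # 3. Sender domain is one or two edits away from an internal domain.
    if from_dom and from_dom not in INTERNAL_DOMAINS:
        if any(0 < _edit_distance(from_dom, d) <= 2 for d in INTERNAL_DOMAINS):
            findings.append("lookalike-domain")

    # 4. Payment-diversion language, the usual goal of a BEC message.
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part else ""
    else:
        body = msg.get_content()
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(w in text for w in PAYMENT_WORDS):
        findings.append("payment-language")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: "Jane Doe" <jane.doe@examp1e-plastering.co.uk>
Reply-To: accounts.update@mail-relay.example.net
To: payments@example-plastering.co.uk
Subject: Urgent: updated bank details for the outstanding invoice

Please use the new account below and transfer today.
"""

SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example-plastering.co.uk>
To: payments@example-plastering.co.uk
Subject: Site meeting

See you at the site on Thursday.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE_BEC))    # all four indicators
    print(bec_indicators(SAMPLE_LEGIT))  # []
```

None of the four checks is conclusive on its own; a finance mailbox rule that holds any message carrying two or more of them for a manual look, and a payment process that never trusts details arriving by email, is the practical use of this kind of scoring.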

What Covid-19 has done is create the perfect conditions for fraudsters to prey on vulnerable businesses, whether they are high-profile operations or small enterprises.

Graeme McGowan, Cyber Risk & Security Consultant at ESA Risk, notes that one development that has worked to the fraudster’s advantage is the move to remote working.

“You’ve got people who are in senior positions in banks working at home on the laptop or PC, accessing the corporate system. It’s a recipe for disaster,” he warns. “At the moment, it’s a hacker’s and criminal’s playground with lockdown.”

Given the serious and growing threat that cyber fraud poses to businesses of all sizes, the practical considerations involved in applying for a worldwide freezing order, and the difficulty of enforcing one effectively, what is the best course of action for businesses to take?

Arguably, the most effective safeguard against cyber fraud is prevention. BECs and other types of fraud succeed because IT systems have weaknesses and because staff may not be trained well enough to identify scams. Bai-Marrow says that businesses should adopt a two-part approach.

“Strengthen your cyber defences and ensure you’ve invested in all the relevant online protection tools but also ensure the individuals in the key areas of your business who are most susceptible to being a victim of a scheme like this are effectively trained to recognise the warning signs,” she explains.

“Even with BECs, before they proceed with paying that money out, call the company up and just double check, have a process in place, and review your procedures when it comes to how your business pays out funds.

“For example, if a vendor you are using changes its details, have a process in place so that the bank account must be verified. Processes can be tedious and boring but they are absolutely the right thing in order to protect your business. So, for example, if you notify us of a change of bank account, it will take us seven days to change that. In that time, we will verify that bank account with the intended recipient through a variety of means to ensure authenticity.”
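The control Bai-Marrow describes has two parts that are easy to get wrong in practice: the change must not take effect until a hold period has elapsed, and the verification call must go to the contact details already on file, never to a number supplied in the change request itself. The following Python is an added example, not code from the article or from ESA Risk; the vendor, the account labels and the phone numbers are constructed.

```python
"""Hold-and-verify control for supplier bank-detail changes.

Added example, not code from the article or from ESA Risk. It models the
seven-day hold and out-of-band verification Bai-Marrow describes; the vendor,
account labels and phone numbers are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HOLD_PERIOD = timedelta(days=7)


@dataclass
class Vendor:
    name: str
    account: str                      # account currently approved for payment
    contact_phone: str                # number on file BEFORE any change request
    pending_account: Optional[str] = None
    requested_at: Optional[datetime] = None
    verified: bool = False


class ChangeRejected(Exception):
    """Raised when a verification step is attempted the wrong way round."""


class VendorRegister:
    def __init__(self):
        self._vendors = {}

    def add(self, vendor):
        self._vendors[vendor.name] = vendor

    def request_change(self, name, new_account, now):
        """Record a requested change. Nothing is paid to the new account yet."""
        v = self._vendors[name]
        v.pending_account, v.requested_at, v.verified = new_account, now, False

    def verify_out_of_band(self, name, number_called, confirmed):
        """Count a call-back only if it went to the number already on file.
        A number supplied inside the change request itself is worthless:
        the attacker controls it."""
        v = self._vendors[name]
        if v.pending_account is None:
            raise ChangeRejected("no change pending")
        if number_called != v.contact_phone:
            raise ChangeRejected("call-back must use the contact number on file")
        if not confirmed:                # supplier denies the change: discard it
            v.pending_account, v.requested_at = None, None
        v.verified = confirmed
        return confirmed

    def account_for_payment(self, name, now):
        """Account a payment may go to right now. A pending change is applied
        only once verified AND the hold period has elapsed; otherwise the
        previously approved account is used."""
        v = self._vendors[name]
        if v.pending_account and v.verified and now - v.requested_at >= HOLD_PERIOD:
            v.account, v.pending_account, v.requested_at = v.pending_account, None, None
            v.verified = False
        return v.account


def demo():
    """Walk one change request through the control; returns the accounts paid."""
    reg = VendorRegister()
    reg.add(Vendor("Acme Render Ltd", "ACCT-OLD", "+44 1632 960000"))  # constructed
    day0 = datetime(2021, 3, 1)
    reg.request_change("Acme Render Ltd", "ACCT-NEW", day0)

    paid_unverified = reg.account_for_payment("Acme Render Ltd", day0 + timedelta(days=8))
    try:                                   # call-back to a number from the request: rejected
        reg.verify_out_of_band("Acme Render Ltd", "+44 7700 900000", True)
    except ChangeRejected:
        pass
    reg.verify_out_of_band("Acme Render Ltd", "+44 1632 960000", True)
    paid_in_hold = reg.account_for_payment("Acme Render Ltd", day0 + timedelta(days=3))
    paid_after_hold = reg.account_for_payment("Acme Render Ltd", day0 + HOLD_PERIOD)
    return paid_unverified, paid_in_hold, paid_after_hold


if __name__ == "__main__":
    print(demo())  # ('ACCT-OLD', 'ACCT-OLD', 'ACCT-NEW')
```

The point of `demo()` is the first value: a payment run eight days after an unverified request still goes to the old account, because the hold and the verification are independent conditions and both must be met. In a real system the verified call-back would be recorded with who made it and when, so the audit trail exists if the change is later disputed.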

It’s also about training staff in important, albeit vulnerable, positions, she says. “Don’t just click on an email response and not check who the email is really from. There are things that companies can do to sensitise their staff, especially those in critical roles, to ensure they don’t inadvertently become facilitators of fraud.”

McGowan has written extensively about the growing sophistication in cyber crimes, including providing practical steps on how best to enhance security on business and personal accounts.

He argues that IT system improvement is a priority, not just as a deterrence against hackers but also to minimise the risk that regulators will potentially impose a fine on a business for failing to protect its clients’ confidentiality.

“You need to have a full structured IT assessment done, checking out all of your policies and procedures, including ISO 27001,” he argues.

“If you’ve got everything in place and you’ve got a good training regime in place, accidents will still happen because hackers are clever at what they do. However, if you do get hacked, GDPR comes in and the ISO won’t fine you because you’ve taken the necessary steps.”

With the move to remote working, McGowan also argues that businesses must tighten up their employees’ home security. One option is a firewall that sits between the router and the employee’s devices, monitors incoming and outgoing traffic and blocks connections its rules do not permit.

“A lot of people probably don’t want to do that but they don’t understand that it is a good solution,” he says.

“You need some means of monitoring incoming and outgoing traffic. You need up to date security software to protect you. You need to be working possibly through a VPN [virtual private network] 100% of the time.”

McGowan also warns about the huge increase in the use of ‘deepfakes’, a type of identity fraud that uses artificial intelligence to create convincing fake images, videos and voice recordings.

Although deepfakes are not a new threat, this type of fraud is becoming increasingly convincing and difficult to identify, he says.

McGowan admits that the chances of a fraudster using a deepfake to impersonate a CEO in a financial institution to extract funds are slim, but there has been at least one case involving a less sophisticated approach.

“In October 2019, it was reported that a top executive in a UK-based energy company had been duped into transferring £200,000 to cyber fraudsters,” he says.

“The perpetrators used AI voice technology to mimic the executive’s boss, who was based at the German HQ. The executive was instructed to move the funds immediately to a Hungarian bank account and was told they would be returned later. They never were.”

In most fraud cases, businesses do not retrieve the stolen money. Often they chalk up the loss and move on, says Bai-Marrow, because publicly declaring the financial loss would do more damage to their reputation.

Fraudsters know this and may even be encouraged to hack into systems because they are confident they will not be pursued. What’s more, they recognise that speed of response is critical, so preventative steps are undoubtedly the best protection to minimise any financial losses and protect reputations.

One of the services that ESA Risk will be looking to offer clients in the future is a blockchain fraud software solution, says McGowan.

“This allows us to not just identify the chain of what might have happened, it allows us to get inside the details and that would allow us to advise the banks.”

Cases of fraud in the pandemic

Cases of fraud reached a concerning high during the Covid-19 pandemic, committed by phone call, email, text message and in-person visit. Healthcare fraud in particular rose with the development of coronavirus vaccines: individuals have impersonated NHS staff and visited people in person to ‘administer’ fake vaccines. This is not only fraud but a danger to people’s health, as is the sale of fake Covid-19 tests, defective surgical masks and medical supplies.

Social media is another medium used to commit fraud, especially through clickbait and the sale of misbranded products. National lockdowns pushed more people into online shopping, opening the door to more retail fraud and false selling on Instagram and other websites. Action Fraud has reported that 16,352 online shoppers have fallen victim to fraud since the pandemic started, alongside the many people lured by fake online auctions and by false online advertising of trading and investment schemes that use celebrities’ names and images without their knowledge.

The changing restrictions on travel have also given rise to fraud involving bogus refund offers and travel deals. Fraudsters have been stealing personal information and banking details through these scams, leaving many victims seeking bank refunds and filing online reports to get their money back.

One example of a Covid-related scam was a text message claiming to offer government refunds as a response to the pandemic, reading ‘UKGOV: You are eligible for a Tax Refund as a result of the Covid-19 pandemic. Please fill out the following form so that we can process your refund.’

Further example cases of fraud in the pandemic include:

  1. Criminals sending fake emails designed to look like they are from government departments offering grants of up to £7,500. The emails contain links which steal personal and financial information from victims.
  2. Fraudsters sending scam emails which offer access to ‘Covid-19 relief funds’ encouraging victims to fill in a form with their personal information.
  3. Criminals targeting people with official-looking emails offering a ‘council tax reduction’. These emails, which use government branding, contain links which lead to a fake government website which is used to access personal and financial information.
  4. Fraudsters preying on benefit recipients, offering to help apply for Universal Credit, while taking some of the payment as an advance for their “services”.
  5. Criminals sending phishing emails and links that impersonate the NHS Track and Trace system, claiming that the recipient has been in contact with someone diagnosed with Covid-19. These lead to fake websites that are used to steal personal and financial information or infect devices with malware.

How to avoid being targeted

Be mindful of the vendors you trust and buy from. Scammers are selling unapproved products that claim to treat or prevent Covid-19. Offers to sell Covid-19 vaccination cards are scams, as these can only be obtained from legitimate providers. If a company or individual asks for an image of your vaccination card as ‘proof’ of something, do not share it: the details on it can be used for identity fraud.

Be diligent on the phone. Official suppliers will not cold-call offering Covid tests or medical supplies. Nor will the government offer payment schemes to move you to the front of the vaccine queue, or require personal information for you to receive the Covid-19 vaccine, so beware of phone calls along these lines. Any caller asking for your personal information, medical history or banking details should not be trusted without due-diligence checks.

Be wary of email hyperlinks or text messages from unknown senders relating to Covid-19. Fraudsters may send false offers advertising Covid-19 testing; make sure any appointment you book is at an official testing site. Scammers might also pretend to be contact tracers; remember that legitimate contact tracers will not ask for payment, bank details or passwords.

Further steps to take to avoid Covid-19 related fraud

  • Only share personal health information with known medical professionals.
  • Be wary about work from home scams and ‘opportunities’ circulating on social media.
  • Don’t respond to robocalls that are selling medical supplies, or companies that are demanding advance payments.
  • Be mindful of fraudulent emails asking for donations to healthcare, or any unexpected communications that require you to enter your bank details and contribute money.
  • Be mindful that some ‘free’ healthcare offers will ask for your personal information and then use it for fraudulent purposes. Don’t give out personal details unless it is to a trusted source.
  • Hyperlinks claiming to relate to healthcare services might lead to malware that infects your computer. You can check a link before opening it with a scanning service such as ‘Scan URL’ or a site-reputation service such as Norton Safe Web.
  • Be aware of government imposter schemes and campaigns that are offering pandemic relief money or refunds.

Covid-19 vaccines are free, so any requirements to pay for one are a scam and should be avoided at all costs. There are fraudulent ‘vaccines’ going around via a text message that reads ‘we have identified that you are eligible to apply for your vaccine’ with a link to a fake NHS page which asks for bank details.
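The ‘UKGOV’ tax-refund text and the fake NHS vaccine text quoted above share one tell: the link does not actually land on a gov.uk or nhs.uk host, however much the hostname borrows those words. The following Python is an added example, not code from the article or from ESA Risk, of the check a reader (or a mail/SMS filter) can apply before clicking. The two scam messages paraphrase the wording quoted in the article with constructed link targets; the genuine message, the allow-list of official domains and the brand-word list are assumptions made for the illustration. Note the suffix test is done on a label boundary, so that ‘gov.uk.refund-claim.com’ and ‘notgov.uk’ both fail it.

```python
"""Link checks for texts and emails that claim to come from UK government or the NHS.

Added example, not code from the article or from ESA Risk. The two scam
messages are adapted from the wording quoted in the article; the genuine
message, the allow-list of official domains and the brand words are
assumptions made for this illustration.
"""
import re
from urllib.parse import urlsplit

OFFICIAL_SUFFIXES = ("gov.uk", "nhs.uk")          # assumed allow-list
BRAND_WORDS = ("gov", "hmrc", "nhs")              # words scammers borrow for lookalike hosts
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Hostname of a URL; 'www.' links without a scheme are accepted too."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_official(host):
    """True only when the official suffix sits on a label boundary.
    'www.gov.uk' passes; 'gov.uk.refund-claim.com' and 'notgov.uk' fail."""
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def classify_host(host):
    if is_official(host):
        return "official"
    if any(word in host for word in BRAND_WORDS):
        return "brand-impersonation"      # borrows an official name but is not official
    return "unverified-link"


def classify_message(text):
    """Worst verdict across every link in the message, plus per-host detail."""
    hosts = [host_of(u.rstrip(".,;:!?)")) for u in URL_RE.findall(text)]
    verdicts = {h: classify_host(h) for h in hosts}
    if not hosts:
        return "no-links", verdicts
    for level in ("brand-impersonation", "unverified-link"):
        if level in verdicts.values():
            return level, verdicts
    return "official", verdicts


# Constructed messages: the first two paraphrase scam texts quoted in the article.
SMS_TAX_REFUND = ("UKGOV: You are eligible for a Tax Refund as a result of the Covid-19 "
                  "pandemic. Please fill out the following form so that we can process "
                  "your refund: https://gov.uk.refund-claim.com/form.")
SMS_VACCINE = ("We have identified that you are eligible to apply for your vaccine: "
               "http://nhs-vaccine-apply.co/claim")
SMS_GENUINE = "Your appointment is confirmed: https://www.nhs.uk/conditions/coronavirus-covid-19/"

if __name__ == "__main__":
    for m in (SMS_TAX_REFUND, SMS_VACCINE, SMS_GENUINE):
        print(classify_message(m))
```

The verdict is deliberately coarse: a ‘brand-impersonation’ result is a strong signal, while ‘unverified-link’ only says the sender could not be confirmed and the link should be reached by typing the known address rather than by clicking. A reputation service such as the ones mentioned above adds the history behind a host; this check only looks at its name.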

If you think you have been contacted by an unreliable party, run the ‘scam’ test:

‘S’- seems too good to be true

‘C’- contacted out of the blue

‘A’- asked for personal details

‘M’- money is requested

Deep dive for the answers you need
Or contact us on +44 (0)343 515 8686 or at advice@esarisk.com.
