Page 20 – ESA Risk

Financial due diligence

Posted on August 13, 2021July 13, 2022 by Admin Admin

“Due diligence is a strategy to reduce the risk of failure”

– Herrington J. Bryce, Nonprofit Times

By conducting research into a business, or stock, or investment, individuals can confirm basic information and evaluate the potential of their investment before completely committing to it.

Financial due diligence may include the following:

Reviews of financial records, including cash flow generations and capital expenditure.
Asset examination.
Analysis of financial risks.
Financial projections.
Information on management and current policies.
Potential liabilities and risks to cash flow post-transaction.
Company valuation range estimation.

It is also beneficial for sellers to conduct their own due diligence before meeting with buyers, so they can be prepared for the examination and increase the likelihood of making a successful transaction. There may be accounting discrepancies, or conflicts over intellectual property rights, for instance, that can hinder or halt the selling process. Vendor due diligence thereby enables companies seeking investment to provide a detailed report of everything an investor needs to know, reducing the likelihood of price negotiations if the buyer finds flaws in the business through their own due diligence.

For investors, due diligence provides security when it comes to the transaction process. Buying shares, investing in a company, or buying it out, requires knowing about what you are getting into. The acquisition process often involves detailed due diligence to ensure that the buyer is comfortable with the financial agreement they are entering.

It involves an analysis of taxes, working capital requirements, historical financial performance and forecasts, all of which should be addressed before payment is made. Financial due diligence can be used to estimate a valuation range of the target business, which can be compared to the heads of terms negotiated between the buyer and the seller prior to due diligence. This can provide comfort to the potential buyer that the price they intend to pay appears reasonable.

Financial due diligence requires cooperation between both parties and transparency in providing the right information. Experts are often needed to check financial accounts or taxation, to ensure financial risk areas are investigated thoroughly. Any risks found may be advised on and can lead to negotiations on the buying price, which can influence the process of acquisition.

When investing in new companies, for instance, experts must look at various factors such as a company’s net income and trends in profits, volatility in revenue streams, target market size and the total valuation of the company. It is also important to analyse competition within the industry, aligning company profits against those of competitors. Due diligence can help compare the finances of various companies within an industry to determine which is most successful and predict the direction the entire industry is going in.

Looking into the management is also useful in determining levels of expertise and experience in a company. If a company’s management to shareholder ratio is low, there may be reason to be cautious. Shareholders tend to be best served when managers or company directors have also invested in stock performance. Company debt is also something to look out for, especially in comparison to other businesses in the same industry.

Investors should remember that it is better to be cautious than overly optimistic, in order to make careful and informed decisions about where to place their money. Having an exit strategy is also useful when going into business with a company that has not performed well on their due diligence. Even for companies that performed well; past performance does not guarantee future financial stability, so it is better invest in stocks that are not volatile, or businesses that are not at risk of a sudden decline.

Long-term and short-term financial goals can be forecast by undertaking due diligence on a company, monitoring whether cash flows have been steady, the pattern of profit margins and whether said company plans on issuing more shares. By making sure you know specific risks to the assets you plan on investing in or buying, you can avoid regulatory or legal issues from arising in the future. It reduces the risk of unexpected surprises post-transaction and enables you as a buyer to implement future strategies.

Financial due diligence is thereby vital in ensuring that both parties involved in a transaction are holding the same information regarding the assets being sold. It helps to reduce risk and assure buyers that they are investing their money wisely. By identifying both strengths and flaws, investors are given a holistic account of their investment and can make a fully informed decision thereafter.

Cyber fraud and ‘persons unknown’

Posted on August 4, 2021March 9, 2022 by Admin Admin

Unknown individuals had hacked in to CMOC’s systems and sent forged payment instructions to CMOC’s bank, resulting in the fraudulent diversion of millions of pounds into bank accounts held by a large number of international and overseas banks, operating across multiple jurisdictions.

CMOC v Persons Unknown [2018] EWHC 2230 (Comm) is a landmark case because it is the first time that the High Court has granted a worldwide freezing injunction against alleged anonymous perpetrators involving cyber fraud in England and Wales. Up until this point, injunctions against ‘persons unknown’ had rarely been granted and even then only for cases like online libel.

According to the Law Gazette’s coverage of the ruling, the High Court’s injunction ultimately required 35 international and overseas banks in at least 19 jurisdictions to freeze the assets of the individuals and the alleged stolen funds, and to reveal the identity of the alleged fraudsters as well as the details of any onward transfers.

At trial the High Court ordered the repayment of the stolen money, awarded damages of around £7m and subsequently enforcement action ensued.

Philip Young, partner at dispute resolution firm Cooke, Young & Keidan (CYK), had advised CMOC on its legal action and told the court that cyber threats were growing in sophistication, with billions of pounds being lost each year.

What corporate victims needed, he said, was a means to fight back. Never before granted in cyber fraud cases like this, the ‘persons unknown’ jurisdiction is a tool that English civil courts have in their toolbox to pursue the alleged perpetrators and, potentially, resolve disputes globally.

Speaking to ESA Risk, Young says that the claimant’s overriding aim was not only the worldwide freezing injunction but the related disclosure orders, which required the banks to say who the purported customers of the accounts were and to hand over documents to show what the account holders had done with the stolen money.

“It is ‘persons unknown’ until you know who they are and then you start naming them and bringing them in as defendants, which is what we did,” he says.

This approach enabled his team to pursue the alleged fraudsters, and, as required, issue domestic orders in the courts of overseas jurisdictions to recover some of the losses.

For reasons of client confidentiality, Young says it is not possible to disclose how much CMOC recovered after the ruling. However, he does disclose that, even after the legal costs were taken into account, CMOC came out with a substantial recovery, with the recovered sums being more than enough to justify the litigation using the ‘persons unknown’ jurisdiction.

Since this landmark ruling, Young notes that the use of ‘persons unknown’ jurisdiction for cyber fraud has been adopted as an approach by the courts in Hong Kong and Malaysia, both of which have seen cases to test the legal waters, relying on the English judgment as precedent.

Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant at ESA Risk, believes the ruling may be the start of a trend, which could result in more commercial courts being willing to grant these types of freezing injunctions.

She says that CMOC v Persons Unknown [2018] EWHC 2230 (Comm) is significant because it shows that the courts are starting to wrestle with this issue, adding that the courts recognise that the world is changing, and that the legal landscape needs to be agile enough to respond.

“The way these freezing orders work is that they open a further avenue of recompense for those who have been the victims of fraud,” she says.

However, she doesn’t believe that in the UK the “floodgates” will open. The judiciary, she believes, will still approach worldwide freezing injunctions with a great deal of caution, in part because they are not easy to enforce.

“There are challenges in terms of enforceability and in terms of what seems like the transfer of investigative responsibility over to the banks and other institutions deemed to be responsible for complying with the order,” she explains.

It’s also important to remember that, although a freezing injunction places a responsibility on banks to act and freeze the money, making an application to the courts to apply for one is not a quick process.

Bai-Marrow warns that businesses need to be mindful that there are limitations in the speed it takes to secure one, which can then be enforced or served on parties to enforce. This is especially important to bear in mind because when fraud is involved, targeted businesses need to move quickly to minimise their losses.

Mike Wright, Risk Management and Investigations Consultant at ESA Risk, concurs. He says that when fraudsters move stolen money into overseas bank accounts, it can be channelled into other accounts instantaneously. Chasing the money can be like chasing your tail.

“If fraudsters get a sniff that someone is after a freezing order, they can move the money into three different continents in 15 minutes,” he warns.

Should the alleged fraudsters pour the stolen money in assets, this can be traced more easily, he adds.

“It’s a lot harder and a lot slower to move assets and there is also a trail,” he says. “Even if someone has sold a property or transferred it into their spouse’s name, you can still go after it.”

However, like the worldwide freezing order on bank accounts, the difficulty in freezing assets is that some overseas jurisdictions will have no compulsion to co-operate.

Even before the pandemic struck in early 2020, cyber fraudsters were upping their game, employing ever more ingenious and ruthless measures to defraud businesses.

In recent years, business email compromise schemes (BECs) like the one used in the CMOC v Persons Unknown [2018] EWHC 2230 (Comm) case have increased in prevalence globally, says Bai-Marrow.

“The fraudsters will be watching the flow of information between two parties and will then identify potential transactions that could then be used to divert money from the business into their own accounts,” she explains.

“They will then replicate an email that appears to have come directly from the business they intend to defraud or the other parties. As they’ve seen the pattern of information, they’ll know who to say they are to the recipient.”

What Covid-19 has done is create the perfect conditions for fraudsters to prey on vulnerable businesses, whether they are high-profile operations or small enterprises.

Graeme McGowan, Cyber Risk & Security Consultant at ESA Risk, notes that one development that has worked to the fraudster’s advantage is the move to remote working.

“You’ve got people who are in senior positions in banks working at home on the laptop or PC, accessing the corporate system. It’s a recipe for disaster,” he warns. “At the moment, it’s a hacker’s and criminal’s playground with lockdown.”

Taking into consideration the very serious and growing threat that cyber fraud poses businesses of all sizes; the practical considerations involved in applying for a worldwide freezing order; and the difficulty in enforcing it effectively, what is the best course of action for businesses to take?

Arguably, the most effective safeguard against cyber fraud is prevention. BECs and other types of fraud occur because there are vulnerabilities in IT systems and staff may not be sufficiently trained to identify scams. Bai-Marrow says that businesses should adopt a two-part approach.

“Strengthen your cyber defences and ensure you’ve invested in all the relevant online protection tools but also ensure the individuals in the key areas of your business who are most susceptible to being a victim of a scheme like this are effectively trained to recognise the warning signs,” she explains.

“Even with BECs, before they proceed with paying that money out, call the company up and just double check, have a process in place, and review your procedures when it comes to how your business pays out funds.

“For example, if a vendor you are using changes its details, have a process in place that that bank account must be verified. Processes can be tedious and boring but they are absolutely the right thing in order to protect your business. So, for example, if you notify us of a change of bank account, it will take us seven days to change that. In that time, we will verify that bank account with intended recipient through a variety of means to ensure authenticity.”

It’s also about training staff in important, albeit vulnerable, positions, she says. “Don’t just click on an email response and not check who the email is really from. There are things that companies can do to sensitise their staff, especially those in critical roles, to ensure they don’t inadvertently become facilitators of fraud.”

McGowan has written extensively about the growing sophistication in cyber crimes, including providing practical steps on how best to enhance security on business and personal accounts.

He argues that IT system improvement is a priority, not just as a deterrence against hackers but also to minimise the risk that regulators will potentially impose a fine on a business for failing to protect its clients’ confidentiality.

“You need to have a full structured IT assessment done, checking out all of your policies and procedures, including ISO 27001,” he argues.

“If you’ve got everything in place and you’ve got a good training regime in place, accidents will still happen because hackers are clever at what they do. However, if you do get hacked, GDPR comes in and the ISO won’t fine you because you’ve taken the necessary steps.”

With the move to remote working, McGowan also argues that businesses must tighten up their employees’ home security. One option is a firewall, which sits between the router and IT devices. It monitors all incoming and outgoing traffic and prevents any malicious activity.

“A lot of people probably don’t want to do that but they don’t understand that it is a good solution,” he says.

“You need some means of monitoring incoming and outgoing traffic. You need up to date security software to protect you. You need to be working possibly through a VPN [virtual private network] 100% of the time.”

McGowan also warns about the huge increase in the use of ‘deepfakes’, a type of identify fraud that leverages artificial intelligence to create convincing fake images, videos and voice recordings.

Although deepfakes are not a new threat, this type of fraud is becoming increasingly convincing and difficult to identify, he says.

McGowan admits that the chances of a fraudster using a deepfake to impersonate a CEO in a financial institution to extract funds is slim but there has been at least one case involving a less sophisticated approach.

“In October 2019, it was reported that a top executive in a UK-based energy company had been duped into transferring £200,000 to cyber fraudsters,” he says.

“The perpetrators used AI voice technology to mimic the executive’s boss, who was based at the German HQ. The executive was instructed to move the funds immediately to a Hungarian bank account and was told they would be returned later. They never were.”

In most fraud cases, it is rare for businesses to retrieve the stolen money. Often businesses will chalk up the loss and move on, says Bai-Marrow. This is because it’s more damaging to their reputations to come out publicly and declare the financial loss.

Fraudsters know this and may even be encouraged to hack into systems because they are confident they will not be pursued. What’s more, they recognise that speed of response is critical, so preventative steps are undoubtedly the best protection to minimise any financial losses and protect reputations.

One of the services that ESA Risk will be looking to offer clients in the future is a blockchain fraud software solution, says McGowan.

“This allows us to not just identify the chain of what might have happened, it allows us to get inside the details and that would allow us to advise the banks.”

Cases of fraud in the pandemic

Posted on August 4, 2021July 13, 2022 by Admin Admin

Cases of fraud reached a concerning high during the Covid-19 pandemic. Various types of fraud have been committed by false phone calls, email, text message or in-person visits. Healthcare fraud, in particular, has risen in light of the development of coronavirus vaccines, as individuals have attempted selling a false vaccine by impersonating NHS officials and going in-person to administrate it. Not only is this fraudulent but potentially endangers people’s health also, alongside the selling of fake Covid-19 tests, defective surgical masks and medical supplies.

Social media is another medium used to commit fraud, especially through clickbait and the sale of misbranded products. The national lockdown has meant more people are online shopping, which has opened the door to higher cases of retail fraud and false selling on Instagram and other websites. Action Fraud has reported that over 16,352 online shoppers have fallen victim to fraud since the pandemic started, alongside the vast amount of people that have been lured by fake online auctions and false online advertising of trading and investing schemes that are unwittingly promoted by celebrities on social media.

The changing restrictions on travel have also given way to instances of fraud that involve bogus refund offers and travel deals. Individuals have been stealing personal information and banking details through these scams, leaving many people seeking bank refunds and filing online reports to get their money back.

One example of a Covid-related scam was a text message claiming to offer government refunds as a response to the pandemic, reading ‘UKGOV: You are eligible for a Tax Refund as a result of the Covid-19 pandemic. Please fill out the following form so that we can process your refund.’

Further example cases of fraud in the pandemic include:

Criminals sending fake emails designed to look like they are from government departments offering grants of up to £7,500. The emails contain links which steal personal and financial information from victims.
Fraudsters sending scam emails which offer access to ‘Covid-19 relief funds’ encouraging victims to fill in a form with their personal information.
Criminals targeting people with official-looking emails offering a ‘council tax reduction’. These emails, which use government branding, contain links which lead to a fake government website which is used to access personal and financial information.
Fraudsters preying on benefit recipients, offering to help apply for Universal Credit, while taking some of the payment as an advance for their “services”.
Criminals sending phishing emails and links that impersonate the NHS Track and Trace system, claiming that the recipient has been in contact with someone diagnosed with Covid-19. These lead to fake websites that are used to steal personal and financial information or infect devices with malware.

How to avoid being targeted

Be mindful of the vendors you trust and buy from. Scammers are selling unapproved products that claim to treat or prevent Covid-19. Offers to purchase Covid-19 vaccination cards are scams, as these can only be obtained through legitimate providers. If a company or individual is asking for an image of your vaccination card for ‘proof’ of something, do not share it, as this is how they achieve identity fraud.

Be diligent on the phone. Official suppliers will not be calling around offering Covid tests or medical supplies. Furthermore, the government will not be offering payment schemes to move you to the front of the queue for a vaccine, or require personal information in order for you to receive the Covid-19 vaccine, so beware fraudulent phone calls in relation to this. Any caller that is asking for your personal information, medical history or banking details should not be trusted without due diligence checks.

Be wary of email hyperlinks or text messages from unknown senders related to Covid-19. Fraudsters may send false offers advertising Covid-19 testing but make sure that any appointments made are at an official testing site. Scammers might also pretend to be contact tracers; remember that legit tracers won’t ask for personal information.

Further steps to take to avoid Covid-19 related fraud

Only share personal health information with known medical professionals.
Be wary about work from home scams and ‘opportunities’ circulating on social media.
Don’t respond to robocalls that are selling medical supplies, or companies that are demanding advance payments.
Be mindful of fraudulent emails asking for donations to healthcare, or any unexpected communications that require you to enter your bank details and contribute money.
Be mindful that some ‘free’ healthcare offers will ask for your personal information and then use it for fraudulent purposes. Don’t give out personal details unless it is to a trusted source.
Hyperlinks related to healthcare services might be infected with malware or viruses that can infect or hack your computer. You can check links by using ‘Scan URL’ or using a secure browser such as Norton Safe Web.
Be aware of government imposter schemes and campaigns that are offering pandemic relief money or refunds.

Covid-19 vaccines are free, so any requirements to pay for one are a scam and should be avoided at all costs. There are fraudulent ‘vaccines’ going around via a text message that reads ‘we have identified that you are eligible to apply for your vaccine’ with a link to a fake NHS page which asks for bank details.

If you think you have been contacted by an unreliable party, run the ‘scam’ test:

‘S’- seems too good to be true

‘C’- contacted out of the blue

‘A’- asked for personal details

‘M’- money is requested

London to Paris Cycle Challenge in aid of Cancer Research UK

Posted on August 4, 2021January 17, 2022 by Admin Admin

Update from Mike (13^th September 2021)

After 435km of cycling over 4 days from London, Mark Hendrick, Chris Newell, Adrian Howells (all Quantuma) and I made it to the finish line in Paris on Saturday 11^th September.

A great experience, and we were spurred on the whole way by the generous donations to Cancer Research UK. I’m pleased to say we’ve raised more than £8,000 between us. Thank you to everyone who’s given their support.

If you’d like to donate via my Just Giving page, there’s still time.

The challenge

At ESA Risk, we get involved beyond the risk landscape. Mike Wright, Investigations and Risk Management Consultant, will be embarking on a cycling challenge from 8^th to 11^th September 2021 as part of a campaign to raise money for charity. The cycle will take place across an impressive 435km, from London to Paris. Mike has been training intensively for weeks, taking his bike for weekly trips across the North West’s countryside, in preparation for this challenge. He will be cycling alongside Mark Hendrick, Adrian Howells and Christopher Newell from Quantuma.

The challenge is in aid of Cancer Research UK, an ever-important cause, which all donations and proceeds from the fundraiser are going towards. Cancer Research UK is about making a difference to those who need it. Although the challenge will be both physically and mentally difficult, the fundraiser will enable the funding of treatments that could be life-changing for someone.

Find out more, including how to make a donation, on Mike’s Just Giving page.

Credits

Working from home and cyber threats: Keeping your company safe

Posted on August 4, 2021July 13, 2022 by Admin Admin

Most are using remote working on a much larger scale than ever before, meaning they have had to implement new rules and improvements in technology to ensure productivity, staff wellbeing and information security to ensure that working from home is safe from cyber threats.

There are many reasons data breaches are more likely to occur while working remotely. For instance, the lack of supervision can result in employee apathy. Remote workers are less aware about cyber security, using insecure Wi-Fi networks or personal laptops that may have malware or ransomware that can then infiltrate the company network. Working from home also introduces the issue of family members sharing the same PC, or employees adding home printers to the office network and using external USB drives on office computers. This consequently puts company data at risk of being leaked, unless there are the necessary technological safeguards put in place to prevent it.

Furthermore, cyber criminality is on the rise, with hackers taking every possible opportunity to steal company or personal information. The main methods used are fake warnings on social media and pop-up links on websites that urge users to click on them. Fraudulent emails containing similar malicious links are also used to spread viruses that can infect or damage your files, so it is important to be aware of what is on your screen and in your inbox.

Solutions

1. Education

Staff must be educated on the risks of viruses, phishing or cyber attacks. Whether they come in the form of online updates, scam emails or phishing links, workers should be trained to recognise suspicious activity and filter them out. It is important to note that sudden, emergent situations that require immediate action, such as being asked to update your bank details, are to be approached with caution and that workers should be mindful at all times. Ensure that security guidelines are clear, so that workers are briefed with the necessary knowledge to avoid cyber fraud. This might include paying attention to spelling and grammar mistakes in emails or noticing unsolicited attachments. Domain emails that are replicas of genuine business emails to appear credible, as well as URLs made to look like an already established URL, are also signifiers of fraudulent correspondence.

2. Passwords

Password control plays an important role in managing the potential risks of remote working. Using password screens with strong, two-factor authentication is recommended and employees should avoid writing passwords down, keeping them out of sight of other people. Password protection avoids third parties accessing confidential files, so companies should ensure maximum protection with passwords that are at least 12 characters and include uppercase and lowercase letters, numbers and symbols, as advised by The Federal Trade Commission.

3. VPN

A VPN (Virtual Private Network) enables a secure connection to another network, over the internet. It ensures protection of private information by routing traffic through the VPN server, encrypting the connection and hiding your IP address in the process. This provides anonymity from hackers, enabling safe and private browsing online. My recommendation is to invest in Firewalla – a cyber security firewall that alerts you to and protects you from cyber threats at home. It ensures that all your connected devices become part of a virtual protective network that you can see and manage from a control centre. It is also important to use protected browsers, such as Firefox or private browsing pages to avoid your data being monitored and collected by hackers.

4. Antivirus

Viruses are one of the biggest threats to businesses operating online. These arrive in the form of spyware, malware, zero-day attacks, trojans and phishing scams. Whether employees are using their own computer at home or company property, they must have installed antivirus software, from a reputable supplier such as Bitdefender, Kaspersky or Norton, ensuring it stays up to date. Antiviral software creates a firewall against viruses and alerts you when you are visiting sites that are potentially malicious. It conducts regular vulnerability scans and checks that filter out threats to your data while detecting any irregular activity. Antivirus is paramount in privacy protection, both for business and at home.

5. Shared storage

In case of attacks or breaches of company information, it is useful to keep centralised storage so that lost files can easily be recovered. Keeping data in shared storage with cloud-based backups lessens the likelihood of irrecoverable losses. The shared storage should have a firewall installed to protect all documents within it, with regular security measures taken to ensure that confidential data is safe. If a malicious third party finds a security hole in one of these cloud-based services, a lot of information is simultaneously at risk, so make sure to add extra security through encrypted cloud storage.