When most people think about “cyber-incidents”, they picture the media reports of ransomware. In fact, an equally common but perhaps less newsworthy attack is “payment diversion fraud”, otherwise known as authorized push payment (APP) fraud. This occurs when criminals, including hackers, use email to deceive the victim into transferring money to a third party instead of the intended recipient.
Often APP fraud involves two victims: the person or entity who holds the funds and will transfer them, and another person or entity who receives the money under false pretenses and then transfers it again. For example, an employee at Bank ABC receives an email from a client requesting a funds transfer from the client's own account and providing wire details. The employee, believing they are acting on good authority, effects the transfer and the funds are deposited into an account.
At the same time, the fraudster is also posing as a customer of XYZ Co. and places an order. They receive an invoice and purport to pay it, but subsequently alert XYZ Co. that they have transferred too much money in error and ask that the excess be transferred back to their account. XYZ Co. checks the company account, sees the funds are there as the customer described and transfers the money, believing they are returning an overpayment. Once this process is complete, the fraudster has succeeded in stealing money from Bank ABC’s client, filtering it through XYZ Co.’s account and moving it into an account that is likely outside the country.
Mitigating against the risk of APP fraud is possible and, generally speaking, involves two things:
- Employee training to ensure that staff double-check email addresses that appear to be from clients or supervisors providing instructions, and consider whether the text of the email raises suspicion because of its grammar, spelling or tone; and
- Using “double authentication”: calling to confirm the direction when an email or email address looks suspicious.
More technology-based systemic safeguards can include spam filters and warnings on emails received from external sources.
Despite these strategies, which many businesses have already employed, APP fraud still occurs. In part, this is because not all fraudsters use the simpler method of creating fake email addresses that look similar enough that a casual glance would seem to confirm the source. (Think firstname.lastname@example.org vs email@example.com). With increasing frequency, hackers are selecting high-value targets and using cyber-based techniques to uncover passwords and gain access to the email accounts of individuals with the authority to effect the transfer of funds in an amount that makes the endeavour worthwhile. This constitutes so-called “whaling”, named for the relative ‘size’ of the target and the amount of effort that goes into the operation as opposed to ordinary phishing.
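A technology-based safeguard of the kind mentioned above, as an added example that is not from the original article: a small Python check that classifies an inbound From: header as trusted, look-alike or external against a contact list, catching both a known person's name on an unfamiliar address and near-miss spellings of a known address. The contact names, domains and the confusable-character table are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed trusted-contact list: hypothetical names and domains, not from the article.
TRUSTED_CONTACTS = {
    "Jane Doe": "jane.doe@acme-bank.example",
    "Sam Lee": "sam.lee@xyz-co.example",
}

# Character sequences that read alike at a casual glance (assumed, illustrative subset).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def skeleton(addr: str) -> str:
    """Collapse visually similar spellings of an address into one canonical form."""
    s = unicodedata.normalize("NFKC", addr).lower().strip()
    for look_alike, real in CONFUSABLES:
        s = s.replace(look_alike, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a raw From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower().strip()
    if "@" not in addr:
        return "external"  # unparseable sender; treat as untrusted
    if addr in TRUSTED_CONTACTS.values():
        return "trusted"
    # A known person's display name on an unknown address is the classic impostor pattern.
    if display.strip().lower() in {name.lower() for name in TRUSTED_CONTACTS}:
        return "lookalike"
    # Near-miss spellings of a trusted address: confusable characters or a couple of edits.
    for trusted in TRUSTED_CONTACTS.values():
        if skeleton(addr) == skeleton(trusted) or edit_distance(addr, trusted) <= 2:
            return "lookalike"
    return "external"
```

A mail gateway or client add-in can use the "lookalike" result to attach the external-sender warning the article describes, or to require the call-back confirmation before any payment instruction is acted on.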
Unfortunately, human error cannot be entirely prevented, APP fraud can still happen, and potentially large (or very large) sums of money can be lost when it does. The question is, what to do?
- First, act fast. Encourage employees, including or especially senior management, as they are more likely to be targeted, to come clean as quickly as possible, since time is literally money.
- As soon as possible, contact your bank, report the fraudulent transfer and ask for it to be reversed. If this cannot be done, and it rarely can, ask your bank’s fraud department to get in touch with the receiving bank’s fraud department as quickly as possible to try to freeze the receiving account.
- If you can, simultaneously report the incident to your local police service’s financial crimes unit and provide them with the receiving account information. The police can then contact the bank, have the account frozen, and begin to investigate the crime.
The most important response to APP fraud is to immediately take steps to prevent the money from being dispersed from the receiving account. Once that occurs, the chances of having the funds returned are significantly lowered.
Obviously, the primary concern is going to be getting the money back. This is not done through the police investigation but can be done with the assistance of a lawyer and a court application. In this respect, it is important to have counsel who is experienced in the types of applications that can be required for retrieving funds lost due to APP fraud and who understands the cyber-elements. Such counsel will communicate with the bank and any other interested parties (for example, XYZ Co. in the case study above). If necessary, they will assemble the required evidence and present it to the court in an efficient manner to quickly obtain an order that provides for the return of whatever funds are left in the account.
Cyber-crimes, financial fraud, business email compromise and authorized push payment fraud can result in significant losses to a company or organization. However, the assistance of experienced counsel can help in determining whether the funds are retrievable and, ultimately, in getting some or all of them back.