Cybercrime post COVID-19: Authorised push payment fraud in the world of investments
By Wian Steyn, Senior Associate, and Rui Lopes, Associate, Dispute Resolution, Baker McKenzie
COVID-19 has led to an immense increase in online business dealings and transactions, catapulting the world head-first into the Fourth Industrial Revolution.
This rapid migration into the world of virtual dealmaking, however, has also caused a steady rise in instances of cybercrime, with criminals using techniques such as authorised push payment fraud (APP fraud) to steal large sums of money from unsuspecting individuals and entities, including investors.
In many instances, the origin of APP fraud, as it pertains to investments, involves the perpetrator gathering information through the hacking of an investor's email account. This enables the perpetrator to obtain a better understanding of their victim's relationship with their investment manager, the nature and extent of their investments (including access statements and reports) as well as past instructions and withdrawals (including frequency, patterns, method of instruction and writing style).
Once this information has been obtained, the perpetrator then falsely portrays themselves as their victim, instructing the investment manager to cause the victim's investments to be released and directing that the funds be paid into a bank account designated by the perpetrator, which often has an account name resembling that of the victim. This practice usually occurs through the perpetrator carefully constructing email instructions that largely mimic those previously sent by their victim.
In order to give effect to this, the perpetrator may create a new email account with an address which is as close as possible to that of their victim's, making it difficult for the investment manager to detect the fraudulent email address. Alternatively, the perpetrator may send emails from the victim's email account, and then delete or carefully hide such emails, with any future email correspondence from the investment manager being intercepted and/or redirected.
South Africa's anti-money laundering legislation, the Financial Intelligence Centre Act, 38 of 2001, requires accountable institutions, such as banks, to ensure that proper documentation is provided by a party prior to opening a bank account, which, in theory, ought to prevent a party from being able to open a bank account in another party's name. This is, however, not always the case. Further, if a perpetrator is not able to open a bank account in their victim's name, they often overcome this hurdle by simply manipulating bank account confirmation letters to reflect the investor’s name, whereas the bank account in question actually belongs to them or an accomplice.
Typically, once the funds have been deposited into the perpetrator's specified bank account, the funds are swiftly withdrawn or dispersed across multiple (often foreign) accounts, with the perpetrator laundering the funds over time. This means that the prevention of APP fraud is crucial, as the tracing and recovery of stolen funds is in many instances not possible. However, as instances of APP fraud commonly occur only once and over a very short period of time, identifying and preventing it from happening can be extremely difficult.
This clearly creates a large amount of potential liability for an investment manager who falls victim to such instances of APP fraud, and inadvertently causes their client's funds to be released to a third party. Investment managers are required to comply with the provisions of, inter alia, the Financial Advisory and Intermediary Services Act, 37 of 2002, which imposes various obligations and duties on them with regard to their clients. Arguably, these obligations are considered to be implied terms in investment management mandates entered into between the client and the investment manager.
These obligations and duties include, but are not limited to:
(i) being required to act honestly and fairly, and with due skill, care and diligence, in the interests of their clients and the integrity of the financial services industry;
(ii) having, and effectively employing at all times, resources, procedures and appropriate technological systems that reduce (and eliminate as far as possible) the risks of falling victim to cybercrime such as APP fraud; and
(iii) providing their employees with frequent and up-to-date training, which would allow such employees to effectively identify fraudulent instructions and apply the appropriate security checks, prior to causing the release of any funds.
In turn, these obligations require investment managers to, inter alia:
(i) stay up to date with the most recent trends in cybercrime;
(ii) always be on the lookout for unusual behaviour that is not in line with past practices of their clients;
(iii) consider each payment instruction carefully, scrutinising the bank account details, wording used and identifying any irregularities. Commonly, APP fraud instructions are riddled with grammatical and punctuation errors, and contain inconsistencies in style and font throughout the email;
(iv) undertake an additional authentication step (i.e. a two-step verification protocol) via a medium other than email, to ensure that an ostensible instruction from their client is in fact from their client, prior to causing any payments to be made; and
(v) undertake verification steps, once the payment has been made, via a medium other than email, to ensure that the payment was executed in accordance with their client's instructions, and ensure that no further payments are made until such a verification has been conducted.
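As an illustration of the checks in (ii) and (iii) and of the near-identical sender addresses described earlier, the following added example (not part of the original article) screens an emailed payment instruction against a client's details on file. The client record, addresses, account numbers, flag names and similarity threshold are all constructed assumptions, and the sender is assumed to be a bare address already extracted from the message.

```python
import difflib
import unicodedata

# Constructed client record: details taken from past, verified instructions.
CLIENT = {"emails": {"j.smith@example.com"}, "accounts": {"62000000001"}}

def skeleton(addr):
    """Fold case and accents and undo common character swaps (0/o, 1/l, 3/e, rn/m)."""
    addr = unicodedata.normalize("NFKD", addr.strip().lower())
    addr = "".join(c for c in addr if not unicodedata.combining(c))
    return addr.translate(str.maketrans("013", "ole")).replace("rn", "m")

def classify_sender(sender, known_emails, threshold=0.9):
    """Return 'known', 'lookalike' or 'unknown' for a sender address."""
    sender = sender.strip().lower()
    if sender in known_emails:
        return "known"
    local = sender.split("@", 1)[0]
    for known in known_emails:
        if local == known.split("@", 1)[0]:
            return "lookalike"  # same mailbox name at a different domain
        ratio = difflib.SequenceMatcher(None, skeleton(sender), skeleton(known)).ratio()
        if ratio >= threshold:
            return "lookalike"  # differs from the address on file by a character or two
    return "unknown"

def screen_instruction(sender, beneficiary_account, client):
    """List the ways an emailed payment instruction departs from past practice."""
    flags = []
    verdict = classify_sender(sender, client["emails"])
    if verdict != "known":
        flags.append("sender-" + verdict)
    if beneficiary_account not in client["accounts"]:
        flags.append("new-beneficiary-account")
    # An empty list is not a release decision: an instruction sent from the
    # client's own compromised mailbox passes the sender check, so the
    # verification on a medium other than email still applies.
    return flags
```
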
It is important that investment managers comply with these obligations, as failure to do so could, among other things, result in liability for the losses suffered by their clients as a result.
Similarly, investors should ensure that they implement measures that safeguard their investments, including changing their email account passwords regularly, having a two-step verification protocol in place for accessing their email account(s), requesting regular statements from their investment managers and ensuring that their investment managers follow due process when provided with any instructions.
Where investors and/or investment managers suspect they have been victims of APP fraud, a quick reaction is vital to ensuring the best chance of recovering the stolen funds. Accordingly, investors and/or investment managers should immediately:
(i) inform all banks involved telephonically that the transactions are fraudulent, as their email systems may have been compromised, and request the funds to be paid back should the funds still be available in the designated account, alternatively for the account to be frozen until further notice;
(ii) confirm whether any other payments have been compromised;
(iii) open a criminal case; and
(iv) seek legal advice on the next steps available to trace, preserve and recover the stolen funds, which includes freezing the bank account if necessary.
Further, investors should immediately:
(i) change their email account passwords and possibly deactivate their account or cease using the compromised email account; and
(ii) request that their internet service provider places a litigation hold on the compromised mailbox and provides log-in and activity logs for the relevant period, to assist with any investigation.
The key to effectively dealing with APP fraud is a speedy response and ensuring that the right course of action is taken. The failure to do so could result in victims not being able to recover their funds and having to resort to costly and time-consuming litigation against their investment managers and, in some instances, the banks.