Cyber criminals are indiscriminate, with any business fair game – from football clubs to charities – as Police Scotland reminded us this week in revealing that in the last year Scottish businesses had suffered losses of £7 million in cyber scams.
Victims included Hamilton Accies FC, which unwittingly transferred close to £1m to criminals posing as the Royal Bank of Scotland’s fraud team, Hearts FC, which lost £80,000, and a despicable case where the Highland Hospice in Inverness was duped out of £500,000.
In UK terms, financial fraud costs the economy an estimated £193 billion a year, 74 per cent or £144bn of which is in the private sector, according to a 2016 report by the University of Portsmouth.
Quickly identifying a cyber breach and reporting it to Police Scotland or Action Fraud, the UK’s national fraud and cyber crime reporting centre, is vital, but all too often businesses are slow to respond, and perhaps also unaware of a range of civil actions and interventions that can be taken to minimise losses and to prevent further incidents.
The swift deployment of civil remedies can assist in quickly tracing stolen funds, lessen the risk of dissipation and improve the chances of tracing the fraudster. For example, court orders can be obtained to freeze a fraudster’s assets that may be held in bank accounts.
In addition to financial loss, a cyber fraud attack can expose businesses to non-criminal liabilities. Customers who suffer disruption to their business or financial loss may be inclined to pursue claims, for example, in negligence (for failure to prevent the attack), or breach of contract. There may also be a duty on businesses to report to the Information Commissioner’s Office (ICO), particularly in light of the General Data Protection Regulation, effective from May, which gives extended powers to the ICO.
Authorised Push Payment (APP) scams, where individuals or businesses make an electronic payment in good faith but the monies are diverted into a fraudster’s account, are a massive issue, and Pinsent Masons has been at the forefront of helping to combat this, recently submitting a consultation paper to the Payment Systems Regulator.
Part of the consultation covers the introduction of a compensation method for APP victims, but debate is ongoing on whether banks should shoulder all of the financial burden. It may be the case that the financial services industry needs to consider some type of insurance scheme – similar to the Royal Mail model for posting valuable goods – to mitigate the alarming growth in APP fraud.
Pinsent Masons’ Civil Fraud and Asset Recovery Team regularly advises clients who have fallen victim to APP scams, invoice hijacking and other cybercrimes. In our experience, before our clients consult with us they will have either reported the crime to Action Fraud or the police, but often have heard nothing in response other than an email acknowledging the client’s report.
Law enforcement normally fails to adequately engage with the victim. This is usually because they are overwhelmed with the number of reports and have inadequate resources. Unfortunately, the current trajectory suggests that law enforcement will never be able to cope with the number of reports they receive and this is not aided by continual government cutbacks in funding.
In view of a growing epidemic in cyber-related incidents, UK businesses must improve their ability to deal with cyber fraud attacks, and prevention is vital in mitigating the risks.
However, when the worst happens, firms should defer to a pre-prepared agreed response plan, which should include engaging legal advisors as soon as possible to advise on the potential liabilities – as well as the options available to them to recover monies.
Jennifer Craven, lawyer and civil fraud and asset recovery expert at Pinsent Masons