Act fast to recover assets after cyber fraud

Targeted scams that cause organizations to redirect payments is resulting in billions of dollars in losses each year, and often recovery of those lost assets is very difficult. In April 2019, for example, a church in Ohio was scammed out of $1.75 million after it came to light that it had been paying construction fees into a fraudulent account. In the UK, a Glaswegian law firm is suing one of its own employees after she paid almost £200,000 [$250,000] to scammers under instruction by someone pretending to be the firm’s managing director.

Often a far cry from the 419 scams of old, scamming groups such as London Blue have become increasingly adept at infiltrating and hijacking payment processes. They conduct reconnaissance on CFOs and other financial roles and send highly targeted phishing emails, before impersonating senior business leaders and demanding payments are made.

According to the FBI’s latest IC3 report, financial losses due to scams such as business email compromise (BEC), extortion, tech support fraud and payroll diversion  totaled more than $2.7 billion across the 350,000 complaints it received in 2018. Given that many cybercrimes go unreported, the true figure is likely much higher.

In the UK, a Proofpoint report suggested that over three-quarters of companies had suffered at least one BEC attack in the last year, with just under 40% being targeted multiple times. Data from Lloyd’s Bank and Get Safe Online found that one in five companies hit by a successful BEC attack has had to make redundancies because of the financial impact.

However, it is sometimes possible to recover lost assets in such situations. The IC3 report also says that the FBI’s Recovery Asset Team (RAT) – set up to help recovery of money sent under false pretenses such as BEC attacks – helped recover $192 million of the $257 million that was lost to domestic accounts across 1,000 incidents in 2018, including a town in New Jersey that was able to recover the entirety of $1 million that was lost through a BEC scam.

To recover assets, think fast, move fast

While tracing lost data that has been exfiltrated by remote attacks can be incredibly difficult, if not impossible in some cases, there is always an initial trail of breadcrumbs to follow if money has been taken. “You don’t know who the fraudster is,” says Steven Richards, partner in the Dispute Resolution group at UK legal firm Foot Anstey, “but what you will know, first and foremost, is where the money went to in that first instance. You would have had to pay it to a certain bank, and you would have had the account details. You know where the money’s gone and you can always follow the money through the banking system.”

After realizing a fraud, Richards says, companies should go to that bank (usually through the business’s legal counsel) and notify them that you have been the victim of fraud and request that the bank immediately shuts down or suspends that account. This may trap some or all the money that was taken if the request is made quickly enough.

Once the suspect accounts have been frozen, you can then get a court order requiring the bank to give you details of the account’s statements to tell you owns it and where the money has gone, and then request it is returned.

While different countries or trading areas – such as the UK and European Union – will often have reciprocal agreements when it comes to legal enforcement on court orders, tracking and recovering assets is much easier domestically. Money being transferred abroad will likely require the input of legal counsel in that territory.

“The reality is that most external cybercrime is perpetrated from outside the UK, and it becomes exponentially more complicated, difficult and costly if it goes abroad. Unless you act quickly and are lucky, you can kiss goodbye to your money generally,” says Richards.

Organized groups running such compromise attacks will be keen to avoid triggering banks’ internal alerts around fraud or money laundering, so will rarely withdraw large amounts in one payment. They are more likely to spread money around in smaller amounts to multiple mule accounts. This makes tracking and recouping harder, so acting with urgency is key during such situations.

Richards explains he had one case where a company only came to the firm six days after it had lost £300,000. The bank was contacted, and the fraudulent account was suspended, but the bank admitted that had the same process been done three days earlier, 90% of the money would have been saved.

“If you get there quick enough, you can try and cut that off and close the account down, but it’s a matter of days, if not hours, to deal with this,” says Richards. “Every day and every hour lost increases the chance that you’ll get your court order, but there’ll be no money in the pot.”

Recovering assets from insiders

When it comes to recovering assets from insiders – whether data or money – things can be simpler, as you know who the suspect is and can take more direct action. “If someone’s stolen money or data, criminal action ordinarily would be instigated and run by the police, and that may result in that person going to prison; The police will take it through the criminal justice system and someone may get imprisoned or fined, and then compensation orders made in the process,” says Richards.

“But it’s out of your control, you have no control over that process, and it might not necessarily result in you, the victim, getting your data or money back,” he adds. In the UK, for example, of the £144 million collected by law enforcement in 2018, $30 million was paid in compensation to victims (although these figures include all types of crimes).

“If you’re trying to get money or data back, it’s much better to take civil action than criminal action,” says Richards. “There are lots of great remedies in civil courts for trying to get your money back or your asset back.”

These include:

• Search and seizure orders to enter and seize computers that could house stolen information
• Computer imaging orders to copy the images of seized devices
• Disclosure orders requiring the individual to hand over documents
• Passport delivery orders to prevent people going abroad whilst during such processes
• Gagging orders preventing them talking to other parties about the information they’re alleged to have taken.

Richards recalls a time he helped an investment management company recover a trading algorithm from an employee. “We acted for a very large, very successful hedge fund investment manager which bought and sold shares for clients using an algorithm. At the heart of it this is a very, very sensitive, expensive and valuable bit of software, it was the crown jewels of the business,” he says. “It was continually being tinkered with and updated by a team, and one of the employees emailed the code to himself and was then looking for job with one of their competitors.”

Luckily for the company, this employee was suspended for other reasons relating to behavior, and when they looked over his records, found that he had been accessing the code and at the same time emailing large amounts of data to personal Gmail and Hotmail accounts. While the contents of the emails were encrypted, the company was worried enough to take action.

Without telling the employee, the company took out injunctions against the employee. “We were able to get all his computer equipment and passwords to Gmail and Hotmail accounts. He encrypted everything and denied he had taken it. We had images of all his computers, but we weren’t able to access the underlying data,” says Richards. “We then engaged forensic specialists try and get behind that, but he cracked anyway. We ended up finding that he had taken the information and were able to take strong steps to make sure that every conceivable copy that he had of this data was deleted, and that it’s very difficult for him to pass it on to anyone else.”

One of these steps included writing to the individual’s new employers, warning that if the company  comes into possession of that confidential information, it too will be in breach of the relevant court orders and liable to be fined.

Preparation is key for any recovery

Having detailed incident response and disaster recovery plans in place can help speed recovery. “Make sure that your business has a response plan in place now for that eventuality,” advises Richards. “A lot of businesses take too long to work out that a fraud has been committed, and then work out what their response is before any action actually is taken and the right people are contacted. Have an action plan in place so you know who to call and what to do on day one.”

Insurance should also be something companies should look at as an option. “Quite often, your insurance may cover a loss, which is often the easiest way out of all this. Your insurance pays up and then they will try and pursue it,” says Richards.

Beyond that, being proactive can be the best way to deal with data theft. User education and ensuring awareness around fraud and suspicious behavior should be embedded into the  business’s culture. “Most frauds we see come about because of some form of human error. Make sure you’ve got your own house in order, and you’re doing what you can to shut out the fraudster in the first place.”