In the wake of the pandemic, we have all realised that digitalisation is here to stay, and adapting to it is a necessity for companies if they do not want to be left behind. However, in spite of the many advantages offered by digitalisation, there is a downside: the risk of cyber-attacks, which have proliferated in recent years, both on individuals and companies.
The purpose of this article is to study cyber-attacks on companies and the options available to those that have suffered them to recover their money. These cyber-attacks on companies usually take the form of what is known as « CEO fraud », « Man in the middle » or « Invoice fraud ».
What is the modus operandi in the so-called « CEO fraud », « Man in the middle » or « invoice scam »?
The Technological Crime Unit of the Guardia Civil in Murcia explains what this fraud consists of and does so in the following terms:
« The modus operandi starts with social engineering targeting businesses, which occurs when the fraudster impersonates a supplier in order to divert the collection of invoices to other account numbers that the cybercriminal controls.
Fraudsters hack into company servers or employee email accounts to obtain related messages between the company and its suppliers, including outstanding payment details.
If only the customer/supplier relationship is known to the offender, the offender sends an email with a forged certificate of the current account of a bank with a new account number and the indication in the mail that payments are to be made to this account number in the future.
However, it can also happen that the cybercriminal has gained access to the servers with a virus and intervenes in the mails between the sender and receiver and, by impersonating the supplier, intercepting the invoices. To this end, he/she inserts certain message forwarding rules in the server, in which it appears that all messages containing words such as « invoice », « budget », « proposal » …. must be sent to an e-mail address.
In this way, he/she receives the invoices that the supplier sends to the client, modifies them with image management programs and inserts a new IBAN to which the invoice is to be paid. From there, he/she creates a new e-mail containing the supplier’s name and from there a server that does not guarantee the user’s identity, thus giving the appearance of legitimacy, but it is an e-mail specifically created to defraud.
With this e-mail, the cybercriminal contacts the company, impersonating the supplier, and sends the modified invoice. The payment method of the invoice already contains the fraudulent bank account number, to which the payment department of the defrauded company will transfer the money”.
What should a company that has been the victim of a cyber-attack and has made a fraudulent transfer do?
First of all, a company that has been the victim of a cyber-attack and has made a fraudulent transfer should immediately inform its bank in order to try to stop the transfer and recover the funds.
The next step, which must be taken almost simultaneously, is to report the incident to the security forces: Guardia Civil or National Police.
This report will lead to the opening of a police report to investigate the facts, for which the police will request the bank where the funds have been received to inform on the identity of the account holder and block the funds in the bank account. Normally, the account holder will be arrested, interrogated and brought before a court for the opening of a Preliminary Investigation in a Criminal Court of Instruction.
If the company has not been able to recover the funds, it will have to take criminal proceedings against the alleged fraudster.
Sadly, experience shows us that normally the account holder is usually what is called « a mule », i.e. a person who lends his/her identity to launder the funds, receiving them in his/her account and then transferring them to the accounts indicated by the hacker, which are usually located in other countries, making it very difficult to recover the funds from the account holder, despite obtaining a sentence where he is sentenced to do so.
This makes it necessary to consider the following action for the company that has suffered the consequences of the hacking: a study of the possible liabilities of the banking entity, both in criminal and civil proceedings.
Indeed, banks can be held liable in cases of fraudulent transfers when their conduct has been negligent. This liability of the bank may be:
- Contractual: that of the bank of the company that carried out the transfer and with which it has a payment services contract, and which will occur when the transfer was made by an unauthorised person, exceeded the agreed limits or without the use of the corresponding double authentication systems.
- Extracontractual: that of the bank where the transfer was received and with which the originator of the transfer has no relationship, but which may also be held liable if it has acted negligently and failed to comply with the regulations governing Payment Services and/or the regulations on the Prevention of Money Laundering.
What is the non-contractual liability of the bank where the transfer was received?
This liability is based on the basic premise that, as the Supreme Court has pointed out (STS of 15 July 1988), « the diligence required of a banking institution is not the diligence of a good family man, but that of an « expert merchant » who advises « great tact », « extreme care » when carrying out the client’s orders and that « at this point there is an objective criterion to be taken into account when delimiting liability, which is none other than the correct instructions given by the client ».
And the STS of 20 May 1988 adds… « The bank, as a mandatary, must carry out the customer’s instructions, with their credits and debits ».
In other words, the bank is obliged to follow the instructions and orders of its customer, and these customer instructions are those given in the transfer order, in which, in accordance with European Union Regulation 260/2012, there are a series of mandatory fields, including the name of the originator and the IBAN of the debit account, the amount of the transfer, the IBAN of the destination account and the name of the beneficiary.
Therefore, when a bank pays a credit transfer without verifying that the account holder matches the beneficiary mentioned in the transfer order received, it is not acting diligently. Consequently, it can be held liable towards the injured parties, and must reimburse them for the loss of money suffered. This has been declared in judgments of the Provincial Courts of Valencia, Madrid and Cordoba.
Although it is true that other Provincial Courts, such as those of Zaragoza or Toledo, take a different view and consider that, under Article 59 of Royal Decree Law 19/2018 on Payment Services, the receiving bank complies with its legal obligation and, therefore, should not be held liable, if it pays the transfer taking into account only the unique identifier (IBAN), included in the transfer order, even if the beneficiary does not match.
At Imont Legal Services we understand that this second interpretation is contrary to the special diligence that should be demanded of banking institutions, which are a fundamental part of preventing fraud, and to the spirit of the Law, which is none other than the effective protection of users of payment services. We therefore trust that in the not too distant future there will be a pronouncement from the Supreme Court in this regard. In the meantime, we will continue to defend the companies and individuals who have suffered these attacks against the banks before the courts and provincial courts throughout the country.
It is not in vain that banking institutions are an obliged subject in terms of Money Laundering Prevention and, both the Money Laundering Prevention Law and the Regulation that develops it, establish a series of due diligence measures that all financial institutions must apply, among which we find:
- Identification of customers and verification of the documentation and data provided by them.
- Identification of the beneficial owner when the customer is a company.
- Knowledge and verification of the professional or business activity in which customers are engaged.
- Continuous monitoring of the business relationship in order to detect, for example, unusual transactions due to their amount or sector of activity.
We recall that money laundering consists of a process or set of operations by means of which the goods or money resulting from criminal activities, concealing their origin, are integrated into the economic and financial system.
Given the special relevance of banking institutions in the prevention of this type of fraud, when the banking institution, from which the money from the cyber-attack was transferred or paid, has not complied with the due diligence measures in this area, it may be considered to be vicariously liable and, therefore, ordered to compensate the injured party for the economic loss suffered. This is the ruling of the Supreme Court in Judgment 279/201 dated 9 April 2012.
If you are an entrepreneur and have been a victim of « CEO fraud », « Man in the middle » or « Invoice fraud », please contact our firm. Our specialised prosecutors will offer you the relevant help and advice to resolve your case favourably.