Cyber fraud risk and recovery during covid-19

Cyber fraud risk and recovery during covid-19 | China Business Law Journal

With the slowdown in economic activity globally due to covid-19, the number of cyber fraud cases from around the world has surged. The Hong Kong Police, as well as Action Fraud (the UK’s national fraud and cybercrime reporting centre), and the Australian Cyber Security Centre have all recorded a significant increase in covid-19-related incidents reported since the outbreak of the crisis.

From supply scams related to bulk purchases of personal protective equipment to business email hacking incidents targeted at companies across sectors most susceptible to supply chain disruption – fraudsters have demonstrated a high level of technical and economic sophistication as they exploit the fear and uncertainty created by the pandemic. These frauds can be significant, leading to losses of tens of millions of dollars.

Cyber fraud is a high-volume and fast-changing global phenomenon. Our team has handled well over 100 cyber fraud incidents in Hong Kong and China. This article focuses on the latest risks arising from the current situation, and how you can recover your money and manage the impact of cyber fraud.

Common cyber frauds

Some of the schemes being perpetrated include:

CEO fraud. In this scenario, individuals (often in the finance team) are pressured or misled by email imposters (often coupled with telephone contact) into transferring significant sums of money to fund typically “highly confidential” or “secret” transactions that are said to necessitate bypassing regular internal controls.

Supplier fraud or change of bank fraud. A supplier’s emails have been hacked or spoofed, misleading the victim to change payment instructions and pay actual invoices to the fraudster. Similarly, this may also apply to banks and financial institutions that accept fraudulent email instructions from a customer.

Direct theft via hacking into sophisticated systems. Typically here, the fraudster hacks into a financial institution’s system and issues fraudulent SWIFT instructions under the guise of an existing bank customer, to transfer huge sums of money to overseas accounts. This may only be discovered by the bank the next day during its daily reconciliation exercise.

The initial breach that exposed the victim corporation or bank to these scenarios may have come from a malware-embedded link or phishing email attachment that an employee inadvertently clicked into or downloaded.

New risks

Beware of a variety of new scenarios arising out of the covid-19 outbreak, such as:

Fake vendors. These schemes relate to non-delivery of bulk purchases of personal protective products such as sanitizer gels and face masks, in which millions of dollars have been paid to the fraudsters.

Fraudulent charities. Using phishing emails that mimic non-government health agencies soliciting donations to help fight covid-19.

False government tax refunds. These schemes use phishing emails containing information relating to false tax rebate initiatives by governments, designed to trick individuals into clicking onto a malware embedded link (dressed up as a link that can access rebate funds) and providing personal financial and tax-related information to the fraudsters.

Other “click here” scams. Many phishing scams are designed to extract valuable information from victims, which can then be misused for financial gain or otherwise. A common tactic in these schemes is luring individuals to click on a link or document to access relevant and topical information regarding cures/vaccines/protective measures and precautions/industry disruptions, from what appear to be trustworthy sources such as NGOs, medical or industry experts. Once clicked, malware that gives the fraudster easy access to information stored on the victim’s computer will be automatically downloaded.

Companies also need to stay vigilant and be aware of potential phishing scams relating to the latest release of multibillion-dollar economic relief packages by governments.

The following practical tips may help minimize risk or maximize the prospect of recovery in the unfortunate event of a cyber fraud incident:

  • React quickly. This is vital to maximizing the chances of recovery: (1) inform your bank; ask it to reverse the transaction and notify the recipient bank to return/freeze the funds; (2) file a police report; and (c) contact a qualified law firm that can follow through with the necessary steps including court action to recover the proceeds.
  • Staff training and IT system enhancement. These are fast-changing risks. Roll out internal training on the risks involved in cyber fraud, and enhance IT systems to safeguard against the latest threats. Prepare protocols to follow in the event of a suspected fraud to help minimize the loss for the company. Test the efficiency of cybersecurity measures with mock phishing tests and baseline risk assessments.
  • Contracts and insurance policies. Factor in these risks when negotiating contracts and considering the suitability of insurance policies. For example, if a vendor is hacked, who bears the loss?
  • Consider regulatory obligations. Apart from financial loss, other major implications of cyber fraud are the potential loss of valuable and important data, and unwarranted attention from regulators. Companies should keep front of mind the range of regulatory obligations to which they are subject, such as those imposed by privacy, securities, monetary and other authorities.

The covid-19 crisis is changing the way we work. In an already technology-driven world, these unprecedented times are amplifying the risks posed by cyber fraud. Fraudsters are eager to capitalize on fallibilities and on flaws in IT systems. Fraud may be detected less swiftly as people work remotely. It is imperative that companies are well prepared to manage the impact of cyber fraud.

Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at