
Catch me if you can? The new face of banking fraud


Wednesday 19 October 2022


The (in)famous Frank 'Catch Me If You Can' Abagnale committed multiple frauds in the 1960s by forging cheques...such acts would not get him far today because banking systems have moved on.

And that has led fraudsters to change tack...

Some time ago, my firm took the decision to never send clients our bank details over the internet.

Instead, we send them by post or, more often, give them over the telephone. When we initially engage with a client, we set out in writing we will never send bank details to them by email. That initial letter contains our bank details, and we ask the client to confirm they agree to never send money to us other than using those details.

The reason we do this is to ensure our requests for payment are not intercepted and altered by a third party before reaching the client. So, while we email invoices, no bank details appear on them, and the clients know (because they have agreed at the beginning) only to use the details in the original letter. If this arrangement were not in place, a fraudster could intercept the invoice, change our bank details for his or her own and then pass it on to the client. The client - expecting the invoice - would receive it and may pay using the amended details, and so the money is diverted to the fraudster. Such offences are often called 'Authorised Push Payment' or APP frauds in the UK.

A cautionary tale...

There is an important decision from the Jersey Financial Ombudsman in respect of a fraud that happened in 2018.


Pictured: "Nowadays, cyber fraud has overtaken more traditional frauds."

In summary, a Jersey resident, Mr A, had agreed to buy his sister's house in Northern Ireland. The transaction was being dealt with by solicitors in NI. He was required to make payment of £180,805 to that firm. He did so by drawing a cheque from his bank account, but the cheque was returned by the bank because it was incorrectly written. Following this, Mr A went in person to the bank (the Ombudsman's decision in this instance requires anonymity) and explained he needed to make the payment. He showed the bank staff a message on his iPad showing the request for money and the bank account to which to transfer it. He explained the money was for solicitors in NI for a property transaction.

However, Mr A's emails had been 'hacked' by fraudsters. The account details were not for a firm of solicitors in NI, but instead an account at Barclays Bank in Milton Keynes which had been opened fraudulently to receive this payment. Mr A's bank arranged the transfer of money and, accordingly, it never got to the solicitors at all but instead went to the fraudsters, and Mr A lost all the money apart from £1,039.33, which was recovered.

Mr A made a complaint to the Ombudsman which initially was rejected. However, he then submitted further details which caused the Ombudsman to have "second thoughts". In particular, Mr A argued that his bank should have realised, by simple reference to the sort code, that the payment details presented were for a bank in Milton Keynes and not solicitors in NI.


Pictured: The case discussed "shows how insecure electronic communications can be."

While the Ombudsman gave consideration to this point, this was insufficient to make a finding that the bank compensate Mr A. The Ombudsman noted that while the bank may have noticed it was a payment to an account in Milton Keynes, a firm of solicitors could have such an account and that was not enough to ring fraud alarm bells. However, the Ombudsman went on to ask, "should [the bank], as the professional financial services provider, have recommended to [Mr A] – bearing in mind the purpose, high value, and the known risks inherent in relying on payment details received by email – that he check the payment details he had received with his solicitors before the payment was made?" The Ombudsman concluded that Mr A had sought the bank's assistance with the transaction from the start. This meant the bank had the opportunity to identify the risks of relying on payment details received by email and recommend to him he check the payment details. He went on to say:

• The bank was under a regulatory obligation to act in the interests of customers, to have in place appropriate training for its employees, and to have procedures in place to manage the risk of external fraud.

• The bank, as part of a large banking group, had access to – and, as a result, the opportunity to have had a clear understanding of – broader and ongoing developments in relation to APP fraud.

• This particular type of APP fraud was known about by the financial services industry.

• The bank was aware of the possibility that email accounts can be compromised – and, by extension, the risks of making large and/or unusual interbank payments just on the basis of an email instruction.

The bank had denied responsibility to Mr A arguing, amongst other things,

"there was nothing to have indicated to [the bank] that information on [Mr A's] iPad was anything other than genuine payment details..."

And that the bank had,

"not acted wrongly or contrary to its overarching regulatory obligations...."

The bank also said the Ombudsman should not apply UK regulation to Jersey banks and that to do so would be unfair to them and would expose them to "significant imbalanced risk".

These arguments were dismissed by the Ombudsman. In respect of the first argument, the Ombudsman found the bank should have been aware of the risks of APP fraud because, at the time of these events, the bank would not accept email instructions from customers and, in fact, the bank's own email footers noted that email communications were not secure and therefore instructions should not be sent by email. As a result, the Ombudsman imposed the maximum penalty on the bank of £150,000 but recommended it also pay to Mr A any shortfall and interest on top.

This case shows how insecure electronic communications can be. While an unexpected demand for payment would cause most people to raise questions, when a person is expecting to make a payment or receive a request for payment, they may be more ready to take the communication on face value rather than stop and think.


This article first appeared in Connect Magazine.
