Hong Kong: Email Fraud and the Con Game in Business

This is an Insight article, written by a selected partner as part of GIR's co-published content.

In summary

In Hong Kong, there has been a recent rise in fraud cases, especially in the background of the covid-19 pandemic. In this article, we explore the typical scenarios of email fraud in a business context – where the financial losses have been the most detrimental, and how to mitigate the financial losses by strategising, managing and coordinating work streams with multiple parties in a race around the clock with fraudsters.

Discussion points

  • Background to email fraud cases
  • Steps that should be taken by directors and senior management
  • Banks’ duties and responses
  • Regulatory obligations and directors’ duties in instances of fraud

Referenced in this article

  • Theft Ordinance (Chapter 210 of the Laws of Hong Kong)
  • Crimes Ordinance (Chapter 200 of the Laws of Hong Kong)
  • Telecommunications Ordinance (Chapter 106 of the Laws of Hong Kong)
  • Joint Financial Intelligence Unit
  • Organized and Serious Crimes Ordinance (Chapter 455 of the Laws of Hong Kong)
  • Rules of the High Court (Chapter 4A of the Laws of Hong Kong)
  • Evidence Ordinance (Chapter 8 of the Laws of Hong Kong)
  • The Rules Governing the Listing of Securities on The Stock Exchange of Hong Kong Limited
  • Securities and Futures Ordinance (Chapter 571 of the Laws of Hong Kong)
  • Companies Ordinance (Chapter 622 of the Laws of Hong Kong)

So far, in 2020, in the context of the worsening covid-19 situation, particularly in Hong Kong, being one of the main global financial centres in Asia, fraudsters have increased the intensity of their con games. Among the various restrictions imposed by the different governments around the world, most businesses have introduced a working-from-home policy, where feasible. Regrettably, this also means that the main form of communication, as well as approval methods, have shifted to emails. With less human-to-human interaction, this has created more opportunities for fraudsters to exploit loopholes online. In the first quarter of 2020, the number of fraud cases reported to the police in Hong Kong was 4,200.[1] Compared with the same quarter in 2019, which saw only 1,954 cases reported,[2] this represents an increase of approximately 115 per cent year-on-year.

In Hong Kong, fraud is a criminal offence under the Theft Ordinance (Chapter 210 of the Laws of Hong Kong) involving deceit that, with intent to defraud, induces someone to either do or not do something that benefits or prejudices someone else.[3] However, that is not the one and only offence that fraudsters may be prosecuted for. Depending on the facts of the case, fraudsters may also be prosecuted for other offences, including conspiracy to defraud,[4] theft,[5] deception,[6] forgery and falsifying instruments,[7] and unauthorised access by telecommunications.[8]

Even with so many offences that fraudsters may be prosecuted for, fraudsters do not seem to be deterred from entering the game, and are becoming more and more sophisticated. Email fraud cases are on the rise and have been causing severe losses to businesses. In 2019, 752 cases of business email fraud were reported to the police, the relevant losses of which amounted to HK$2.5 billion, which averages out to a loss of HK$3.4 million in each case.[9]

In this article, we explore the different parties involved in the con game – the culprits, the victims and the innocent third parties, and address the issues from the perspective of the victims – the public company and its directors and senior management. But most importantly, we will explore the practical and legal options that are available to the directors and senior management and how to investigate through the unfortunate event, so they are better equipped to handle the situations that may arise.

The culprits in the con game

Fraudsters usually start off by hacking into the email system of their target company. They will remain dormant to watch and observe the correspondence that comes in and out, waiting for that perfect opportunity. For the more sophisticated fraudsters, they may use this opportunity to learn the tone and writing styles of the person they intend to impersonate and to obtain other information such as email signatures or footers, to make their emails as convincing as possible. Alternatively, but also more unfortunately, the other possibility is if the fraudster is an ‘insider’ or has an ‘insider’ at the target company. This may involve the fraudster learning the specific details of a particular transaction or payment approval process of the target company.

There are three techniques that fraudsters commonly like to adopt in email fraud: the fake-but-similar, the business ‘supplier’ and the ‘manager’. Each technique may be used on its own, but also in combination with another.

The fake-but-similar

One of the most common techniques is the use of a fake-but-similar email address to someone from within the target company, usually someone quite senior. This technique is a form of email spoofing, being the fabrication of an email message from a forged sender address. Often, the fraudster will use letters (or numbers) that look alike, such as in the example below:

People today are particularly susceptible to fraudsters using this technique as some devices (especially mobile devices) will only show the sender’s display name, which will be set by the fraudster to be the same as the real email.
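A mail-gateway style check for the fake-but-similar technique and the display-name trick described above, as an added example that is not part of the original article. The domains, the protected name, the look-alike table and the distance threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions): domains the company really trades
# with, and senior staff whose names are worth protecting.
TRUSTED_DOMAINS = ("example-trading.com", "supplier-example.com")
PROTECTED_NAMES = {"alice chan"}

# Letter groups and single characters that render alike in common fonts.
# Both sides of a comparison are folded, so the mapping only has to be consistent.
SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
CHARS = str.maketrans({
    "0": "o", "1": "l", "i": "l", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
})


def skeleton(domain):
    """Fold a domain to a canonical form in which look-alikes collide."""
    folded = domain.lower()
    for seq, repl in SEQUENCES:
        folded = folded.replace(seq, repl)
    return folded.translate(CHARS)


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, max_distance=2):
    """Return (verdict, detail) for one From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower()

    # An exact match only says the domain is right. A taken-over mailbox
    # (the 'manager' scenario) still passes this check.
    if domain in TRUSTED_DOMAINS:
        return ("trusted-domain", domain)

    # Fake-but-similar: same skeleton, or only a couple of edits away.
    for trusted in TRUSTED_DOMAINS:
        if (skeleton(domain) == skeleton(trusted)
                or edit_distance(domain, trusted) <= max_distance):
            return ("lookalike-domain", trusted)

    # Display-name trick: the visible name is a protected person, or is
    # itself a real-looking address, while the true address is elsewhere.
    shown = " ".join(name.lower().split())
    shown_domain = shown.rpartition("@")[2] if "@" in shown else ""
    if shown in PROTECTED_NAMES or shown_domain in TRUSTED_DOMAINS:
        return ("display-name-impersonation", shown)

    return ("unknown-sender", domain)


if __name__ == "__main__":
    # Constructed From: headers, one per case.
    samples = [
        "Alice Chan <alice.chan@example-trading.com>",
        "Alice Chan <alice.chan@examp1e-trading.com>",
        "Accounts <ar@supplier-exarnple.com>",
        "Accounts <ar@supplier-exmaple.com>",
        '"alice.chan@example-trading.com" <pay@mail-example.net>',
        "Alice Chan <office@mail-example.net>",
        "Bob <bob@unrelated-example.org>",
    ]
    for header in samples:
        print(classify_sender(header), "<-", header)
```
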

The business ‘supplier’

If, from the hacked emails of the target company, the fraudster sees and starts following transactions for a current trade deal with a supplier or service provider (the Business Supplier), the fraudster may pose as someone from the Business Supplier and start liaising with the target company with regard to payment. Often it is the case that the fraudster will notify the target company that the Business Supplier’s bank account had changed, followed by a request for the funds to be transferred to the ‘new account’ (ie, the Fraudster’s Bank account).

The ‘manager’

In a typical scenario, the fraudster will take over the email accounts of members of the senior management or the CEO, or use the fake-but-similar technique mentioned above, to instruct an employee in the accounting or human resources department to wire money to an account related to the fraudster. The same also often occurs in subsidiaries with headquarters or parent companies overseas. Owing to the time difference with the CEO or maybe a hierarchical culture of the organisation, or a combination of both reasons, the victims may be less likely to verify the identity of, or instructions from, the fraudster.

Over time, the above techniques have been known in several variations by several names – wire fraud, invoice scam, sale contract scam, CEO scam, spear-phishing, etc. Regardless of the technique or techniques used by fraudsters, target companies are always hit when they least expect it and may not realise they have been defrauded until much later. Upon the money being transferred out of the target company’s account and into the fraudster’s account, it is usually dispersed into various second (and even third or fourth) level accounts within a very short time frame. Goodbye money, for now.

The victims: directors and senior management

Once the fraud is detected by the target company, the directors and senior management are usually in a state of confusion or shock. The directors and senior management usually have very little time to react because (1) various obligations they owe, as discussed below, dictate that they act immediately and (2) the longer the reaction time, the longer the fraudsters will have to disperse the money.

All directors, regardless of whether they are executive directors, non-executive directors or independent non-executive directors, have the same duty under common law, under Hong Kong legislation[10] and under the Listing Rules[11] to act honestly, in good faith and to exercise reasonable care, skill and diligence. These duties are usually owed towards the company. In the context of fraud, it is vital that directors take immediate steps to mitigate losses while discharging their duties as directors. This includes taking one or more of the steps we discuss below. If it is found that any director has breached his or her duty, or acted negligently or not in the best interest of the company, there are avenues under common law or the Companies Ordinance[12] for the company or the shareholders of a company to bring lawsuits against the director. Hence, it is necessary for directors to respond quickly and act appropriately.

From our experience and from what we have seen in these email fraud cases, the longer the period between when the fraudulent transfers occurred and when they are detected and acted upon by the directors or senior management, the more difficult and less likely it is that the money will be recovered. It is, therefore, imperative that the directors and senior management approach legal advisers as soon as possible. As is discussed in the sections below, there are various work streams with multiple parties, which should be handled concurrently and hastily. Often, legal advisers are best placed to strategise, manage and coordinate these multi-work streams together with the directors and senior management, to increase the chances of recovering the defrauded funds and ensure that the directors and senior management fulfil their duties and responsibilities.

The first 72 hours: the golden opportunity

We have handled cases where the fraud was discovered within 72 hours of the money being remitted out of the victim’s account as well as cases discovered after the 72-hour window passes – there is a vast contrast between the funds that are recovered from the two categories. Hence why we call this window the ‘golden opportunity’.

Upon discovery of the fraud, as the very first step, it is vital for the victim to contact his or her bank immediately (the Victim’s Bank). Among other things the bank may do internally, it may place administrative ‘holds’ on the transaction and contact the bank that the fraudster maintains its account with (the Fraudster’s Bank) to see if they can implement a similar ‘hold’. At the same time, legal advisers can also issue written notice to the Fraudster’s Bank. Once the Fraudster’s Bank is on actual notice of suspected fraud, it will have additional obligations under Hong Kong law, which are discussed in the sections below.

Irrespective of the internal actions that may be taken by the banks, even after the money has been remitted out of the Victim’s Bank, there are also legal actions that may be taken to prevent the money from being successfully deposited into the Fraudster’s Bank account or to recoup the money.

As the clock ticks: the next steps

If the bank cannot stop the transaction, that is not the end of the chase; it is just the beginning. To get ready for the next steps, experienced legal advisers are able to help investigate what happened and identify the key facts within a very short period of time, and prepare the relevant documentation required for the police and for court, including documents to evidence the transactions that took place and documents to prove the actual loss. This transitional phase is particularly crucial as it affects how smoothly the following work streams will run. Generally though, not a lot of time can be afforded to get matters ready and in place – usually only a few hours.

Hong Kong Police Force

As one of the most important work streams, given the urgency of the matter, a report needs to be lodged with the police as soon as possible (usually on the same day as the discovery of the fraud). If the victim company is a foreign company with no presence in Hong Kong, an e-report can be lodged online;[13] however, as this online portal is for non-emergency matters, from what we have seen, the online reports may not draw much immediate attention from the police. In such instances, it is important to instruct legal advisers who can articulate the key facts clearly and succinctly and have experience in dealing with the police, to physically lodge a police report on behalf of their client at a police station in Hong Kong. Apart from forming the basis for the police to act upon the consent regime, the police report would also be one of the key documents to serve as evidence in the court injunction proceedings.

In Hong Kong, it is a criminal offence for a person to deal with property that the person knows or has reasonable grounds to believe is the proceeds of an indictable offence[14] or to fail to report the relevant suspicious transaction.[15] However, there is a defence available for persons to continue dealing with those proceeds – when an authorised officer (in this case, the police) has given consent.[16] This is known as the consent regime. In practice, the relevant unit of the Hong Kong Police Force that handles fraud complaints, particularly business fraud involving large sums of money, is the Joint Financial Intelligence Unit (JFIU), a unit of the Hong Kong Police Force that is run jointly with the Hong Kong Customs and Excise Department.[17]

As part of the consent regime, the JFIU can also give ‘no consent’, which notifies the Fraudster’s Bank that the JFIU does not consent to dealings with respect to the recipient Hong Kong account. There are established police internal guidelines for the issuance of letters of ‘no consent’ to the Fraudster’s Bank, which the fraudster maintains accounts with. The underlying principle for the issuance of such letter is that the operation of ‘no consent’ is to be reasonable, necessary and proportionate to the circumstance.[18] Factors that the JFIU may consider include the reasonable likelihood of the victim obtaining an injunction within a reasonable period of time and the underlying principle that persons guilty are denied their proceeds of crime.[19] In the circumstances, legal advisers can assist the victim to persuade the JFIU to issue the letters of ‘no consent’ and act as liaisons between the JFIU and the victims (particularly foreign companies not based in Hong Kong) in the JFIU’s criminal investigations.

Without the consent of the police, the Fraudster’s Bank would be at risk of committing an offence if it deals with the money in the fraudster’s account, even if it is merely acting on the instructions of the fraudster. Hence, although the letters of ‘no consent’ do not operate as a freezing order at law, they have been known as ‘soft freezes’, which essentially buy the victims more time to get together the relevant documents needed for a formal court order to freeze the fraudster’s account (ie, the ‘hard freeze’). Depending on the circumstances and communication with the police officers, and subject to the police officers being able to obtain such information from the Fraudster’s Bank, we have seen cases where the police may advise if the funds are still in the first level account or accounts or if they have already been dispersed into second level accounts. In such circumstances, the JFIU may also issue letters of ‘no consent’ to second (or further) level banks. It is important to note that letters of ‘no consent’ are only temporary. No action is required from the relevant bank upon receipt of a letter of ‘no consent’; however, in practice, banks will usually freeze the suspected account to avoid risks of violating their obligations under anti-money laundering legislation.

Injunction and disclosure orders

Injunctions and disclosure orders reflect the defensive and offensive strategies that can be deployed concurrently against fraudsters. Injunction orders are the formal way to freeze funds in the fraudster’s Hong Kong bank account whereas disclosure orders assist with tracing the funds that were subsequently dissipated from the first level bank account. Usually, for complex commercial frauds, and for claims exceeding HK$3 million, the relevant court with jurisdiction to hear such matters is the Court of First Instance of the High Court of Hong Kong.

As the first court action, which should, to the extent possible, occur at the same time as the police work stream, the victim should apply for both a proprietary and Mareva injunction over the funds that remain in the Fraudster’s Bank account. As the case is one of urgency, the application may be made on an ex parte[20] basis under Order 29 of the Rules of the High Court (Chapter 4A of the Laws of Hong Kong).

A proprietary injunction is a form of interim relief for plaintiffs who have a proprietary claim. Where there is risk that the funds have been dissipated, then it is prudent to apply for a Mareva injunction in aid of or as a ‘top-up’ protection in support of the proprietary injunction.[21] In Hong Kong, it is trite law that funds deposited in a Hong Kong account as a result of fraud are prima facie held on constructive trust for the victim by the recipient, giving rise to a proprietary claim,[22] and is able to constitute a ‘serious issue to be tried’ and a ‘good arguable case’. At the ex parte stage, the victim does not need to show that it is likely to win,[23] but rather a good enough case for interim relief to be awarded before the substantive case is heard.

Table 1

Legal tests for a proprietary injunction[24]

  • There is a serious issue to be tried on the merits.
  • The balance of convenience is in favour of granting an injunction.
  • It is just and convenient to grant the injunction.

Legal tests for a Mareva injunction[25]

  • The plaintiff has a good arguable case on a substantive claim.
  • The assets are within the jurisdiction.
  • The balance of convenience lies in favour of the grant of the injunction.
  • There is a real risk of dissipation of assets, or removal of assets from the jurisdiction which would render the plaintiff’s judgment of no effect.

As part of the Mareva injunction application, it is also usual practice for victims to seek orders for the defendant to disclose its assets, including the value, location and details of assets above a certain value.[26] However, more often than not, it will not be possible to locate the fraudster and the fraudster will not comply with the disclosure orders.

Nonetheless, to assist in the next level of tracing (if the funds have already been dissipated out of the first level account), banker’s disclosure orders under section 21(1) of the Evidence Ordinance (Chapter 8 of the Laws of Hong Kong) should be sought simultaneously with the injunctions. These allow for the disclosure of information necessary for the purpose of identifying where the funds have gone and suing the next level defendants, including names, addresses, information relating to their involvement in the fraud, account opening forms and bank statements, etc.

The Fraudster’s Bank

Fraudsters are customers to the Fraudster’s Bank, and as is the case in other common law jurisdictions, the Fraudster’s Bank owes a duty of confidentiality to all its customers based upon the existence of a commercial relationship.[27] Under this duty, banks are prohibited from disclosing information about their customers to third parties, unless under certain exceptions. One of the established exceptions to the duty of confidentiality is where disclosure is under compulsion by law, that is, as a result of a court order or a legislative provision.

Dealing with banker’s disclosure orders

From our experience, banks have usually taken a neutral position. They will neither object nor consent to victims’ applications for a banker’s disclosure order against the bank. However, it remains for the victim to satisfy the court that a banker’s disclosure order against the bank should be granted.

Once the banker’s disclosure orders are granted by the court, it is important to start negotiating a staggered production timetable with the bank to ensure that the most crucial information is obtained as soon as possible. Documents that fall within the scope of the court’s orders may be quite voluminous and require significant turnaround time from the bank to produce. However, in the context where time is of the essence, certain documents should be prioritised. Experienced legal advisers will be able to identify and request precise documents from the bank for the next level of asset tracing. In fact, we have seen many cases whereby the next level of injunctions orders and disclosure orders have been applied for and granted by the court before the bank completes its full production of the documents in the prior level.

Checkmate: obtaining judgment and enforcement

If there are funds that are still in Hong Kong at the end of the tracing exercise, it is possible to obtain a court judgment to recover the funds. Depending on the facts, particularly the flow of funds in and out of the Fraudster’s Bank account and of each of the different levels of bank accounts thereafter, there are different methods to obtain the judgment. There are various factors affecting which method would be the most suitable to the victim, such as the patterns of fund flow, the location of the defrauded funds, the likelihood of the defendant appearing in court and whether there are any competing claims. Each case is highly fact sensitive, but given the experience that legal advisers have in handling these types of cases, a tailored approach may be taken to ensure that judgment is obtained in the most efficient and effective way.

If the different levels of tracing lead to a conclusion that the victim’s funds are remitted offshore, it is possible to continue the tracing exercise with the assistance of local counsel in those foreign jurisdictions. Nonetheless, each case will turn on its own facts as to the feasibility and practicality of offshore tracing – in some cases, it would be appropriate to continue the chase, and in others, not so much.

Stalemate: defendants who defend

As there is no way of knowing the relationship between the fraudster and the second (or further) level accountholders, there is a possibility that there are legitimate business relationships between them. In such cases, any recipient of the defrauded funds may appear in the court proceedings to defend their case. Hence, the more levels that the funds are dissipated to, the more accountholders are involved and the greater the risk that there will be a recipient who will defend the case. One of the most effective defences for a recipient of fraudulent funds is that they are a bona fide recipient for value without notice – a genuine recipient who had no knowledge of the fraud and had merely received the funds in the ordinary course of business.[28]

The court will look to the evidence surrounding the receipt of funds at each level of transactions, such as whether there is any history of the business relationship, the timing of subsequent transfers and monetary amounts of the transactions. If the recipient can establish a case, the victim may not be able to succeed in a proprietary claim over the same funds transferred by the fraudster to the second (or further) level recipient, or to recover it. In addition to managing the legal proceedings generally, legal advisers can identify and assess the associated risks.

Internal investigations, reports and announcements

Directors of public companies have additional regulatory obligations, as public companies in Hong Kong are supervised by the Stock Exchange of Hong Kong in addition to the Securities and Futures Commission. One such obligation is that, under the Corporate Governance Code,[29] a code that all public companies in Hong Kong are expected to comply with, the board of directors is collectively responsible for evaluating and determining the risks of a public company, and ensuring that it establishes and maintains appropriate internal control systems.[30] Even if the directors delegate their duties, they cannot abrogate their responsibility entirely.[31]

Upon the fraudster successfully defrauding money, it is clear that the existing internal control systems have failed, which puts into question whether the directors have established and maintained proper controls in the first place. Therefore, it is critical that the directors and senior management ring-fence themselves and conduct internal investigations immediately to identify whether there are indeed weaknesses. Such an exercise not only serves to show that the directors have responded quickly and acted appropriately while discharging their duties but also gives comfort to the regulators that the situation is under control should the regulators come knocking on the door. Directors may also consider bringing in legal or other professional advisers (as an independent neutral third party) to assist or conduct the internal investigations to add credibility to any potential findings. To provide additional comfort to the regulators that such incidents of fraud will not occur again, commercial steps may also be taken subsequently, such as auditing and patching security loopholes in the IT system, engaging experts to review internal controls and further guidelines or manuals, and arranging for further risk management training for the employees.

In responding to an incident of fraud, regulators would expect public companies to make public disclosures (by way of announcements, press releases or otherwise) on the incident, which will inevitably draw the attention of investors as well as regulators. Both audiences would be interested in the same things: the current strength of the company’s internal controls; the steps taken to mitigate the company’s losses; and whether a similar incident would happen again. To boost investors’ confidence and satisfy the regulators, it would be important to be in a position to confirm that all possible measures have been taken at the first instance to stop the relevant fraudulent transactions, and to spell out the additional internal steps taken with respect to risk management.

Conclusion: lessons of the game

Falling for email fraud is one of those incidents that companies hope never happens. If it does, one would hope that it would be the first and last time it ever happens. To ensure that it doesn’t happen (or doesn’t happen again), companies can conduct regular employee training, adopt double-checking mechanisms (eg, requiring verbal and written confirmation for large transaction sums), conduct frequent IT security audits and even set up dual controls with banks (eg, one user to initiate and one user to approve), if appropriate. This is not an exhaustive list and much more can be done, depending on the structure and nature of the business. Legal advisers and companies’ internal compliance teams should conduct the appropriate assessments and tailor action plans accordingly.

In the unfortunate event that one does fall victim, the most practical piece of advice to take on is to remain calm and to act quickly. There are multiple work streams to manage and little time in the race against the fraudsters. But, fret not, as legal advisers will have the experience and resources to manage them concurrently, and are best placed to assist victims. Just remember, keep calm and carry on.

The authors would like to acknowledge the contribution of Amanda Liu in the preparation of this chapter.

Notes

[1] Hong Kong Police Force, ‘Crime Statistics Comparison’, retrieved on 11 June 2020 from https://www.police.gov.hk/ppp_en/09_statistics/csc.html.

[2] ibid.

[3] Section 16A of the Theft Ordinance (Chapter 210 of the Laws of Hong Kong) (the Theft Ordinance).

[4] Section 159E(2) of the Crimes Ordinance (Chapter 200 of the Laws of Hong Kong) (the Crimes Ordinance).

[5] Sections 2 and 9 of the Theft Ordinance.

[6] Section 17 of the Theft Ordinance.

[7] Section 71 of the Crimes Ordinance.

[8] Section 27A of the Telecommunications Ordinance (Chapter 106 of the Laws of Hong Kong).

[9] Cyber Security and Technology Crime Bureau, Hong Kong Police Force, ‘Business Email Scam’, retrieved on 10 June 2020 from https://cybersecuritycampaign.com.hk/fraud/email-scam_eng.html.

[10] Section 465 of the Companies Ordinance (Chapter 622 of the Laws of Hong Kong) (the Companies Ordinance).

[11] Rule 3.08 of the Rules Governing the Listing of Securities on the Stock Exchange of Hong Kong Limited (the Listing Rules); Rule 5.01 of The Rules Governing the Listing of Securities on GEM (the GEM Rules).

[12] See, eg, sections 731 to 738 of the Companies Ordinance.

[13] An online report may be lodged at https://www.erc.police.gov.hk/.

[14] Section 25(1) of the Organized and Serious Crimes Ordinance (Chapter 455 of the Laws of Hong Kong) (OSCO).

[15] Sections 25A(1) and (7) of the OSCO.

[16] Section 25(2)(a) of the OSCO.

[17] The JFIU is based in Police Headquarters in Wanchai, Hong Kong. Although any police station would be able to lodge a police report, the JFIU specialises in suspicious activity and financial crimes under the OSCO.

[18] Hong Kong Police Force, Force Procedures Manual, paragraph 5(d) of Chapter 27–19. The Manual is not available to the public but this section is extracted at paragraph 3.6 of Interush Ltd and Commissioner of Police [2019] 1 HKLRD 892.

[19] ibid.

[20] Ex parte proceedings are legal proceedings conducted without the presence of the other party (or parties) affected by the relevant proceedings, regardless of whether notice was given or not.

[21] Falcon Private Bank Ltd v Borry Bernard Edouard Charles Ltd [2012] HKEC 953, at [67].

[22] See eg, JS Microelectronics Ltd v Achhada Dilip G [2016] HKEC 694, at [60].

[23] Hong Kong Civil Procedure 2020, Vol. 1, §29/1/66.

[24] Madoff Securities International Ltd & Anor v Raven & Ors [2012] 2 All ER (Comm) 634.

[25] Hong Kong Civil Procedure 2020, Vol. 1, §29/1/65.

[26] See Practice Direction 11.2 (Mareva Injunctions and Anton Piller Orders).

[27] Tournier v National Provincial and Union Bank of England (1924) 1 KB 461.

[28] See, eg, Pacific Rainbow International Inc v Shenzhen Wolverine Tech Ltd [2017] HKEC 869.

[29] Appendix 14 of the Listing Rules. For companies listed on GEM, see Chapter 15 of the GEM Rules.

[30] Section C.2 of the Corporate Governance Code.

[31] Re Westmid Packing Services Ltd (No 2) [1998] 2 BCLC 646; followed in Re Copyright Ltd [2004] 2 HKLRD 113.
