FRAUD: An Introduction to UK-wide
Chambers Overview: Digital Fraud Trends
By Jane Colston, Jessica Lee and Imogen Winfield
14 September 2021
The Telephone Crime Survey for England and Wales indicated an increase of 36% in fraud and computer misuse offences as at the end of March 2021, compared with the year ending March 2019.
Hacking and phishing
We are all alive to the perils of hacking (where fraudsters force their way into computer systems or accounts) and phishing (where online users are baited into providing personal information such as account credentials to the fraudster, typically by clicking on links in bogus emails or text messages posing as legitimate sources) but still, given the data which shows their substantial increase, too many fail to spot what is happening in time to counter it.
Email accounts are easily spoofed such that they appear to be from a recognisable source, and carefully tailored phishing emails tend to reference details relevant to an individual or organisation following a period of monitoring. Business email compromise fraud was the subject of CMOC v Persons Unknown [2018] EWHC 2230 (Comm) in which the first worldwide freezing order was made by the courts of England and Wales (E&W Courts) against ‘persons unknown’ after a director’s email account was hacked and purported payment instructions were sent to and processed by the company’s bank.
Social media and online scams
Another trend seen throughout the pandemic was the increase in retail investors engaging directly with online trading and investment platforms, with social media often playing a role in promoting investment opportunities and facilitating these activities.
These social media platforms and online bulletin boards are increasingly favoured by fraudsters to execute phishing scams. Online promotions of investments that sound too good to be true are a particular danger to consumers, who may be lured by misleading associations with reputable brands and purported endorsements by influencers who may or may not be in on the scam.
An example of this was seen last summer where the Twitter accounts of numerous high-profile individuals and household names were hacked and their followers were invited to send Bitcoin to a particular address, enticed by the promise that their contributions would be doubled and returned to them.
Pump-and-dump schemes rely on social media and online communities, where messages are posted creating an artificial hype around a particular security or cryptoasset, temporarily inflating its value before those behind the scheme cash out, leaving newer investors to shoulder the losses.
Ransomware attacks
Phishing emails and bogus online adverts are often used as gateways to malware attacks, where the user is prompted to click on an attachment or link which will covertly download malicious software. One notable example of this was the WannaCry ransomware attack in 2017, which encrypted and held hostage the data of organisations worldwide, including the NHS, causing immense disruption and demanding payment in Bitcoin. A ransomware attack also formed the backdrop to the decision of the E&W Courts in AA v Persons Unknown [2019] EWHC 3556, which concerned a cyberattack whereby the hacker installed malware and demanded payment in Bitcoin in return for the decryption tool to enable the company to re-access its systems. The company’s insurer paid the ransom via transfer of Bitcoin. Having subsequently identified (through forensic tracing) that some of the Bitcoin was transferred to wallets held with crypto exchange Bitfinex, AA brought applications before the E&W Courts seeking: (a) Bankers Trust and/or Norwich Pharmacal orders against two exchanges; (b) freezing and proprietary injunctions in respect of the Bitcoin and accounts held with the exchanges; and (c) consequential orders for service by alternative means and out of the jurisdiction.
Cryptocurrency fraud
Digital fraud is particularly prevalent within the cryptocurrency market, a largely unregulated sector which is seeing rapid growth and technological innovation, with increased interest and participation among consumers and institutions. Naturally, sophisticated fraudsters have managed to innovate at a similar pace, and various methods of crypto-related fraud continue to come to light. Concerns have been raised by the UK’s Financial Conduct Authority (FCA) over the promotion of cryptocurrencies by social media influencers (many of whom are targeted by scammers to run fake promotions). The FCA’s new “investment harm” campaign plans to use these same channels to help inform consumers considering high-risk investments.
Cryptocurrency frauds come in many different guises including fake coins, initial coin offerings and tokens; spoofing and phishing attacks to steal personal information, passwords and private keys associated with cryptocurrency wallets; social media scams and fraudulent investment schemes; and hacking and ransomware attacks. Recent examples include:
1. The sale of a non-fungible token (NFT) for USD300,000 which purported to be an NFT in a Banksy work but transpired to be a fake.
2. The cyberattack on the Japanese exchange Liquid Global in August 2021, resulting in the theft of almost USD100 million of cryptocurrencies.
Similar crypto fraud cases and disputes have begun filtering through the E&W Courts, and a variety of decisions have successfully adapted existing legal remedies to assist victims of cryptocurrency fraud in recovering their assets. Recent developments in this area include the following:
1. In November 2019 the UK Jurisdiction Taskforce (UKJT), chaired by Sir Geoffrey Vos, Master of the Rolls, confirmed in its legal statement on cryptoassets and smart contracts (self-executing contracts run on blockchain technologies that automatically process transactions without the need for a third party) that as a general principle, cryptoassets constitute property. That proposition has subsequently been cited with approval in a number of E&W Courts’ decisions including AA v Persons Unknown; Ion Science Limited & Anor v Persons Unknown & Ors [2020]; and Fetch AI Limited & Anor v Persons Unknown & Ors [2021] EWHC 2254 (Comm). Relatedly, in Ion Science the E&W Courts also considered the lex situs or location of Bitcoin property for the purposes of determining the applicable law to apply. The E&W Courts adopted academic analysis by Professor Andrew Dickinson in his book 'Cryptocurrencies in Public and Private Law' and held the lex situs of a cryptocurrency to be the place where the owner of it was domiciled, which in that case was England.
2. The clarification over the status of cryptoassets as property has enabled a number of proprietary injunctions (in addition to worldwide freezing orders) to be obtained in order to preserve cryptoassets which have been misappropriated by a suspected fraudster. See, for example, AA v Persons Unknown.
3. Guidance has been set out in relation to the use of the persons unknown jurisdiction, including the need to ensure that specific categories of persons unknown are distinguished by reference to their allegedly unlawful conduct (Canada Goose v Persons Unknown [2020] EWCA Civ 303). In particular, the E&W Courts have emphasised that in cryptocurrency fraud cases where innocent recipients of stolen cryptoassets may be the subject of a proprietary claim or order, appropriate carve-outs ought to be included so that those recipients do not inadvertently breach any proprietary order by dealing with assets they believed were rightfully theirs (Fetch AI).
4. Following the decision of Mr Justice Teare in AB Bank Limited, Off-shore Banking Unit v Abu Dhabi Commercial Bank PJSC [2016] EWHC 2082 (Comm), two recent crypto fraud decisions (Ion Science and Fetch AI) have indicated that the E&W Courts do not have jurisdiction to grant Norwich Pharmacal relief in respect of entities located out of the jurisdiction. Those decisions have also raised questions as to whether that position extends to Bankers Trust disclosure orders. However, the E&W Courts have so far been willing to grant Bankers Trust orders against entities outside of the jurisdiction on the basis that such orders are distinguishable from Norwich Pharmacal relief, and previous authority on the Bankers Trust jurisdiction has suggested that Bankers Trust orders may be served outside of the jurisdiction in extreme circumstances, including cases of “hot pursuit” (such as tracing and preserving cryptoassets). This will be an area to keep a close eye on in relation to crypto fraud disputes and cryptoasset recovery actions given that many crypto exchanges are located outside the UK and may not therefore fall within the jurisdiction of the E&W Courts to grant disclosure orders against them, which will often be a key component in any successful cryptoasset recovery strategy.
Comment
While the continued advancement in technology is to be welcomed, fraudsters persist in finding ways of manipulating apparently secure systems to exploit individuals and organisations for their own gain. Fortunately, the English judiciary has demonstrated a willingness to apply existing legal principles to make remedies available to victims of online fraud or in relation to cryptoassets. We will increasingly see the E&W Courts responding as needed and in a meaningful way to ensure that fraudsters can be pursued across boundaries, virtual and geographical, with online court systems being used to resolve disputes.