Cyber-enabled fraud: an imminent threat to business in Azerbaijan
The former CEO of Cisco Systems, John Chambers, once famously stated: ‘There are only two types of companies: Those that have been hacked and those don’t know that they have been hacked’. Be it for cross-border or national transactions, web-dependency of commerce is booming, which makes the business increasingly vulnerable to cyber-enabled crime. Amid growing number of new cases almost daily, various organizations around the globe have been issuing recommendations for governments on actions to be taken to combat cybercrime. On the other hand, since May 2021 the United Nations member states have been negotiating an international treaty on countering cybercrime, as well as 156 countries have enacted their cybercrime legislation at national level.
However, the above measures, despite meant to serve the greater good, are not enough to protect the business from becoming the next victim due to the advanced technology that is catalyzing the cyber-enabled crime and the organized, as well as de-centralized structure of criminal syndicates. Business organizations to a greater extent are suffering from the Cyber-enabled fraud (‘CEF’), one of the most viral types of the cybercrime along with theft.
Types of CEF that business should beware of
The Financial Action Task Force (FATF)
, among others, focuses on the following types of cyber-enabled criminal activities with higher possibility of occurrence where business is exhibited:
- Business Email Compromise (BEC) fraud: Victims receive email instructions that purport to be from their clients or suppliers’ asking victims to transfer funds to new payments accounts. A prominent client (‘Client’) of our firm fell victim of this scam and wired payments to wrong bank account in UAE. The intruder(s) had accessed the server of the supplier in UAE and modified the content subject to email exchange between the parties. In the end the cyber criminal(s) were able to withdraw the full amount that was channeled by the Client from their bank account and vanish. More and more BEC fraud cases are being reported from various business industries in Azerbaijan.
- Phishing fraud: Victims are deceived into revealing sensitive information such as personal data, banking details or account login credentials. This information is used to funnel the victim’s funds from their payment accounts, open new payment accounts, or make fraudulent transactions. In most cases the criminals send emails to business entities and request information to participate in attractive but bogus biddings, etc.
The immediate steps
1. Notifying the originating bank
In case of any CEF or attempt to commit CEF businesses should immediately contact with the bank holding the payment account (‘Originating Bank’) and notify about the already occurred or attempted CEF case. Under the scenario where the wrongfully transferred amount is not withdrawn or transferred to another account yet, the bank might be able to alert the intermediary bank and the beneficiary bank to block the anticipated withdrawal or transfer.
2. Local law enforcement
This year the government of Azerbaijan established the Main Directorate for Combating Cybercrime under the Ministry of Internal Affairs. The specialized cybercrime unit is equipped with skilled experts to investigate the cyber-enabled crime. It is vital for the business to report any cases of crime or attempt to crime. This is also important regarding the regulatory compliance.
Hence, the police report on the cybercrime must be submitted to the Central Bank of the Republic of Azerbaijan considering that at the end of the expiration of two-years deadline an administrative penalty will be initiated against the business that failed to declare goods (services) to the custom authorities.
3. Law enforcement and FIUs of country where the crime was recorded.
If cybercrime occurred due to a leakage within the vendor’s infrastructure that is resided abroad, businesses should file complaints with law enforcement and Financial Intelligence Units of the same country. This was the case with the Client, where our firm submitted a report to law enforcement, various FIUs and even the Central Bank of the UAE to accelerate the investigation.
- Despite implementing enhanced security measures, banks alone cannot provide sufficient safeguards to prevent CEFs. All the originating, intermediary, and beneficiary banks that processed the transaction initiated by the Client were not able to detect the fraudulent invoice and prevent the withdrawal of cash by intruder(s) in UAE.
- In as much as the cyber-enabled fraud cases often involve more than one jurisdiction, one question to be addressed is where the criminal investigation will be opened. National law enforcement rejected to launch a criminal case because of the Client’s report since it became evident that the CEF had not taken place in Azerbaijan. Nor the law enforcement of UAE opened any investigation until the moment that victim personally files criminal complaint in UAE.
We recommend the business to consider taking following measures to encounter CEF:
- To include robust indemnity clauses within agreements with the vendors that will oblige them to increase cybersecurity measures against criminal syndicates.
- To multi-verify the vendor’s bank account details in with the beneficiary bank, and the vendor through means other than the possibly compromised email.
- To regularly train employees on phishing fraud, multi-verification process, and measures to prevent cyber-enabled fraud.
- To build advanced cybersecurity infrastructure, also by virtue of involving a third-party IT security consultant.
- Victim reporting. In BEC and phishing frauds the victims relatively quickly discover that they’re defrauded, since the counterparty begins to question the payment. Victim reporting to relevant authorities is important considering that it might help to trace the criminal proceeds and possibly to recover the loss.
About the author
Ruslan Bayramov is a Founding Partner at Legalize Law Firm. He is specialized in corporate law, eCommerce, and AML/CFT Compliance. Ruslan is advising clients on asset recovery as a result of cyber-enabled fraud. For further info about the author and Legalize Law Firm please visit https://www.legalize.az/en