The former CEO of Cisco Systems, John Chambers, once famously stated: ‘There are only two types of companies: Those that have been hacked and those that don’t know that they have been hacked’. Whether transactions are cross-border or national, commerce's dependence on the web is booming, which makes businesses increasingly vulnerable to cyber-enabled crime. With new cases emerging almost daily, various organizations around the globe have been issuing recommendations to governments on actions to take to combat cybercrime. In parallel, United Nations member states have been negotiating an international treaty on countering cybercrime since May 2021, and 156 countries have enacted cybercrime legislation at the national level.
However, the above measures, although meant to serve the greater good, are not enough to protect a business from becoming the next victim. Advanced technology is catalyzing cyber-enabled crime, and criminal syndicates are both organized and decentralized. Businesses are increasingly suffering from cyber-enabled fraud (‘CEF’), which, along with theft, is one of the most widespread types of cybercrime.
Types of CEF that businesses should beware of
The Financial Action Task Force (FATF), among others, focuses on the following types of cyber-enabled criminal activity, which are more likely to occur where businesses are exposed:
The immediate steps
Notifying the originating bank
In the event of any CEF or attempted CEF, businesses should immediately contact the bank holding the payment account (‘Originating Bank’) and notify it of the completed or attempted fraud. If the wrongfully transferred amount has not yet been withdrawn or transferred to another account, the bank might be able to alert the intermediary bank and the beneficiary bank to block the anticipated withdrawal or transfer.
Local law enforcement
This year the government of Azerbaijan established the Main Directorate for Combating Cybercrime under the Ministry of Internal Affairs. The specialized cybercrime unit is staffed with skilled experts who investigate cyber-enabled crime. It is vital for businesses to report any crime or attempted crime. This is also important for regulatory compliance. Hence, the police report on the cybercrime must be submitted to the Central Bank of the Republic of Azerbaijan, considering that once the two-year deadline expires, an administrative penalty will be initiated against a business that failed to declare goods (services) to the customs authorities.
Law enforcement and FIUs of the country where the crime was recorded
If cybercrime occurs due to a leak within the infrastructure of a vendor based abroad, businesses should file complaints with law enforcement and the Financial Intelligence Units of that country. This was the case with the Client, where our firm submitted a report to law enforcement, various FIUs, and even the Central Bank of the UAE to accelerate the investigation.
Downsides
Despite implementing enhanced security measures, banks alone cannot provide sufficient safeguards to prevent CEF. None of the originating, intermediary, and beneficiary banks that processed the transaction initiated by the Client was able to detect the fraudulent invoice and prevent the withdrawal of cash by the intruder(s) in the UAE. Inasmuch as cyber-enabled fraud cases often involve more than one jurisdiction, one question to be addressed is where the criminal investigation will be opened. National law enforcement declined to open a criminal case on the basis of the Client’s report, since it became evident that the CEF had not taken place in Azerbaijan. Nor does law enforcement in the UAE open an investigation until the victim personally files a criminal complaint in the UAE.
Recommendations
We recommend that businesses consider taking the following measures:
- Include robust indemnity clauses in agreements with vendors that will oblige them to increase cybersecurity measures against criminal syndicates.
- Multi-verify the vendor’s bank account details with the beneficiary bank and with the vendor through means other than the possibly compromised email.
- Regularly train employees on phishing fraud, multi-verification processes, and measures to prevent cyber-enabled fraud.
- Build advanced cybersecurity infrastructure, including by involving a third-party IT security consultant.
- Victim reporting. In BEC and phishing frauds, victims discover relatively quickly that they have been defrauded, since the counterparty begins to question the payment. Victim reporting to the relevant authorities is important because it might help to trace the criminal proceeds and possibly to recover the loss.
About the author
Ruslan Bayramov is a Founding Partner at Legalize Law Firm. He specializes in corporate law, eCommerce, and AML/CFT Compliance. Ruslan advises clients on asset recovery following cyber-enabled fraud. For further information about the author and Legalize Law Firm, please visit https://www.legalize.az/en