a hand holding a guitar

Insights

ARTICLE

Recovering stolen money after a business email compromise scam

Business email compromise (BEC) scams are increasingly prevalent in Canada and can inflict significant financial damage on companies and organizations victimized by these attacks.

In many cases, the fraudster can quickly remove the stolen money from the Canadian banking system, or otherwise transfer the funds in a way that makes tracing and recovery nearly impossible.  However, in some cases, if the victim acts quickly, decisively and with the right legal advice, the stolen money can be identified, traced and recovered through remedies available under federal banking legislation and the Court.

This bulletin provides a broad overview of the steps and remedies involved to recover money stolen through a BEC scam.

BEC and social engineering fraud

BEC scams can take a variety forms, but commonly, they involve the fraudster using a spoofed email account or website to fool a company’s staff member into thinking that a payment is being requested by a legitimate vendor.  BEC scams may also involve the fraudster infiltrating the company’s network, gaining access to legitimate email threads about billing and invoices, and then changing recipient payment information to direct payment to the fraudster’s bank account.

Since BEC scams typically involve the re-direction of payments into a bank account controlled by the scammer, the fraud victim will usually have fraudster’s banking information, including the name of the bank, the transit number (i.e. branch location identifier) and account number.  This information provides the foundation to start tracing and recovery efforts.

Section 437(2) of the Bank Act

The immediate first step is to notify the fraudster’s bank about the victim’s claim to the funds.  This can be done by the victim’s banker contacting the recipient bank, through the victim’s legal counsel notifying the in-house legal department at the recipient bank, or preferably, both.

Section 437(2) of the Bank Act, S.C. 1991 allows a chartered bank holding a deposit to refuse to immediately pay the funds to the accountholder if the bank has notice of a competing claim to the funds.  This section gives the bank the right to continue to hold the funds pending further order of the Court or to interplead the funds into Court.

There is some debate as to whether the section can be invoked by claimant in anticipation of commencing litigation or only after litigation has been commenced and the chartered bank is named as a defendant on the basis that it is in possession of trust funds belonging to the plaintiff.

The victim should clearly notify the recipient bank of the victim’s claim to the funds, invoke section 437(2) and ask the recipient bank to temporarily freeze the funds pending a formal freezing order from the Court.

The bank holding the fraudster’s account may or may not be willing to indicate whether there are funds available for recovery.  Even if the financial institution is willing to indicate that funds are available for recovery, they are prohibited under applicable privacy legislation from providing any particulars about the account, including the account balance, the identity of the accountholder, or contact information for the accountholder.  To obtain that information, the fraud victim will have to apply to Court for a Norwich order, as outlined below. 

There is no similar provision applicable with respect to deposits held at provincial credit unions, although some standard form account agreements used by credit unions give them the right to refuse immediate payment to an accountholder if the credit union is put on notice of a competing claim to the fund.

Court applications: Tracing, recovery and judgment

The Court has remedies available to victims of fraud to obtain documents and information about the deposit account from the recipient bank (known as a Norwich order) and freeze the account pending final order of the Court (known as a Mareva injunction).  Applications for both orders are typically made on a without notice basis, which allows the fraud victim to appear before a judge and apply for the orders as quickly as possible.

Once the applicant obtains information about the account, including the name of the accountholder and amount of money in the account, and obtains an order freezing the funds in the account, then the applicant will have to obtain judgment for payment of the funds, typically by default judgment or summary trial.  Each of those steps are summarized below.

Mareva injunction

The Mareva injunction, otherwise known as a freezing order, is one of the most powerful remedies available to victims of fraud.  The order will freeze some or all of the fraudster’s assets, typically at the very start of a civil litigation action and before the fraudster has notice of the litigation.

Since it is an extraordinary remedy, the Court will expect the applicant to provide detailed evidence of the fraud and corresponding payment into a bank account within the jurisdictional reach of the Court.  Importantly, since the application is often brought without notice to the fraudster or other affected parties, the Court will require legal counsel for the applicant to provide “full and frank” disclosure about all material facts concerning the order sought, including those facts that may harm the applicant’s case for a Mareva injunction.  Failure to provide full and frank disclosure can provide a basis for the defendant to later apply to set side the order.

Since a Mareva injunction restrains the defendant from dealing with its assets until final order of the Court, the applicant must provide the Court with an undertaking to pay any damages that may be suffered by the defendant from the freezing order if the Court later dismisses the plaintiff’s case on the merits.

The applicant must establish through admissible evidence that there is a good arguable case of fraud, that the defendant has assets within the Court’s jurisdiction and there is real risk of their disposal or dissipation, so as to render nugatory any judgement.  A party may obtain an injunction as security for damages sought in the litigation without showing that there is a real risk the defendant will dissipate assets, but in most cases a real risk of dissipation must be established before a Mareva injunction will be granted.

That said, if a strong prima facie case of fraud against the defendant has been established, the Court can make an inference that there is a risk that assets in British Columbia will be removed or dissipated.

The overarching consideration in the granting of a Mareva injunction is the balance of justice and convenience between the parties.  The balancing of factors include the potential of harm to either party, the strength of the applicant’s case, the potential effect of the order on third parties, and the defendant’s conduct.

Where there has been a transfer of funds based on a fraudulent misrepresentation arising from a BEC scam, the applicant should be able to satisfy the Court’s requirements to grant a Mareva injunction in the majority of cases.

The applicant should serve the Mareva injunction on the target bank immediately after the order is granted by the Court.

Norwich order

The Court has jurisdiction to order the production of documents in the possession or control of third parties to the litigation (e.g. financial institutions) both under provincial rules of court and also at common law under the principle of an equitable bill of discovery (also known as a Norwich order).

If the fraud victim does not have sufficient evidence about the fraudster’s bank account to apply for a Mareva injunction, then the applicant may first apply for a Norwich order, obtain the necessary evidence from the bank, and then apply for a Mareva injunction.  However, in practice, most BEC scam victims will have sufficient email and wire transfer documentation regarding the fraud and location of the recipient bank account to bring both applications at the same time.

The test that the applicant must meet on an application for a Norwich order is as follows:

  1. The applicant must establish a bona fide claim against the alleged wrongdoer;
  2. the person from whom discovery is sought must be in some way involved in the matter under dispute (e.g. a bank that holds a bank account belonging to the wrongdoer);
  3. the person from whom discovery is sought must be the only practical source of information available to the applicant;
  4. the person from whom discovery is sought must be reasonably compensated for their expenses arising out of compliance with the discovery order; and
  5. the public interest in favour of disclosure must outweigh the legitimate privacy concerns of the wrongdoer.

The Court may consider other factors to determine whether to grant a Norwich order, but where the applicant is a victim of fraud, the Court will require the applicant to show a bona fide fraud claim, provide evidence that the proceeds of fraud were deposited into a Canadian bank account and that the bank is the only practicable source of information available about the account.

Where the applicant has been the victim of a BEC scam and can provide evidence showing proof of fraud and corresponding payment into a Canadian bank account, the applicant should be able to satisfy the Court’s requirements to grant a Norwich order.

Service and judgment

After the Mareva injunction order has been served on the recipient bank and the applicant has received account opening documents and account statements from the bank pursuant to the Norwich order, the fraud victim can proceed to judgment and payment of its stolen money.

The account opening documents will identify the name and address of the accountholder, which may or may not be the actual fraudster.  In some cases, fraudsters use stolen identity or fictitious identity documents to open bank accounts using the name and address of someone else or a completely fake name and address.

The plaintiff must first attempt to personally serve the Court materials on the accountholder.  If personal service is not possible because the accountholder is fictitious or for other reasons, then the plaintiff will then apply for an alternative service order to effect proper service of the Court materials by mail, email, social media or other means.  Since one of the essential elements of a BEC scam is the fraudster’s use of an email address, in most cases, the Court should be willing to allow the plaintiff to effect alternative service by email.

After the accountholder has been properly served, the plaintiff can then apply for default judgment or judgment by summary trial.  In most cases, the fraudster will not respond to the lawsuit, and the plaintiff can proceed to apply for an order for default judgment.  In rare cases, the fraudster or the accountholder will respond to the lawsuit, in which case the plaintiff will need to apply for judgment by summary trial on affidavit evidence.

The order for judgment should include a declaration that the funds held by the recipient bank are impressed with a trust in favour of the plaintiff and an order that the bank pay the funds to the plaintiff.

Conclusion

The key to full or partial financial recovery of stolen money following a BEC loss is to decisively execute a coordinated plan among the company’s IT department, insurer, banker and legal counsel to quickly notify the bank holding the fraudster’s account of the pending claim, marshal the evidence necessary to prove the fraud and payment into the fraudster’s account, and then apply to the Court for the necessary orders to trace, freeze and recover the stolen money.

At BLG, we have a significant breadth of experience in providing counsel and representation to victims of financial fraud, including investigations and recovery actions arising from BEC scams and other forms of cyber fraud.  If you have any questions about fraud investigation and recovery, please reach out to any of the key contacts below.

Key Contacts