Hackers target Cayman bank accounts

| 17/10/2013

(CNS): The Financial Crime Unit is investigating a new email fraud involving Cayman Islands banks. The RCIPS’ finance cops say there have been a number of incidents where fraudsters have acquired bank details by hacking email accounts and sending fraudulent wire instructions to various local banks. The on-line scammers have used legitimate wire instructions sent by the victims to respective banks via email. Hacking into that electronic correspondence, the internet crooks have got the account numbers, bank balances, scanned signatures and other confidential information. 

The hackers then sent subsequent emails from the victims' addresses instructing the local banks to wire more funds to various destinations all over the world. 

The police said that hundreds of thousands of dollars have been fraudulently wired from the Cayman Islands to the US, Hong Kong, Singapore, Malaysia, Denmark and other jurisdictions. By the time attempts are made to recall the fraudulent wires, the funds have been collected and it is too late. 

“The Financial Crime Unit does not recommend sending banking details via email,” an RCIPS spokesperson said. “A telephone call to the bank could save hundreds of thousands of dollars and heartache in the long run.”

The FCU said it was available for advice should any member of the community require it and officers can be contacted on 949-8797.

Category: Crime

Comments (15)

Trackback URL | Comments RSS Feed

  1. Not A Banker says:

    Like a said, I'm not a lawyer either. Instead simply an ordinary citizen who was concerned with the legal rights and protections of deposit holders who may or may be targeted next in these sort of scams. If it is the opinion of the commentators herein that banks can legally get off with wiring out my hard-earned cash using fraudulent & unverified instructions with no penalties or obligagations, then I would vertainly believe Cayman does not deserve to be ranked among the top 10 financial services jurisdictions! Reminds me off the Wild West…

  2. Not A Banker says:

    Dear readers, any funds obtained from the execution of fraudulent wire transfer will most obviously be considered theft, henceforth defined as " Proceeds of Crime", you will note the law's title.

    In most cases of these occurrances the Bank will usually make every effort to make the client whole again, if for no other reason than to protect their reputation. 

    However, should the Bank take a defensive stance and the matter were to move to litigation, the plaintiff (client) might also consider suing for damages for any interest that would've ordinarily been earned in addition the principal amount.  Also, in the bigger scheme of what is known as Anti-Terrorism Financing (ATF), depending on the jurisdiction, if the Bank is found to have acted negligently, the court may also impose a ruling or order an investigation referring to the Bank being complicitous in the aiding of said terrorist financing. 

    To avoid this, the bank's defence would have to satisfy the court that it employed every available measure to establish the veracity of the wiring instructions, and that they've identified that the instructions came from the signing/trading authority of record for that account, pursuant to the applicable regulation/law.  Now if the Bank had not performed a simple & industry-standard, callback procedure do you really think a Judge in his/her right capacity would rule in favour of that bank?  Of course I see that the law does not state verbatim, "must perform telephone callback" but it can be easily extrapolated from the wording, especially if all the other banks do it.

    At no point did I infer that the act of using fax or email instructions, in & of themsleves, constituted negligence.  Many clients opt for this and in most cases sign indemnity agreements protecting the bank from responsiblity for interception of private and confidential information.  However this doesn't indemnify them from loss of funds by negligence.

    Anyway, I REALLY hope this clears things up for you…

    • Anonymous says:

      Except the regulations govern criminal matters and don't provide a civil remedy of the type you imply.  Rather the rights and obligations between the bank and its customer covering the type of behaviour you are writing about will be in the mandate.  And if you think "every available measure" is the touchstone of negligence then perhaps you should buy Nutshells On Tort and start at page 1.

  3. Not A Banker. says:

    I submit for your review and subsequent interpretation, as well as for the informational and educational benefit of the readers & commentators hereto;

    The Cayman Islands "Proceeds of Crime Law, 2008 – Money Laundering Regulations" which can be accessed from CIMA's website http://www.cimoney.com.ky/AML_CFT/default.aspx?id=136#PCL

    Part VII-Identification & Record Keeping Requirements Relating to Wire Transfers

    Regulation 18 "Information accompanying transfers of funds and record-keeping." on page 22 states thusly:

    18.(1) Subject to regulation 19, a payment service provider of a payer shall ensure that transfers of funds are accompanied by complete information on the payer. 
    (2) The payment service provider of the payer shall, before transferring the funds, verify the complete information on the payer on the basis of documents, data or information that meet the requirements of regulation 11(1). 
     
    Regulation 11(1) page 15 "Identification Procedures; Supplementary Provisions" 
     
    11.   (1)   For   the   purposes   of   these   regulations,   evidence   of   identity   is
    satisfactory if-
    (a)    it is reasonably capable of establishing that the applicant is the person he claims to be; and
    (b)   the person who obtains the evidence is satisfied, in accordance with the procedures maintained under these regulations in relation to the relevant financial business concerned, that it does establish that fact,
    __________________________________________________________________________
     
    Therefore, to recoup the stolen funds, the legal recourse of the client in a court of law, would be to prove negligence on the part of the Bank, which did not call-back to verify the instructions, which also constitutes a breach of contract under the terms of the Client's account agreement(a legally binding document).   By the way; all CIMA regulated Class A banks consider it good practice and implement the call-back procedure by way of Internal Policy, so that they may receive a favourable practice & conduct review/audit from CIMA.
     
    Kindest Regards,
    Still Not A Banker and Not A Lawyer either….
     
    • Anonymous says:

      I'm not defending the banks, they can defend themselves. The  law quoted doesn't really indicate the bank cannot use email to issue instructions, as foolish as that may or may not be. The law speaks to ensuring you know who you are doing business with.

      It would be hard to prove negligence if the client had indicated they wanted to be able to provide instructions via email, and had done so previously. Not all email Is equal, but most email isn't that much different than a fax. That has legal precident. But I'm not a banker or lawyer either.

      i think the lesson here is people, and businesses, need to understand how crafty crooks are, and  you need to protect yourself and your clients. In this case I will guess both the person and the bank are victims. Simply blaming one or the other won't prevent it from happening again.

    • Anonymous says:

      Cannot see how a criminal statute designed to prevent money laundering can fom the basis of a civil action for breach of statutory duty.

  4. Anonymous says:

    I'm interested in knowing what law "Not a banker" is referring to?

     

  5. IT smart says:

    Well, the technology of today has most of the banks using best practice email protection, but my old job had an ego maniac who only thought his IT solutions were best and bespoke. I hope it was he who was hacked and now sacked. Why the Directors let these one person computer kingdoms exist is beyond me? Fresh blood and new technology is the answer!!

  6. Anonymous says:

    Well, I'm interested even it is Class B.  Cayman is a huge centre for investment / mutual funds and it is with Class B banks that these entites maintain their bank accounts! 

  7. Not A Banker says:

    I would think the public would be interested in knowing which Licensed & Operating banks in Cayman have actually wired out funds, which were later found to be sent under fraudulent instructions… 

    In the case that these scenarios occurred from accounts held with Class A licensed banks, then it certainly should be cause for alarm among the general public!

    Wire Instructions are commonly received by retail banks via e-mail or fax and where the funds are being sent to a 3rd party (not the accountholder) then signatures are required, to then be verified against what's on file. If the accountholder is sending funds to their own account in another location, i.e. same name,  then signature is not requisite.  However in both cases and by law, a verbal confirmation, telephone call-back must be performed by a bank officer familiar with the client & the telephone # used must be documented on the instructions prior to executing the wire.  Again this by law.

    Now if these occurrences are from Class B banks here (who are not allowed, under the terms of the license, to take deposits from entities resident in the jurisdiction.) then I shouldn't think this article should be much cause for concern among the readers of this site.

    So which is it FCU?

    • Anonymous says:

      Don't write about something you have no knowledge about

      There's no law to obligate banks to make call backs….

      And B banks provide services to Cayman entities who don't conduct local business, such as hedge funds

      The only thing I do agree with you on is that this alert shouldn't be any cause for alarm for the local retail business

  8. Anonymous says:

    Please inform us which institutions were affected. The public has a right to know.

    • Anonymous says:

      Probably of more importance is the email provider that seems to have been compromised, either that or everyone gave out their login details willingly.

      • Anonymous says:

        There is no mention of "login details". This appears to simply be a case of email hacking. We should all know by now that NO financial information should be sent by email to anyone. This includes account numbers, signatures, credit card numbers, bank codes, etc. All types of financial instructions should be given securely via Online Banking portals and your login credentials MUST be kept secure. Our give your instructions verbally when your identity can be verified.