Scam emails are emails which solicit personal information such as login details or personal identification information from individuals and entities by posing as trustworthy senders. Scam emails may also contain malicious code which damages the recipients’ computers when the recipients click on the links or open the attachments.
Since the outbreak of COVID-19 in early 2020, cyber fraud cases involving email scams have increased significantly worldwide, with more and more professionals (including law firms) feeling a sense of invincibility and falling victim as a result.
This may be because hackers took advantage of the pandemic and sent fraudulent emails to workers working from home. Therefore, it is important that individuals and entities be alert to such risks and avoid falling victim to email fraud.
5 key elements indicating a scam email
Scam emails may take many forms. However, there are some general clues which may help one identify scam emails.
1. Emails sent from a public domain: It is always prudent to look at the email address of the sender and not just the signature block of the sender. Fraudsters may create bogus email addresses which may show in recipients’ inboxes with display names which do not raise suspicion.
Legitimate organisations always have their own email domain and company accounts. For instance, Google sends emails with the domain name “google.com” instead of “gmail.com”. If the domain name matches the organisation which the sender represents, the email is likely to be legitimate.
2. Generic greetings: Generally, scam emails include generic greetings such as “Hi Customer” instead of personalizing the emails using the recipient’s actual name. Therefore, it is advisable not to reply to any emails which seem to be automatically generated by computer systems.
3. Requests for personal information: Phishing emails often ask recipients to provide personal information, such as login credentials or personal identification information, by clicking on a link to a website. Please bear in mind that legitimate companies never ask their customers to do so, as a safety measure to protect customers from falling victim to fraudulent emails.
4. Requests for an urgent response: Most email scams involve messages which lead recipients to fear that there are problems with their accounts and trick them into taking action urgently. If any such email is received, contact the sender via alternative means of communication, such as calling or texting him/her, to verify the legitimacy of the email. Not only does this help ascertain the authenticity of the email, but it may also alert the alleged sender that a scam may be using their name, so that the alleged sender may take action to warn its contacts and users of potential phishing attempts.
5. Emails with suspicious links and/or attachments: Phishing emails often include links to bogus websites and/or attachments containing malware. Recipients should always look at the links carefully to see if they include irrelevant words or phrases. Always look for URLs beginning with “https”, as the letter “s” indicates that the website uses encryption to protect users’ page requests and that its certificate was issued by an authorized certificate authority. Do not click on any such link to find out which website it actually leads to. Instead, hover the cursor over the link to check and verify the actual website address. As for email attachments, never download and open them unless the recipients are confident that the source of the email is trustworthy.
Where losses are incurred due to email scams, the first step is to notify the recipients’ bank in Hong Kong immediately to avoid dissipation and report to the police to facilitate investigation. The next step is often to commence legal proceedings.
- Pre-action discovery: Where the identity of the fraudsters is uncertain, pre-action discovery actions may be required to identify the wrongdoer(s). The first option is to apply for a Mareva injunction, which prevents wrongdoers from dissipating assets before the victims obtain a judgment against the fraudsters. The second option is to apply for a proprietary injunction, which aims to preserve assets by declaring that the recipients hold the assets on constructive trust in favour of the claimant. The third option is to apply for a Bankers Trust order. Bankers Trust orders compel banks to disclose documents of recipient bank accounts, including account opening documents and transaction records, which enables tracing of stolen funds deposited to the recipients’ bank accounts.
- Causes of action: Various causes of action may be used to commence legal action against fraudsters who received money from victims. Fraud is an obvious choice, but it should be noted that strong evidence is required to prove the element of fraud. Victims may also sue the recipients of the amount for unjust enrichment on the basis that the recipients retain the benefit of any part of the sums received as they never had any valid or legitimate entitlement to receive or retain the same. Victims may also claim that the recipients held the stolen funds on constructive trust in favour of the victims and are liable to return the stolen funds to the victims. Last but not least, subsequent layer(s) of recipients may be sued for having dishonestly assisted in the breach of the constructive trust by the primary recipients of the stolen funds, in that they lent themselves as a conduit to receive and/or channel the stolen funds.
- Possible remedies: If fraud is not pleaded, victims may apply for summary judgment against the defendants. On the other hand, if the defendants fail to acknowledge service and/or file a defence, the plaintiff may apply for a default judgment (with the claim for injunctive relief being abandoned) and then for a garnishee order for recovery of the stolen funds. Victims may also apply for proprietary relief, i.e. asking the Court to declare that the defendant(s) held the stolen funds or all such assets derived from the stolen funds on constructive trust or resulting trust for the victims. For an application for proprietary relief to succeed, victims should adduce evidence to prove that the property to which they lay claim is still in the ownership of the defendant(s) and has not been mixed with other funds, withdrawn and/or transferred. Another, controversial, remedy which victims may seek is a vesting order, in which the Court orders the bank to return the traceable proceeds of stolen funds to the plaintiff. However, the case law on vesting orders is inconsistent and it may not be the most cost-effective remedy to obtain in email fraud cases.
Email fraud has become increasingly common in Hong Kong. The legal redress suggested above often involves a significant amount of legal costs and victims may not recover all their losses, especially where the fraudsters and/or recipients are not in Hong Kong.
As the cliché “prevention is better than cure” suggests, companies should regularly review their internal authorisation protocols and train their employees on how to recognize malicious emails to prevent sensitive data loss. This article has shed light on 5 key elements which may help recipients identify scam emails. However, this list is by no means exhaustive.
Employees should always be alert to potential phishing attacks and protect critical company and personal data.
In the unfortunate event that information and money are lost due to such phishing emails, time is always of the essence in minimizing loss. Apart from reporting to the police and informing the bank, victims should consider seeking legal recourse promptly to identify wrongdoers and recover losses.