The Forged Instruction – A New Form of Fraud a la Francaise

The following issue describes a case experienced first-hand by the author.
 
During a meeting with an executive of an international company and the managing director of its French subsidiary, an increasingly threatening risk of fraud in France that has affected dozens of companies including clients of our law firm, was brought up for discussion.  My conversational partner was listening with polite interest to stories of companies, with French subsidiaries which accounts money in the six figure range, that have been easily withdrawn by creative fraudsters.  He assured us confidently that something like this would never happen in his company (this was concerning the French subsidiary branch) and referred to the comprehensive compliance– and pre-emptive measures that would prevent this.
 
About two months after this meeting we received a call from the legal department of the same client with an urgent callback request.  As it was explained to us, almost a million euros were illicitly transferred from the accounts of the French subsidiary to offshore accounts in Asia.  A fraud ring prior conducted a meticulous research about the company’s structure and the names of people in core management positions whose orders would likely make an impression on the accountant of the French subsidiary.  The accountant was firstly informed “in absolute confidence” about a company acquisition planned by the management team until, in a series of emails, he finally received the notice that all affiliated companies must contribute to the transaction and would hence have to initiate a transaction of the aforementioned amount from the French subsidiary’s bank to an account in Hong-Kong.  Feeling honoured by belonging to the few people being privy to the secret operation and receiving orders from the top, the accountant complied and placed the remittance order after he unsuccessfully tried to reach out to his immediate superior, who had left for vacation earlier that day and was no longer reachable.  The French bank was accustomed to small remittance orders made by the employee of their client and only started getting suspicious about of the amount of money, when the funds had already been transferred to Hong-Kong.
 
The scheme that tricked the employee of our client is already known in France as “escroquerie au Président” (feigned CEO-Instruction) for a couple of years.  The name was invented when scammers cunningly pretended to be CEOs (Président) or employees holding a high rank within the company (hereinafter “CEO“).
 
The main characteristics of this kind of fraud are usually the same.  The scammer addresses an email to an employee of the local financial advisory department or an accountant of a French subsidiary, claiming to be the CEO or financial director of that company.  First of all, he entrusts the recipient with the knowledge of a highly confidential, international transaction planned by the executives.  The email address of the alleged CEO is almost identical to the real one, usually only one letter is changed, thus the difference is noticeable only through closer inspection.  It is emphasised that the CEO chose a particular trustworthy employee and strict confidentiality regarding the command structure is demanded.  In some cases, there is a follow-up phone call in which the caller imitates the voice of the real CEO and mentions further names of employees in the finance department as well as relevant information about the company.  The objective is to emphasise the exceptional nature of the transaction and build up mutual trust; the employee is supposed to feel privileged to be in direct contact with the CEO and does not dare to question the authenticity of his superior.
 
According to publicly available data some 1,500 French companies have fallen victim to this new kind of fraud, although, due to fears of considerable damage to the company’s reputation, not all cases of offence are reported.  The total damage is estimated at around 350 to 450 million euros, but again these figures are probably higher.  Amidst the victims are well-known companies such as tyre manufacturer Michelin, oil company Total or luxury group LVMH.  Since the increased coverage of this kind of fraud in the media, the scammers have improved their methods.  The new trick is the supposed update of the financial software of the company, whereby an employee of the financial department of the subsidiary is prompted by forged instructions from the management to input data during the update, which allows for the placement of transfer orders.  In another familiar case, the scammers pretended to be trusted lawyers of the corporate management (utilising forged email addresses and letterheads).  In this case, it was actually a Parisian law firm that had previously already worked for the targeted subsidiary.  An employee in the financial department was again contacted with reference to an urgent and highly confidential transaction of significant amounts. 
 
The police already put in place a special department to cope with this sort of crime.  However, the prosecution is complicated, if not even futile, since the perpetrators and their supporters are abroad.  Investigations revealed that they are based in Israel and their supporters in China; their French is fluently spoken and written– during the call, a French number is displayed.
 
Aside from the aspects of law enforcement and prosecution, this new form of fraud is posing challenges concerning labour law and the enforcement of compliance measures.  Regarding labour law, the question of disciplinary measures for the employee that served the scammers as a rather unconventional implement for their fraud arises.  This should be carefully considered, because even if the employee was acting with negligence by disregarding the internal compliance regulations – for which he could be sanctioned to the extent of termination without notice – disciplinary sanction could be counterproductive.  This is because it is also a question whether the bank acted with negligence and would therefore bear partial or full liability.  Banks themselves have their own compliance measures in place, which should prevent events like the one mentioned from happening (through signature verification, confirmations etc.).  Disciplinary sanctions imposed on the employee could be seen as an admission of guilt by the client of the bank, which would therefore be harmful if the criminally affected company pursued legal action against the executing bank (its liability insurance).
 
From the compliance aspect, these instances show that the mere implementation of compliance rules is not enough.  The risk must also be mitigated through adequate preparation of the employees that would likely be victimised by such scammers. 
 
As one can see, this does not only concern executives, but also lower ranking employees who are “easy prey” because of their low position in the company.  These employees should be continuously informed about aforementioned risks while also being trained with practical cases.  Small subsidiaries of foreign companies are especially vulnerable, since in most cases the accountant usually does not only administer the accounts but is also the contact person of the bank.  Additionally, language barriers and distance to the headquarters make further inquiries to superiors difficult.  In a lot of cases damages exceeded hundreds of thousands, if not millions, of euros (the “record holder” is a medium sized enterprise from Brittany with damages of €23 million).
 
As mentioned already, in all cases the scammers have conducted research about the inner workings of the firm and names of executives whose instructions would easily mobilise a lower rank employee.  This is facilitated through electronically accessible information about companies and their executives, which is easily accessible through the electronic network of the commercial register infogreffe in France.  Aside from official information on the companies, up-to-date contracts with signatures (partnership agreements, minutes of meeting, balance sheets, audit certificates) are also accessible.  Moreover, the companies themselves disclose relevant information for scammers on their own websites.  Executives for example have profiles on networks such as Viadeo or LinkedIn.  The more information is retrievable on the web, the easier it is for scammers to get a detailed picture of the company and its executives, which in turn is relevant for the execution of the fraud.  The “boom“ of this kind of fraud, which has been noticeable throughout the last few years, is hence also explainable by the need to disclose more and more information on the web.  Therefore the importance of pro-active employee training and provision of information through internal emails should be again emphasised to efficiently avoid falling victim to this new kind of fraud.
 
Bruno Weil has 15 years of experience as a lawyer of mid-sized or international corporations which are present or active in France.  He heads the Weil & Associes’ IP/IT department, and as such, regularly intervenes before courts for instances involving patent, trademark or copyright infringements.  His day to day practice also involves commercial court cases, for any business related lawsuits, and counseling companies having interests in France and abroad.  He can be contacted under bweil@weil-paris.fr