The focus of our firm’s investigation and law practice is fraud recovery. We only act for victims of fraud. In this context, we frequently file applications for “tracing” orders – referred to as “Norwich” orders in the civil law context, and “production” orders in the criminal setting. Tracing stolen funds is often, but not always, the first step in a fraud recovery project.

Most of the judgments we receive from the Courts with respect to tracing applications are not published in reported decisions. This is true for almost all tracing applications brought by any lawyer. This is often because tracing / Norwich applications are part of the investigation phase, and we seek to have the contents of the court file sealed while the investigation is ongoing.

The story explained in this post is the subject of an ongoing investigation where the court file is sealed. The story published in this post is told for the benefit of our legal peers and the public seeking information on these types of cases. Pseudonyms are used for the victims and our investigation targets to maintain the confidentiality of the ongoing investigation.

The First Attack

Our client, the applicant for the tracing order, is a real estate developer. We will refer to the applicant as “RED”. The applicant has a long-standing carpet flooring supplier that we will refer to as “CFS”. Both RED and CFS are located in Toronto. As was their usual business practice, CFS sent RED emails enclosing their invoices.

“Rogues”, being unknown fraudsters, or ‘phishers’, infiltrated the emails of RED’s staff through nefarious means. The rogues used malware to monitor the business dealings of RED with its suppliers. Once the rogues were familiar with how RED’s business transactions were electronically conducted between RED and its suppliers, the rogues created email addresses for various CFS employees which were almost identical to the legitimate email addresses that would be recognized by RED staff – the domain for these imposter email addresses was one letter off the authentic CFS business email domain.

Staff with RED did not pick up on the nefarious CFS email addresses. Staff at RED believed they had received an authentic invoice from CFS and acted upon it by way of their usual business practice – a wire transfer of funds. The rogues provided RED’s staff with the transit and account numbers for a Canadian Bank[1] account held in Toronto. As instructed, RED wired the funds to what they believed was the CFS bank account.

In most “business email compromise scam”[2] cases, the rogues set up bank accounts in fake names and provide the unsuspecting victims with bank transit and account numbers that match the beneficiary name. In this case, the rogues made an error in that the transit and account numbers did not match the account holder name, and the Canadian Bank that held the rogues’ account rejected the transfer. In other words, the rogues’ recipient account was not in the name of CFS or something so close that the recipient bank would accept it.

When the rogues learned that RED’s transfer to them had been rejected by their bank, they emailed RED using their spoof CFS email account and instructed RED staff to make the wire transfer to another bank account that they controlled held at JPMorgan Chase in New York. RED staff, without questioning the change of account information, wired $850,000 to the JPMorgan Chase account. Either JPMorgan Chase staff did not verify that the beneficiary name (CFS) matched with the bank account number, or the rogues set up an account in the CFS name at JPMorgan Chase. In any event, the rogues successfully received RED’s $850,000 into a JPMorgan Chase account that they controlled and CFS in Toronto was not paid.

Eventually CFS contacted RED to inquire about the timing of payment. RED advised CFS that they had sent payment to CFS’ JPMorgan Chase account. CFS advised RED that it did not have such an account. RED and CFS investigated the emails at the heart of the transaction and learned that the email accounts of CFS staff had been spoofed and that RED’s funds were lost through fraud.

RED immediately contacted its bankers to request a recall of their $850,000 wire. RED’s bankers in turn contacted JPMorgan Chase. Remarkably, $500,000 was returned by JPMorgan Chase to RED’s account, resulting in a net loss to RED of approximately $350,000. This is a strange story in itself, which is beyond the scope of this post. JPMorgan Chase refused to disclose the account holder identity used by the rogues, or any other information related to the use of one of their accounts by rogues.

So far, this story is of the typical “business email compromise scam” fraud variety, except that in most cases the victims do not make a partial recovery as RED did. What occurred next makes the story of this particular Norwich / tracing application somewhat novel.

The Second Attack

RED shared its server with a related business entity which we refer to as BLUE. As the rogues had access to RED’s computer system through their malware attack, they were also able to monitor business emails of BLUE. The rogues spoofed the email address of a BLUE accounts payable employee. After this BLUE employee sent a legitimate email to a supplier enclosing an invoice for payment, the rogues intercepted this email correspondence and sent a follow-up email to the supplier from the spoofed email of the BLUE employee enclosing payment instructions directing payment to a different account at the same Canadian Bank involved in the fraud on RED.

Thereafter the rogues sent fraudulent payment instructions to two BLUE suppliers – each directing payment to a different account at the Canadian Bank. Unlike the case with RED, BLUE was alerted to the fraud by one of the suppliers prior to either supplier having transferred any money to the accounts at the Canadian Bank. As the format and wording of the payment instructions from the rogues were the same in all cases, and because BLUE and RED used the same server, there was an evidentiary link to the same rogues using the second account at the Canadian Bank.

Should Canadian Financial Institutions be held Liable for Accounts used by Rogues?

As JPMorgan Chase refused to disclose the account holder information to RED, an application was made by RED as against the Canadian Bank for the account holder information used by the rogues. Lawyers from the Canadian Bank advised our office that they would not oppose our tracing / Norwich application, but were of the opinion that the Court in Toronto would not issue a tracing / Norwich order because the accounts of the Canadian Bank did not receive any funds directed there by the rogues.

It has long been our observation that the pandemic of phishing attacks and “email compromise bank frauds” would not be as successful as they are but for the fact that Canadian financial institutions are not held to account by our Courts when they permit accounts to be opened in fake names by rogues. We are not suggesting, of course, that Canadian financial institutions knowingly let rogues open accounts in fake names. We are of the view that in a contest between two innocent victims, Canadian financial institutions should be presumptively liable for 50% of the loss perpetrated by third party rogues using their systems.

In the case of RED, it was an innocent victim of a malware attack. Perhaps RED could have prevented the malware attack. Typical banking contracts provide that if a bank client is subject to a malware attack, the Canadian financial institution is not liable for anything. We are of the view that such bank contract provisions limiting liability should not be held to be valid and enforceable in scenarios where the bank has opened an account in a fake name used by rogues that is used to launder funds obtained by fraud through the Canadian financial institution.

Stated otherwise, the type of malware email compromise attack that befell RED is only possible if the rogues can set up bank accounts held in fake names. Typically once the victim’s funds are transferred to such a bank account, they are then transferred from the account in a fake name to a cryptocurrency exchange or some other account to launder the illicit proceeds – and at that point are usually unrecoverable. This is a topic for another blog – for now we continue on with this tracing story.

The Novel Norwich

The decision we received by the Court has nothing to do with the problem of rogues using accounts at Canadian financial institutions to launder stolen funds. In fact, in a Norwich / tracing application part of the legal test is that information is sought from an “innocent” third party, being a Canadian financial institution that is the only source of information for the fraud victim to attempt to recover its loss.

In our case, both RED and BLUE applied for the account holder information from the Canadian Bank. Its ultimate use is to determine if there is a person in Canada that can be pursued for the loss, or alternatively to support an application in New York to trace the remaining $350,000 loss from the JPMorgan Chase account that was used by the rogues, and hopefully preserve and recover it.

Typical tracing / Norwich applications in Canada are used to determine if the stolen funds are still in the account used by rogues or to determine the identity of the account holder where the loss was incurred through the account which is the target of the application. We are not aware of a reported decision in Canada where a tracing / Norwich order was issued where there was no loss incurred through the target account. This is why we refer to this particular judgment as a “novel” Norwich decision.

In our application, the Court’s decision included the passage quoted in almost every decision of this nature:

Disclosure of documents may be ordered where the person against whom discovery is sought has, through no fault of their own, been involved in wrongful acts of another so as to facilitate the wrongdoing: Isofoton S.A. v. Toronto Dominion Bank, [2007] 85 O.R. (3d) 780, at paras. 30-33. Financial institutions that innocently get caught up in the wrongful acts of others are under a duty to assist the Plaintiff by giving the Plaintiff and the court full information.

The Court then set out the usual five-part test applicable to tracing / Norwich applications. The Court found that the rogues had engaged in an attempted fraud through the Canadian Bank, and then a successful fraud through the foreign financial institution JPMorgan Chase. The Court further held that the rogues’ identity could not be ascertained through a data forensics investigation by RED, and therefore the Canadian Bank was the only possible source of the rogues’ identity. The Court further held:

In circumstances of fraud, the interests of justice favour obtaining disclosure from the financial institutions to determine the location of the funds. The interests of the Applicants in obtaining disclosure over balances the interests of the fraudulent agents including their interest in privacy and confidentiality.

This is the ultimate legal contest – the “right to know” becomes more important than a rogue’s “right to privacy”. We would submit that a rogue simply has no right to privacy after their fraudulent conduct is proven and where third parties are used to perpetrate their fraud. This is not a stunning legal statement – this should be common sense – yet to some rogue sympathisers that we have to deal with, it is not.

Further Information on Tracing / Norwich Applications and Production Orders

We are aware that the chances of recovery by RED through this tracing application are low. That said, one never knows. As rogues are dealing with someone else’s funds, they often do not care what gets recovered. We have had a case where we recovered approximately $800,000 in an “email compromise bank fraud” scenario, and then recovered over $1M from the Canadian Bank for their role in not stopping it.

Our firm is a well-oiled machine for preparing and filing tracing / Norwich applications. We typically file these applications in writing and on an urgent basis, and Courts typically issue the requested orders within days. Canadian financial institutions typically respond to such orders within a week.

The pace at which tracing applications can be processed in the civil system is much quicker than in the bankruptcy or criminal systems. Typically, bankruptcy trustees and the police take much longer to produce the required applications because they do not operate under the same motivations as we do. Further, Canadian banks are typically much quicker to respond to civil court orders than they are to orders issued in the bankruptcy courts or the criminal process. There is good reason for prioritizing civil trace orders.

The downside for fraud victims is that tracing applications in the civil court system usually need to be funded by victims given the high risks involved in recovery. We do not accept such retainers on a contingency basis. The bottom line is that tracing / Norwich applications through fraud recovery firms such as ours are the best chance for recovery. If you are a fraud victim, we welcome your inquiry.

[1] We use the term “Canadian Bank” so as not to disclose which financial institution in Canada was utilized by the rogues to perpetrate this loss – rogues use all Canadian banks for their own purposes.