Cyprus tightens measures to combat internet fraud in the digital era
Chrysanthos Christoforou of Elias Neocleous & Co outlines how the legislative and judicial departments of Cyprus are working to fight cybercrime
The rapid expansion and use of the internet, the digitalisation of almost every available piece of information on the planet, as well as the enormous increase in the volume of transactions taking place electronically on a daily basis during the last two decades, have also brought about an increase in internet fraud cases. The term ‘internet fraud’ generally covers cybercrime activity that takes place over the internet or via email, including crimes like phishing, impersonation, credit card and identification theft, and other hacking activities designed to swindle people or businesses out of money.
The online dependency of businesses and people worldwide is creating new opportunities for cybercriminals. According to Interpol officials, since the pandemic outbreak, cybercriminals have been developing and boosting their attacks at an alarming pace. Nowadays, the internet has become one of the most popular tools used to commit fraud. Internet scams that target victims through online services account for millions of dollars’ worth of fraudulent activity every year and this figure will continue to increase as internet usage expands and cybercriminals become more sophisticated. Given that cybercriminals operate with stolen identities and bank account details (names, addresses, credit card numbers) they are often hard for the authorities to trace. Obviously, such stolen data is used by them for the planning and realisation of further crimes.
In Cyprus, the Ministry of Justice and Public Order together with the Cyprus Police are the authorities responsible for the prevention and combating of cybercrime. There is a special cybercrime subdivision in the police which is responsible for the effective investigation of cybercrime. However, the specialised body in the Cyprus Police for cybercrime investigation is the Office for Combating Cybercrime (OCC) which is responsible for the investigation of crimes committed via the internet or via computers. The OCC cooperates closely with EU authorities and third countries on the basis of bilateral and multilateral agreements including, inter alia, the Europol (EC3), Interpol, the European Network and Information Security Agency (ENISA), the European Commission and many others.
The relevant legal framework
There is an extensive legislative framework in the field of cybercrime in Cyprus.
This legislation ratifies the Budapest Convention on Cybercrime and covers hacking, child pornography and fraud committed via electronic communication and the internet. The convention is the first international treaty on crimes committed via the internet. Its main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.
This law implements Directive 2013/40/EU on attacks against information systems. The objectives of the directive are to converge the criminal law of the member states in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions and to improve cooperation between competent authorities, including the police and other specialised law enforcement services of the member states, as well as the competent specialised union agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency (ENISA).
Other pieces of legislation in the field include:
The Law on the Retention of Telecommunication data for the investigation of serious offences (Law 183(I)/2007);
Law 26(III)/2004 which ratifies the EU Directive 2011/93/EE which covers, inter alia, child pornography;
Law 112(I)/2004 which regulates electronic communication.
The role of the Cyprus courts
There has been an increase in the number of new internet fraud cases brought before the Cyprus civil courts in recent years and it is encouraging to note that the civil courts in Cyprus have shown their readiness to adapt and to keep the pace with the cybercriminals. This is heartening because it is of the utmost importance for the courts to contribute to the fight against cybercrime. Otherwise, the scammers who tend to hide behind a veil of anonymity or false identification will always be one step ahead and the imbalance that exists between the victims and the cybercriminals will never be tackled.
Having handled numerous internet fraud cases for clients (usually for large corporations who fell victims of hackers, impersonation and the like), it can be observed that it is very common for stolen funds to be transferred immediately to multiple bank accounts (owned usually by foreign entities) in various jurisdictions around the globe. In such situations the courts can assist by granting freezing orders in order to ensure that the stolen funds are not further alienated, as well as Norwich Pharmacal relief against the banks in order to learn the identity of the account holder(s). In situations where the funds have already been further alienated, the courts can grant tracing orders in order to follow the money.
In a recent internet fraud (impersonation) case, the District Court of Nicosia granted ex parte a freezing order as well as a gagging order against the Bank whereas the Norwich Pharmacal type orders were left to be examined inter partes. The Cyprus courts have also acknowledged the difficulties in serving by conventional means anonymous defendants or defendants who do not want to be found.
Recently, the District Court of Limassol on the basis of O.5R.9 of the Civil Procedure Rules granted a novel form of alternative service, i.e. that of service via Facebook Messenger, which is definitely a step in the right direction. This is because in injunction applications made without notice the general rule is that the proceedings and the order must be served on the respondent as soon as practicable.
This type of alternative (electronic) service is not so uncommon in the UK where, for example, in LJY v. Person(s) Unknown  EWHC 3280 (QB), the court deviated from the general rule and permitted the claimant to serve the defendant by text.
It remains to be seen who the ultimate winner shall be in the fight against cybercrime. So far, both the authorities and the courts have shown good reflexes in assisting corporations and private individuals who have fallen victims of cybercriminals. However, in response, the cybercriminals have always been able to develop even more sophisticated cybercrime techniques.
Partner, Elias Neocleous & Co