How we combined a Norwich Pharmacal order against HSBC with OSINT to identify the people behind an international email fraud
By Yair Cohen, Solicitor specialising in internet law. Case led by Paul Greenberg.
This case study is about how we acted for a US-based multinational client that fell victim to an invoice fraud. Someone, posing as a colleague at the group's UK subsidiary, emailed our client's accounts department to notify them of a small change to the UK company's bank details. Without realising they had been defrauded, our client transferred more than US$200,000 to the new UK account at HSBC.
Our client wanted three things from us. To trace the funds. To identify the people behind the new HSBC account. And to find out whether any of their own employees, in the USA or the UK, had been complicit in the fraud.
The matter called for both a Norwich Pharmacal order against HSBC and a layer of open-source intelligence (OSINT). This case study sets out how we obtained the order on paper without a court hearing, how the bank disclosure and the OSINT work fitted together to identify the people behind the fraud, and how the matter is now with the Metropolitan Police where the criminal investigation is ongoing. The same identification toolkit drives our wider work on how to unmask someone behind anonymous online posts.
What happened to our client
Our client is a US-based multinational food-products distributor with operations across North America, Asia and Europe. Some details of the case have been changed to protect the privacy of our client.
The fraudster's first move was to register a domain name that closely resembled the company's own. The difference was a single character that would be easily missed; to a casual reader the addresses looked identical. From that lookalike domain, the email to our client was sent under the name of a real senior employee at the UK subsidiary, complete with the company's standard letterhead, accurate invoice numbers and matching payment figures.
When our client's accounts team rang to verify the new banking details, the fraudster had thought of that. They had set up a phone number presented as the UK subsidiary's accounting line, but which in fact rang straight to the fraudster, who confirmed the false account details on the call. Reassured, our client transferred more than US$200,000 to the new HSBC account. By the time the company realised what had happened, the money had gone and the fraudster had disappeared behind the anonymity of the receiving bank account.
Why a Norwich Pharmacal order was the right remedy
When a fraud of this kind is discovered, the victim faces an obvious problem. They know the money has been stolen. They know which bank account it was paid into. What they do not know is who actually controls that bank account.
The bank itself is not the wrongdoer. It has been used by the fraudster as the route for the money, but it has done nothing wrong. The bank holds the information that would identify the fraudster, including the name on the account, the address given when the account was opened, the identification documents provided when the account was opened, and a record of where the money went after it arrived. Without that information, the victim cannot bring civil proceedings against the fraudster, cannot make a credible report to the police, and cannot begin to trace the funds.
A Norwich Pharmacal order is the legal route into that information. It is a court order that requires a third party who has become innocently mixed up in someone else's wrongdoing to disclose what they know about the wrongdoer. In fraud cases, the third party is very often a bank. The order is named after the case that established the principle, Norwich Pharmacal Co Ltd v Customs and Excise Commissioners [1974] AC 133, decided by the House of Lords in the 1970s and developed by the courts in many cases since. The original case was pre-internet; the modern application of the principle is exactly the kind of online fraud our client faced.
To obtain a Norwich Pharmacal order, a victim has to show the court a number of things. There must be a good arguable case that wrongdoing has taken place. The third party must have become caught up in that wrongdoing, even innocently. The third party must hold information that the victim genuinely needs. The order must be a proportionate response, in the sense that the information is not easily available in any other way. The court has a discretion and weighs these factors before deciding whether to grant the order.
In our client's case, every one of those requirements was clearly satisfied. The fraud was obvious. HSBC was the bank through which the stolen funds had passed. The information needed to identify the fraudster was held only by HSBC. The company could not realistically obtain that information through any other route. There was a strong case for the order to be made.
Obtaining the order without a court hearing
We have established a process under which, in suitable matters, we are able to obtain a Norwich Pharmacal order on paper without a court hearing. That saves the client a great deal of money. More importantly, it lets us act with the kind of speed fraud matters tend to require, where every day the funds remain in the recipient account is a day in which they may be moved on.
The route is not available in every matter. Where the bank does not oppose the order, where the evidence is well presented and where the application is well drafted, the court can be invited to decide the application on paper. The judge reads the papers in private and either grants the order or refuses it, without anyone having to attend court.
We approached HSBC before we issued the application. HSBC has experience of Norwich Pharmacal applications and is generally cooperative with them, although for proper reasons it cannot hand over information about its customers voluntarily without a court order. HSBC agreed not to oppose the application, which meant the court could be invited to grant the order without a hearing.
The order was granted on paper. HSBC then began the process of disclosure.
What HSBC was required to disclose
The order required HSBC to disclose the information it held about the account into which our client's money had been paid. That kind of disclosure typically includes the name and address given when the account was opened, the date the account was opened, the identification documents provided to the bank, transaction records showing where the money went after it arrived, and any other contact details on file for the account holder.
The disclosure matters for two reasons. First, it identifies, or helps to identify, the people behind the account. Second, it begins the process of tracing the stolen funds. Where the money has been transferred onwards to other accounts, the disclosure can be the start of a chain that eventually leads to where the funds ended up.
From bank disclosure to identification: the OSINT layer
The disclosed bank data is rarely the whole answer on its own. The name on the account may belong to a mule recruited online rather than to the architect of the fraud. The address given when the account was opened may be a short-term let or an accommodation address. The phone number on file may have been swapped out by the time the disclosure comes back. In our experience, the value of the bank disclosure is what it sets up next.
That next stage is open-source intelligence, or OSINT. We took the name, address, identification documents and onward transaction details from HSBC and cross-referenced them against what was publicly available. Companies House records, directorship history, registered addresses, social media profiles and the registration footprint of the lookalike domain were all part of the picture. The phone number the fraudster had supplied for the "verification" call had its own history that could be traced. The disclosed onward transfers gave us further accounts to look at and, in turn, further names. Each new data point was checked against the others until the picture of who was behind the scheme was firm enough to act on.
Part of what our client wanted to know was whether the fraudster had inside help. The level of company-specific detail in the fraudulent email (real invoice numbers, accurate payment figures, the correct internal letterhead) meant someone had access to the company's billing records or had been able to obtain them. As part of the OSINT layer we cross-referenced the disclosed account holder data and the onward transaction trail against the people known to be in contact with the relevant accounts teams in both the US and the UK. That analysis fed into the wider picture of who was behind the scheme, and it remains one of the lines of inquiry the criminal investigation continues to consider.
For more on how the open-source layer fits alongside court-ordered disclosure, see our note on how to get a disclosure request through to Google, which sets out the same three-stream approach in a different platform context.
Challenges we worked through
Even in a case that ultimately went well for our client, the process was not entirely smooth. There were two main difficulties.
The first was that HSBC's initial disclosure was incomplete. Some of the information required by the order had been left out. The omission was not deliberate. When we wrote to HSBC explaining what was missing, the bank acknowledged the oversight and provided the further information promptly. That kind of issue is common in Norwich Pharmacal disclosure, and it is one of the reasons why a careful review of the bank's response is so important. A lawyer who does not check the disclosure against the order may not notice that anything is missing. We do not let that happen.
The second difficulty was the court system. At the time of our application the court was working through a backlog, and our application was taking longer than it should have done to reach a judge. The court itself was not opposed to the order. It simply could not get to it as quickly as the urgency of the situation required. We wrote to the court to explain the urgency, and to ask that the case be assigned to a Master so the application could be considered without further delay. That intervention worked. The application was placed in front of a Master and the order was granted shortly afterwards.
In a case where stolen funds are at risk of being moved on, every day of delay matters. Knowing how to push the court politely but firmly is part of the value a specialist firm brings to this kind of work.
Handing the matter to the police
Once we had a firm view on who was behind the fraud, the next step was the criminal route. We prepared detailed reports for Action Fraud, the Insolvency Service and the Metropolitan Police on our client's behalf, setting out the chain of events, the evidence we held, the disclosed bank data and the conclusions our open-source work had reached. The matter is now with the police, and we continue to assist with supplementary material as the investigation moves forward.
The bank disclosure identifies the account. The open-source work identifies the people. The criminal route is what follows, and it works best when the civil disclosure has already done the heavy lifting.
What this case shows about Norwich Pharmacal orders in fraud cases
Three points from this case are worth taking away for anyone in a similar position.
The first is that Norwich Pharmacal orders are not a theoretical legal tool. They are used regularly and they work. In this case the order produced the information our client needed to identify the people behind the scheme and to take the next steps in dealing with what had been stolen.
The second is that UK banks, while usually cooperative with these applications, still need the order before they can act. HSBC and the other major UK banks are familiar with Norwich Pharmacal applications, and many have specialist teams that respond to them. That does not mean they can simply hand over information about their customers when asked. They cannot, and they should not. The customers of a bank have a reasonable expectation that their information will not be disclosed to third parties without proper legal authority. The order is what provides that authority. Once it is in place, the bank can comply without breaching its duties to its customer. The applicant usually pays for the bank's reasonable costs of compliance, which is worth factoring into the budget at the outset.
The third is that a court hearing is not always necessary. Where the application is properly prepared, and where the bank does not oppose it, the court can deal with the application on paper. That is what happened in this case. The saving in legal costs can be considerable, and the time between the discovery of the fraud and the disclosure of the information needed to deal with it is significantly shorter.
For the wider follow-the-money pattern across UK banks and payment processors, see our note on disclosure orders in financial crimes.
Lawyers' thoughts on Norwich Pharmacal orders in email fraud cases
Email fraud of the kind that affected our client is now one of the most common forms of commercial fraud in the UK. The reason is straightforward. The fraud is cheap to carry out, hard to detect, and capable of generating very large sums very quickly. A single successful invoice-redirection or CEO-impersonation fraud can produce six or seven-figure losses from a business that has done nothing wrong other than fail to spot a near-perfect copy of a colleague's email address.
The legal framework has adapted to that reality. The Norwich Pharmacal jurisdiction, originally developed in a patent case in the 1970s, is now one of the central tools the courts use to deal with online and email-based fraud. The willingness of judges to deal with these applications quickly, and where appropriate without a hearing, is an important part of why the remedy works. The cooperation of the major UK banks is another. The discipline that ties it together is preparation: a well-evidenced application, a precise schedule of disclosure tied to the legal grounds, and a careful follow-up on whatever the bank discloses. None of the rest of the work has the same effect without that.
The cross-border element is the part that is least understood. Where the underlying conduct sits in another jurisdiction, the criminal investigation will often have to travel through mutual-assistance channels between police forces. That is a slower route than a UK-only investigation, and time-sensitive evidence such as IP and telephone metadata can fall outside the window in which it is still accessible. Where there is a serious cross-border element, the civil work to identify the people behind the fraud needs to start straight away. The criminal route can follow, but it follows the civil disclosure rather than the other way round.
Frequently asked questions
What is a Norwich Pharmacal order?
A Norwich Pharmacal order is a court order requiring a third party who has become innocently mixed up in someone else's wrongdoing to disclose what they know about the wrongdoer. In fraud matters the third party is very often a UK bank. The principle comes from Norwich Pharmacal Co Ltd v Customs and Excise Commissioners [1974] AC 133 and has been developed by the courts in many cases since.
Can a Norwich Pharmacal order be made against a bank?
Yes. UK banks are the most common third-party respondents in fraud-related Norwich Pharmacal applications. HSBC and the other major UK banks have specialist teams that deal with these applications and are generally cooperative, but they cannot disclose information about their customers without a court order. The order is what authorises the bank to disclose.
Do I need a court hearing to obtain the order?
Not always. Where the bank does not oppose the application, where the evidence is well presented and where the application is well drafted, the court can deal with it on paper. That saves cost and time. Where the application is contested, or where the court has questions, a hearing follows in the normal way.
How quickly can a Norwich Pharmacal order be obtained?
An application that proceeds on paper with a cooperative bank typically reaches an order within a few weeks of issue, subject to the court's availability. A contested application takes longer. In matters where the stolen funds are at risk of being moved on, we will often write to the court to explain the urgency and to ask for the case to be allocated to a Master without delay.
What information does the bank disclose?
The order will set the exact list. Typical categories include the name and address given when the account was opened, the date the account was opened, the identification documents provided to the bank, transaction records showing where the money went after it arrived, and any other contact details on file. The schedule of disclosure is tailored to what the case actually needs.
Does the disclosed name always lead to the person behind the fraud?
Not on its own. The name on the account may belong to a money mule rather than to the architect of the fraud, and the address may be short-term. The bank disclosure is the starting point. We pair it with open-source intelligence (Companies House, social media, domain registration history, onward transaction trails) to build the fuller picture of who is actually behind the scheme.
What does a Norwich Pharmacal application cost in a fraud case?
Across our disclosure work, the floor on a cooperative bank application that proceeds on paper is around £5,000, with contested applications from £10,000 and a US follow-on under 28 U.S.C. § 1782(a) from £12,000 where the trail crosses into the United States. Every matter varies, and a precise quote follows the initial assessment. The applicant also usually pays the bank's reasonable costs of compliance.
What happens after the bank discloses?
The civil disclosure feeds into two parallel tracks. The first is the substantive civil claim, which may include a freezing injunction to preserve any funds still in the recipient account, a tracing claim against onward accounts, and a damages claim against the people identified. The second is the criminal route through Action Fraud, the relevant police force and, where the conduct sits outside the UK, mutual-assistance channels between police forces. The two routes run in parallel and the civil disclosure tends to do the heavy lifting that the criminal investigation later relies on.



































