I am sure you often read articles or are confronted with documents on cybercrime, offering helpful advice on cybersecurity, steps to stop cyber theft and what not to do. However, until you have been the victim of cybercrime you just don’t realise how helpless you really are, how inadequate our banking system is, and how little ability and how few resources the police have to investigate cybercrimes. We are inundated with advice on how to protect ourselves, but protection is only one piece of the picture. Preventing, Protecting and Recouping is the complete picture: we need to ensure we continuously prevent cybercrime and that, when it does happen, we can recoup effectively. We cannot continue to talk about cybercrime only in terms of security; we have to look at the bigger picture. I agree with ACS that, despite the technical nomenclature, our approach to cybersecurity is as vital to our way of life as the technology itself. In fact, they cannot be separated: our economic health, our national security and indeed the fabric of our society are now defined by the technology we depend on every day. However, this is equally true of prevention and recouping, and they need to be addressed just as avidly as we are addressing security.
My story, which I am sure is like many others, is as follows. I had been renovating my house and was conversing with my builder through email, and when the time came for payment the builder sent a bill to my email address (in the form of a PDF invoice). This all seemed normal, with no obvious issues. I paid the invoice ($30,000) into the bank account detailed on his invoice. I notified my builder after making the payment (that afternoon) to inform him the invoice was paid. Since it was a large amount, I wanted to confirm he had received the funds and contacted him the following morning, upon which he informed me he had not. I was concerned and checked his invoice, including the account number, directly with him, and to my surprise I discovered they were not his account details. This immediately raised alarms and I started to investigate, which led me back to the original email I had received from the builder. I did an SMTP (Simple Mail Transfer Protocol) trace on the email and found that it had actually been relayed through two external nodes: Magichandsmassage.co.uk (Magichandsmassage, by all accounts an above-board, reputable financial advice bureau in the UK) and Yandex.com (a Russian multinational corporation specialising in Internet-related products and services). After further investigation and research I realised this was a Man-in-the-Middle Attack (MITM), “an attack where the criminal secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other”.
I looked at the security dashboard on my Microsoft email account, reviewed my access history and found that my account had been accessed from Vietnam, Thailand, Russia, China and other locations. Basically, the people performing the MITM hack may not have been in these countries but were using localised nodes in these places to download and retrieve my emails, read them and then respond through a secondary SMTP node in the UK posing as the originator or respondent.
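To show what the “SMTP trace” described above actually looks at, here is an added example (not part of the original article) that reads the Received: headers of a constructed message, lists the relay chain oldest-first, and flags a message whose claimed sender domain never appears among the relaying hosts. All domains, addresses and the invoice number are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): the From: header claims the builder's
# domain, but the Received: chain shows the message entering via two unrelated relays.
SAMPLE_EMAIL = """\
Received: from relay2.example-second.net (relay2.example-second.net [198.51.100.7])
    by mx.recipient-mail.example (Postfix) with ESMTPS id ABC123
    for <owner@recipient-mail.example>; Mon, 1 Apr 2024 09:12:01 +1000
Received: from webmail.example-first.org (unknown [203.0.113.44])
    by relay2.example-second.net with ESMTP id DEF456;
    Mon, 1 Apr 2024 09:11:50 +1000
From: Builder <accounts@builder.example>
To: owner@recipient-mail.example
Subject: Invoice 4471 - updated bank details

Please find attached the invoice.
"""

# Each Received: value reads "from <host> ... by <host> ..."; capture both hostnames.
HOP_RE = re.compile(r"^\s*from\s+([A-Za-z0-9.\-]+)(?:.*?\bby\s+([A-Za-z0-9.\-]+))?", re.I | re.S)

def registered_domain(host):
    """Loose owner comparison: last two labels (a public-suffix list would be stricter)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def trace_received_chain(raw_message):
    """Return (from_host, by_host) hops in chronological order (top header = latest hop)."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.match(header.replace("\n", " "))
        if m:
            hops.append((m.group(1), m.group(2) or "?"))
    return hops

def relay_check(raw_message):
    """Compare the claimed From: domain against the domains that handed the message on."""
    msg = message_from_string(raw_message)
    sender_domain = registered_domain(parseaddr(msg["From"])[1].split("@")[-1])
    hops = trace_received_chain(raw_message)
    sending_domains = {registered_domain(src) for src, _ in hops}  # "from" side of each hop
    return {"sender_domain": sender_domain, "hops": hops,
            "sender_in_chain": sender_domain in sending_domains,
            "foreign_relays": sorted(sending_domains - {sender_domain})}
```

A result with `sender_in_chain` false and several `foreign_relays` is the signal to confirm payment details out of band, by phone, before paying.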
This all happened within a 24-hour period (the elapsed time between my paying the builder at 3pm and my following up at 9am the next day). I immediately phoned my bank to report the fraud and to recover my funds. I was put through to a call centre and explained the issue; however, the call centre was not at all helpful and lacked the urgency required. Fortunately, I have a good relationship with my bank manager and called him immediately, sending him the evidence I had. He directly alerted the payee bank’s internal fraud squad within the hour. I also reported the crime to the police. What happened then within the payee bank I do not know. It’s a blank page, as the payee bank will not supply any information and refused to communicate with me directly. However, below is what actually happened, based on my experience, set against what should have happened:
What ACTUALLY happened: The payee bank’s internal fraud investigators are informed through the bank’s process, which in many cases is still not electronic. There is no time limit for this process; the fraud team can take up to 10 days to investigate the dispute, and bank accounts are frozen only once they have gathered enough evidence.
What SHOULD have happened: The payee bank’s internal fraud investigators, once informed, should have immediately frozen the account(s) in question, with no funds out or in allowed, and immediately instigated “advanced fraud analytics” to capture all account activity and interactions across the accounts in question.
What ACTUALLY happened: The bank did not perform its KYC checks correctly, and investigations are slow because the customer’s proof of authenticity (Proof of Identity, Proof of Address, etc.) and other relevant documents were fraudulent to begin with. The funds are partially transferred to a series of mule accounts and the money is lost. (Mule accounts can be either accounts created by criminals using stolen or synthetic identities, or accounts belonging to legitimate customers who have allowed criminals to use their account for illegitimate reasons.)
What SHOULD have happened: The payee bank should have immediately investigated the accounts for fraudulent use: KYC (Know Your Customer) checks would have been instigated, the account owners contacted, the appropriate authorities informed of the criminal action and the criminals apprehended. If the accounts were not fraudulent, the immediate investigation would have confirmed their legitimacy.
What ACTUALLY happened: The payee bank does not transfer the funds back, or only partial funds are returned.
What SHOULD have happened: The funds would have been returned to the payer.
After more than five days of no communication from the payee bank (a well-known National Australian Bank), I had $21,700 of the $30,000 returned to my account. However, I was still missing $8,300 (I assume that to this day these funds had been transferred to a mule account and then transferred out of the payee bank). My bank could do no more to support me at this point, and the payee bank would not deal with me directly. So, what course of action can one take to retrieve funds, besides spending huge amounts of money on a lawyer with no guarantees? The following is the action I took:
- Letter to the payee bank CEO – There are some very useful sites that supply email addresses for corporate executives, such as https://ceoemail.com/australia-newzealand-companies.php. I wrote to the payee bank CEO because I believed they were negligent in allowing the accounts to be created in the first instance, and because of the lengthy amount of time that passed before action was taken. A process called KYC (Know Your Customer) exists which validates whether a customer is legally opening the accounts for personal use. It is a series of specific checks, and these checks are compliance regulations that the payee bank needs to adhere to. The accounts were set up specifically for fraudulent use, and therefore I believe the bank technically should have been liable, given that the KYC process did not identify the fraudulent accounts. Reference letter below and payee bank’s position.
- Notify the police – I raised awareness with the local cyber crime department. The police could not do any more as they didn’t have the resources, and the general opinion seemed to be that anything under $10K is not considered a priority or recoverable in respect of the resources and time (costs) required to recover it (as the cost in police time would be worth more than the amount lost). Furthermore, it was obvious to me that the police just don’t have the resources or technical capability to chase cybercriminals to the extent needed.
- Notify the financial ombudsman – I raised a case with AFCA (Australian Financial Complaints Authority). AFCA would not pursue the matter with the payee bank because, crazy as it sounds, I was not a customer of the payee bank. Quote: “AFCA cannot consider the complaint because the payee bank has not provided you with a financial service.” This makes a mockery of our banking system, as any transfer between banks or payment outside of your own immediate bank could potentially go wrong and there is no recourse.
So, there you have it, Cybercrime at its best. Clearly criminals know how to beat our banking system; our police system; they are technically astute and our financial ombudsman is as useful as a chocolate teapot.
Having been at the forefront of, and a victim of, cybercrime has taught me the reality that we all need to be knowledgeable in our increasingly digital world; it is critical to our future and needs to be addressed by us all. I am writing a series of articles on the topic of Digital Identity, as this has become a passion of mine over the years. Building and running my own companies, developing and running a GDPR practice in the UK and providing technical consultancy services to clients has encouraged me to research, be knowledgeable about and comprehend how to contend with cybercrime, digital identity, identity management and our digital footprint.
My next article will address what I am now doing personally to combat cybercrime and how we need to safely exchange our digital identity information, followed by further articles on compliance, social media, our digital footprint and what the future may hold for Digital Identity.