On her son’s 9th birthday, Jane Fleming was completely engrossed at the thought of how she lost $51,000 to be exact, while lighting her son’s birthday cake.
It was on this day that she’s come to the realisation of having transferred the amount into a scammer’s bank account.
In May, Jane who helps in a family-owned building business, was organising to pay $51,000 to a subcontractor. Jane said, “”I thought it’s a huge [invoice]. I’ll break it up into two payments until we’ve got more funds to pay for the whole invoice,”.
Jane had worked for almost a decade with Simon O’Donnell, a concreter and have been making numerous payments to him since then only to find out a couple of days later that the money hasn’t gone through to Simon, prompting him to ring Jane’s husband. Simon said he had his bank account on his computer screen right in front of him and that there was no money there. Jane could be heard in the background telling his husband who was on the phone with Simon that Simon was the one that changed his bank details and that’s when Simon fathomed the scam.
Simon said, “Such a substantial loss of money was a kick in the guts in an already difficult period. You feel completely helpless. I’ve, from my angle, done nothing wrong. I finished a good job for someone, he was happy with the job, and I’m a lot of money out of pocket for six months, which during COVID hasn’t been ideal.”
But the money had already been missing so Simon and Jane strived to get it back.
Jane did notice that Simon’s bank account and details had been changed before the money was transferred when she received the invoice of $51,000 from Simon.
Jane was under the impression that Simon had possibly changed the details within the six month duration as they hadn’t used Simon within the time period.
There was nothing out of the ordinary with the email Jane had received showing a detailed record of the completed job until in after having compared the email Simon sent and the one Jane received, it was lucid that something wasn’t right.
Upon checking Simon’s outgoing messages, the invoice was sent to Jane on a Friday at 4:56pm but didn’t come through to Jane’s inbox until Saturday, 7:30am.
Associate Professor and Associate Dean for Computing and Security at Edith Cowan University, Paul Haskell-Dowland said, someone had acquired access to either Simon or Jane’s computer, and was waiting for such opportunity.
“So potentially having direct access to the computers and monitoring them, perhaps keeping an eye on them for a while, getting a feel for the kind of invoices that are being sent that way. It’s that control that has allowed the attackers to manipulate and modify emails between the two parties in this particular case, “ said Dr Haskell-Dowland.
Dr Haskell-Dowland added that the hackers may have long been accessing the computer and a late-afternoon invoice became their main target.
According to Dr Haskell-Dowland, “an end-of-day invoice coming through where they know that the receiving company isn’t going to look at their email … that opens up an opportunity and it gives them time to analyse the email, to examine the [attached invoice].”
Businesses being stolen millions from by scammers
Simon and Jane fell victim to a clever Business Email Compromise (BEC) scam.
Jane added that she didn’t know that an invoice could be intercepted between a supplier and themselves and altered.
Scamwatch said, BEC scams netted $5.3 million across Australia last year but when data from other government agencies were combined with the big four banks, it was recorded to sum up to $132 million.
This year, 1,099 BEC scams worth $3.7 million in losses were reported to Scamwatch.
Kate Carnell, Small Business Ombudsman said, the average amount businesses lost per transaction was $10,000.
Carnell said, “just recently, a survey was done of nearly 2,000 small businesses and 62 per cent of them had been hit by some level of cybersecurity breach, and this one, the invoice interception is now one of the most common. What we’re seeing is a significant increase and some of that increase we think is because people are working from home with less secure systems.”
Finding out who’s behind the keyboard
Finding out how the scammers did it was easier compared to the complexity of tracking down who’s behind it.
Jane and Simon’s computers were examined for malware indications and nothing came up.
Dr Haskell-Dowland said “It is quite possible that the malware has been removed by the attackers because the attack has been successful. They’ve achieved their goal. They’ve taken the money and they are now erasing their tracks.”
Even though it did appear as Simon’s email address who sent both the fraudulent $51,000 and $804 invoice, metadata displayed that each invoice was actually sent by a different email address.
The person who owned one of the email addresses was tracked down by ABC and found out he too had been hacked. His email was used by the scammers to target others and managed to successfully scam $20,000 out of a Canberra builder.
Practically powerless: Police
The investigation with what transpired between Simon and Jane was done by Victoria police, but justice is nowhere near.
The site associated with the hack of the builder’s website was based in Singapore – according to the investigation established by Associate Professor Haskell-Dowland. The investigation was further hampered, as police believe the scammers have withdrawn money in west Africa.
Lead Detective Senior Constable David Morrison, a local police officer is now trying to figure out who’s behind the chain of Australian bank accounts used to move the money overseas. In his statement, he told the ABC, “Unfortunately at this stage, I have not been able to identify the account holder of the offending account, and it is possible the account was opened online under a false name and address.”
Lead Detective Senior Constable David Morrison said he had contacted multiple banks involved in a bid to trace the money.
He added, “I have received some information as to the account holder’s details … however I am yet to receive information regarding the movement of the monies. Attempts are still being made to identify the account holder/s of the relevant accounts, however again, it is fairly probable that these accounts were opened under false names.”
Jane was told in a separate correspondence with Victoria police: “Any further investigation is unlikely to result in a successful prosecution of the party responsible.”
According to the email, it was partly because of jurisdiction issues and whether Interpol would investigate a fraud of such amount.
Victoria Police clarified that there is no minimum loss required to progress investigations to Interpol, although different countries have their own acceptance criteria and police are capable to work with the AFP and government agencies to investigate international scams.
According to Leading Senior Constable Morrison, the matter would likely be turned over to the Australian Federal Police (AFP).
AFP’s priority however is to “investigate cybercrime threats against Commonwealth Government departments, critical infrastructure and information systems of national significance”.
The Banks – What Are They Doing?
While going through the trail of foreign servers and hacked emails, cyber specialist Dr Haskell-Dowland questioned what Australian banks were doing to prevent this kind of crime.
He said, “In terms of how to improve the situation, certainly the banks would be the [place to start].”
Information must be verified when setting up bank accounts, it is a legal obligation for banks.
However, according to Victoria Police, the Commonwealth Bank account which Jane deposited the money into appeared to have been set up online with a false name and address.
Dr Haskell-Dowland added that could be prevented by strict “in-person identity checks, removing the opportunity for people to do this electronically, without undertaking some form of formal verification”.
Jane expressed that she’d been “going in circles” trying to get assistance from the banks and regulators.
According to Jane, “CBA said they weren’t negligent and then AFCA (Australian Financial Complaints Authority) said we’re not in the jurisdiction because we’re not customers of CBA. Then they said to contact ASIC, who pointed us back towards AFCA.”
Jane has since received an email from the CBA refusing her refund request, advising her to, “approach your financial institution (Bendigo Bank) and lodge a claim for these funds”.
“I’d like this to be resolved by CBA acknowledging that they are negligent and allowing criminals from overseas to operate in Australia,” Jane said.
“I feel like they’re making it really easy.” Jane, added.
“It sounds like anyone can open a bank account with any name and then I can put money into that account in another business name and there are no alarm bells going off.”
The Commonwealth Bank said it acted swiftly to block the account, which is now closed, as well as supplying information to authorities.
CBA added in a statement, “Despite the commitment and best efforts of regulators, law enforcement agencies and the banking industry, such frauds and scams sadly still occur. It is widely recognised that scams are becoming increasingly sophisticated which has prompted increased investment across the sector in resources, systems, data and intelligence to combat fraud and alert the Australian public to the risks the community faces.”
Hoping for a resolution, Jane lodged an AFCA complaint to the Bendigo Bank and in response, the bank said it tried to retrieve the money as soon as it was given notice of the situation.
The bank added, “The correct procedures were followed to notify the other financial institution (Commonwealth Bank) and to request a recall of the funds. Because of the time delay between the funds being sent and notifying Bendigo Bank of the fraud, the likelihood of recovery for any other financial institution would be very low.”
It was conferred by the bank that those efforts were eventually unsuccessful.
When asked by the ABC about Jane’s case, the Bendigo Bank declined to comment while the matter was still before AFCA.
Crosscheck your invoices
The Australian Financial Complaints Authority said it was collaborating with industry and other stakeholders in the hopes of reducing invoice hacking scams.
In a statement, AFCA lead ombudsman banking and finance, Evelyn Halls said, “To avoid falling victim to invoice hacking scams, consumers should call the supplier to confirm the correct account details before transferring large amounts of money, especially if they have received an email from the supplier saying their account details have changed,”
Both Jane and Simon are unable to quite heavily validate the advice.
Now, the concreter sends a text with every invoice he sends, while Jane calls the sender to verify the details before paying.
According to Jane, “Just any invoice that you get, check if it’s a new [account] with a new BSB and account number, just call your supplier and confirm that that is their details.”