Inside the boiler room: Two weeks of scamming the scammers

Modern phone and online scams are becoming increasingly sophisticated and difficult to spot.

After two weeks of phone and email conversations where I was walked through an alarmingly elaborate charade of a bank investment, I had to come clean.

"I'm wondering if you've googled me or not. I'm an investigative journalist, and last month I wrote a story about a boiler room investment scam. And this is pretty much what I think is happening here."

The English-accented voice calling himself Citibank employee John Bishop seemed somewhat taken aback.

"It's a shame," he stammered, "that you've come to this conclusion."

"I'm just wondering how did you get into this business? Because it's pretty well-run in that I can't figure out where you guys are based, but this is a pretty strange way to earn a living."

"John Bishop" - who, according to Citibank's head office in Australia does not work for the bank, and nor did any of the other aliases I'd spoken to over the previous fortnight - did not wish to engage further and terminated the call. The constant stream of daily phone calls and emails from him and his colleagues in their boiler room abruptly ceased.

After reporting on the case of a New Zealand couple who sent $400,000 offshore - with the sum belatedly returned by Australian banks after the Herald began making inquiries - an examination of IP addresses, email headers and browser histories revealed the scammer's honeypot.

Exploring how their scam first finds, and then lures in, its victims shows an evolving and surprisingly sophisticated strategy that is becoming more difficult to spot and avoid.

With people naturally suspicious of cold-callers, this operation has its potential targets self-select. A slick website pitched as a way to compare fixed-rate returns asks for users to provide contact details. Three days after doing this, the calls begin.

"My name is Jim Rose and I'm calling you from Citibank, and you had requested some information regarding an investment?" the first call started.

Beyond confirming details to enable the sending through of a prospectus, "Jim Rose" did not yet press for money and misleadingly stressed his institution was covered by an Australian government scheme guaranteeing the investment.

"Your money is never at risk. This is very important in this day and age," he said.

Such a scheme does exist - although the scammers seemed alarmingly unclear of its details when pressed - but obviously the Australian Government does not insure frauds run out of boiler rooms.

The prospectus, when it arrived the following day from a specially-registered email domain with Citibank in the address and a legitimate-seeming bank email signature, bore striking similarities with a document the scammers were using earlier in the year pretending to be from Westpac.

These documents are reasonably polished, but imperfect. The Westpac iteration provided an alleged statement from a CEO who had departed the bank a year prior, while the Citibank documentation managed to misspell the name of its own chief executive when doing the same.

Popular advice about being wary of offers that seem too good to be true also seems to be being taken on board by scammers. While the Westpac iteration made promises of well-above-market returns of 6.9 per cent, the Citibank variation was a more modest - and almost believable - 5.2 per cent.

In January, Westpac issued a warning about the earlier version of the scam describing it as "sophisticated".

For their part, Citibank representatives in Australia told me they did not offer financial products or services to New Zealand retail clients, and strongly distanced themselves from the investment proposal being touted.

"Citi confirms that this is not a Citi-issued product, or offering, and investors should be vigilant when they receive unsolicited offers from unknown parties," a Citi spokesman said.

Over the next two weeks, the scammers were persistent but polite. Most days they would call, but only once. Their process seemed designed to build trust and a relationship, with requests to transfer money coming only later and after theatre involving the filling in of Know Your Client forms stamped with the Citibank logo.

It is still unclear who is behind this operation, but the accents of those making the calls were almost all from the United Kingdom. Website domain registrations for the contact-detail harvesting honeypot site and the addresses used to spoof bank emails each used a different registration service - one was based in Iceland - chosen seemingly because they scrub details of who owns the sites.

Bank security experts told me their phone numbers - while showing up as an Auckland area code - were obtained through a number portability service by operators almost certainly based offshore.

My findings were discussed with the Financial Markets Authority, who noted the Westpac and Citibank operations were remarkably similar to schemes they've previously warned about

"It can be hard to know when you are being scammed, especially when the scammers show this level of sophistication to impersonate legitimate providers," an FMA spokesman told me.

"That's why it's so important to pause and do some further checks before handing over large sums of money."