Scams targeting businesses have hauls ranging upwards of five figures - a close eye on the details of all digital communications is essential. Photo / 123RF
It was only after he’d lost $1.6 million to a Pittsburgh bank account that John* realised they’d been watching him for some time.
In mid-December John was juggling work, the approaching holidays and the final stages of an equity investment in a tech startup. His contact at the Silicon Valley-based company had finally got in touch with deposit details.
Included in the email was an appropriately branded stock agreement and wire transfer instructions. These were different from those used in earlier rounds, but the change was addressed directly in the email.
“The major and notable change is the wiring instructions, we have elected for the Series B Preferred Stock to be funded directly to our US$ bank account held at PNC Bank,” the December 13 email concluded.
“I’m thinking, ‘okay, this is my mate - it’s unusual, but I know him,’” John said of the email.
John forwarded the US$1m payment as requested. It was only weeks later, when his actual contact at the company got in touch to discuss the upcoming deal, that the penny dropped.
“The real one comes back to me. He sent me emails which I never got: They’d blinded me too. Not only was I out of the loop, but I was separated from my business partners,” he said.
It was only later that John realised the sender’s email address was slightly different - an “.online” suffix instead of “.io” - and that a different contact phone number had been supplied, albeit with the right area code. He had been done over.
“I’d noticed my concentration was falling off at the end of the year: there were red flags, and I missed them.”
It is now clear that the first email did not come from his contact, and it appears all communications between the pair had been intercepted for some time. For some period - particularly when John was presented with the bogus payment details - legitimate email between the two had been blocked entirely so the scam would not be discovered.
“When it happens, you get a bit dumbstruck and you don’t know what to do,” John said.
What John did do was call Bronwyn Groot, a registered private investigator who used to work for both BNZ and the Commission for Financial Capability.
“The biggest thing all of us need to remember is that all of us can be defrauded. The right scam just needs to find the right person at the right time,” she said.
This scam involved three moving parts, all of which had to work together for it to succeed. It is a similar operation to the one that cost America’s Cup organisers Team NZ $2.8m.
First is the infrastructure: spoofed email domains, phone numbers made to look local through number-portability services and - the most difficult of all - a bank account for the prize to be deposited into and then spirited out of.
Next comes the hack: a compromised email account or server lets the attackers set up rules that forward, delay or block messages entirely. Groot suspects John had been exposed via a malicious phishing link in the weeks or months leading up to the scam.
Finally, the climactic email or message designed to trigger the payment requires social engineering. More psychology than technology, this key step relies on the scammers knowing, from the correspondence they have been reading, when to strike and how to phrase the instructions so they are persuasive without raising alarm.
“They have obviously sat in there and read and watched until there was some sort of purchase coming through. Very quickly with this one, they saw the email with the bank request, then Photoshopped or altered the existing invoice with the new bank account number,” Groot said.
Jordan Heersping, manager of incident response at government agency Computer Emergency Response Team (Cert), said sophisticated business email compromise scams were less common than garden-variety text spam, but tended to have more significant consequences for victims.
“We don’t get a lot of reports of this, which is good, but the few reports we do get are quite large losses: $50,000 would be small, and [John] seems to have had it particularly bad.”
Heersping said business people needed to ensure their technical infrastructure was up to scratch and to be aware of red flags when suspect approaches were made.
“On the technical side you can have proper firewall policies, endpoint detection tools, and make sure all your systems get patched to cover the latest vulnerabilities,” he said.
“But on the more human side of it there are a couple of things people can do. If you spot an invoice coming in that’s unusual - say a bank account has changed - give them a call. It’s always worth following up with a call, especially if you’ve got a personal connection and it’s a large volume of money.”
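As an added illustration, not code from the article, from Cert NZ or from anyone named in it, the following Python script screens an inbound payment-instruction email for the warning signs described above: a sender domain that imitates a known contact’s domain (the “.online” for “.io” swap), a Reply-To header that points somewhere other than the sender, and bank-account or phone details that differ from those already on file. Any flag places the payment on hold, to be cleared only by a call to the number held on file, which is the check Heersping recommends. The contact directory, account numbers, phone numbers and sample messages are constructed, and the `ACCOUNT_RE` and `PHONE_RE` patterns are deliberately simple keyword-anchored regexes rather than a production parser.

```python
import re
from dataclasses import dataclass, field

# Constructed contact directory (illustrative, not from the article): the
# trusted sender address, the phone number held on file for call-backs, and
# the bank account used in earlier funding rounds.
KNOWN_CONTACTS = {
    "cfo@example-startup.io": {
        "phone_on_file": "+1 650 555 0100",
        "account_on_file": "123456789",
    },
}

# Crude keyword-anchored extractors; assumed formats, not a real parser.
ACCOUNT_RE = re.compile(r"account(?: number| no\.?)?\s*[:#]?\s*(\d[\d-]{5,})", re.I)
PHONE_RE = re.compile(r"(?:phone|call|tel)[^\d+]*(\+?\d[\d\s()-]{6,}\d)", re.I)


@dataclass
class InboundMail:
    sender: str
    subject: str
    body: str
    reply_to: str = ""


@dataclass
class Screening:
    flags: list = field(default_factory=list)

    @property
    def hold(self) -> bool:
        # Any flag means: do not pay; phone the contact on the number on file.
        return bool(self.flags)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch a dropped or swapped character in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(candidate: str, trusted: str):
    """Return `trusted` if `candidate` imitates it, else None.

    Two cheap heuristics: the same name under a different suffix (.online in
    place of .io, as in the article) or a whole-domain edit distance of 1.
    Assumes plain 'name.tld' domains; subdomains would need a public-suffix split.
    """
    if candidate == trusted:
        return None
    if candidate.rsplit(".", 1)[0] == trusted.rsplit(".", 1)[0]:
        return trusted
    if levenshtein(candidate, trusted) <= 1:
        return trusted
    return None


def digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def screen(mail: InboundMail) -> Screening:
    """Screen a mail carrying payment instructions before any transfer is made."""
    result = Screening()
    sender = mail.sender.lower()
    contact = KNOWN_CONTACTS.get(sender)

    if contact is None:
        sender_domain = domain_of(sender)
        for trusted_addr, details in KNOWN_CONTACTS.items():
            imitated = lookalike_domain(sender_domain, domain_of(trusted_addr))
            if imitated:
                result.flags.append(f"sender domain {sender_domain} imitates trusted domain {imitated}")
                contact = details  # compare details against the contact being impersonated
                break
        else:
            result.flags.append(f"sender {sender} is not a known contact")

    if mail.reply_to and domain_of(mail.reply_to) != domain_of(sender):
        result.flags.append(f"Reply-To domain {domain_of(mail.reply_to)} differs from sender domain")

    accounts = {digits(m) for m in ACCOUNT_RE.findall(mail.body)}
    if contact:
        new_accounts = accounts - {digits(contact["account_on_file"])}
        if new_accounts:
            result.flags.append(f"bank account changed from {contact['account_on_file']} to {', '.join(sorted(new_accounts))}")
        phones = {digits(m) for m in PHONE_RE.findall(mail.body)}
        if phones - {digits(contact["phone_on_file"])}:
            result.flags.append(f"new phone number supplied; call {contact['phone_on_file']} from file instead")
    return result


# Constructed sample messages modelled on the article's description.
SCAM_MAIL = InboundMail(
    sender="cfo@example-startup.online",
    subject="Series B Preferred Stock - wiring instructions",
    body=("The major and notable change is the wiring instructions; the round "
          "will be funded directly to our US$ account.\n"
          "Account number: 987654321\n"
          "Phone: +1 650 555 0199"),
)
LEGIT_MAIL = InboundMail(
    sender="cfo@example-startup.io",
    subject="Series B closing",
    body="Same account as last round. Account number: 123456789. Phone: +1 650 555 0100",
)

if __name__ == "__main__":
    for mail in (SCAM_MAIL, LEGIT_MAIL):
        verdict = screen(mail)
        print(mail.sender, "HOLD" if verdict.hold else "OK", verdict.flags)
```

The point of the design is that the comparison is made against details already on file, never against anything in the suspect message itself: the callback number comes from the directory, not from the email, which is exactly the substitution the scammers relied on here.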
Despite banks and law enforcement authorities in both New Zealand and the United States being alerted to the malicious transaction, the whereabouts of John’s $1.6m - and who was behind the elaborate scam - remain unknown.
Jurisdictional issues - with the crime spanning two, and likely more, countries - make co-operation between financial institutions and authorities difficult.
John said his wife had tried to put things into perspective, and was thankful the sum lost didn’t represent his entire asset base.
“It’s only numbers on a piece of paper. We can afford to lose it, not everybody else can. It’s six months ago now, but I’d still like to see the guys behind it caught.”