Cybercrime: My Story
I am sure you often read articles, or are confronted with documents, on cybercrime that provide helpful advice on cybersecurity, steps to stop cybertheft and what not to do. However, until you have been the victim of a cybercrime you just don’t realise how helpless you really are, how inadequate our banking system is, and how little ability and how few resources the police have to investigate cybercrimes. We are inundated with advice on how to protect ourselves, but protection is only one piece of the picture. Preventing, protecting and recouping is the complete picture: we need to ensure we continuously prevent cybercrime and that, when it happens, we can recoup effectively. We cannot continue to talk about cybercrime only in respect of security; we have to look at the bigger picture. I agree with ACS that, despite the technical nomenclature, our approach to cybersecurity is as vital to our way of life as technology itself. In fact, they cannot be separated: our economic health, our national security and indeed the fabric of our society are now defined by the technology we depend on every day. However, this is also true for prevention and recouping, and these need to be addressed just as avidly as we are addressing security.
My story, which I am sure is like many others, is as follows. I had been renovating my house and was conversing with my builder through email. When the time came for payment the builder sent a bill to my email (in the form of a PDF invoice). This all seemed normal with no obvious issues. I paid the invoice ($30,000) into the bank account detailed on his invoice. I notified my builder after making the payment (that afternoon) to inform him the invoice was paid. Since it was a large amount, I wanted to confirm he had received the funds and contacted him the following morning, upon which he informed me he had not. I was concerned, and checked his invoice, including the bank account numbers, directly with him, and to my surprise I discovered they were not his bank account details. This immediately raised alarms and I started to investigate, which led me back to the original email I received from the builder with the attached invoice. I did an SMTP (Simple Mail Transfer Protocol) header trace on the email and found that the email had actually been relayed through two external nodes: Magichandsmassage.co.uk (Magichandsmassage – by all accounts an above-board, reputable financial advice bureau in the UK) and Yandex.com (a Russian multinational corporation specialising in Internet-related products and services). After further investigation and research I realised this was a Man in the Middle Attack (MITM), “an attack where the criminal secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other”.
I looked at the security dashboard on my Microsoft email account, reviewed the recent access activity and found that my account had been accessed from Vietnam, Thailand, Russia, China and other locations. The people performing the MITM hack may not have been in these countries, but they were using localised nodes in these places to download and retrieve my emails, read them and then respond through a secondary SMTP node in the UK as the originator or respondent, spoofing the email to make it look like it came from the expected correspondent.
This all happened within a 24-hour period (the elapsed time since I paid the builder, which was 3pm the previous day, and my following up at 9am the next day). I immediately phoned my bank to report the fraud and to recover my funds. I was put through to a call centre and explained the issue; however, the call centre was not at all helpful and lacked the urgency required. Fortunately, I have a good relationship with my bank manager and called him immediately, sending him the evidence I had. He directly alerted the payee bank’s internal fraud squad within the hour. I also reported the crime to the police. What happened then within the payee bank I do not know. It is a blank page, as the payee bank will not supply any information and refused to communicate with me directly. However, below is what actually happened, based on my experience, and what I believe should have happened:
What ACTUALLY happened
- The payee bank’s internal fraud investigators are informed through the bank’s process, which in many cases is still not electronic. There is no time limit for this process; the fraud team can take up to 10 days to investigate the dispute, and bank accounts are frozen only when they have gathered enough evidence.
- The bank did not perform its KYC checks correctly, and investigations are slow because the customer’s proof of authenticity (proof of identity, proof of address, etc.) and other relevant documents were fraudulent to begin with. The funds are partially transferred to a series of mule accounts and the money is lost. (Mule accounts can be either accounts created by criminals using stolen or synthetic identities, or accounts belonging to legitimate customers who have allowed criminals to use their account for illegitimate reasons.)
- The Payee bank does not transfer funds back or only partial funds are returned.
What SHOULD have happened
- The payee bank’s internal fraud investigators, once informed, should have immediately frozen the account(s) in question – no funds out or in allowed! Immediate “advanced fraud analytics” should have been instigated to capture all account activity and interactions across the accounts in question.
- The payee bank should have immediately investigated the accounts for fraudulent use: KYC (Know Your Customer) checks would have been instigated, the account owners contacted, the appropriate authorities informed of criminal action and the criminals apprehended. If the accounts were not fraudulent, then the immediate investigation would have confirmed the legitimacy of the accounts.
- The funds would have been returned immediately to the payer.
After more than five days of no communication from the payee bank (a well-known National Australian Bank) I had $21,700 of the $30,000 returned to my account. However, I was still missing $8,300 (I assume, to this date, that these funds had been transferred to a mule account and then transferred out of the payee bank). My bank at this point could not assist me any further, and the payee bank would not deal with me directly. So, what course of action can one take to retrieve funds, besides spending huge amounts of money on a lawyer with no guarantees? The following is the action I took:
- Letter to Payee Bank CEO – There are some very useful sites that supply email addresses for corporate executives, such as https://www.ceoemail.com/australia-newzealand-companies.php. I wrote to the payee bank CEO as I believed they were negligent in allowing the accounts to be created in the first instance, and for the lengthy amount of time that passed before action was taken. A process called KYC (Know Your Customer) exists which validates whether a customer is legally opening the accounts for personal use. It is a series of specific checks – these checks are compliance regulations that the payee bank needs to adhere to. The accounts were set up specifically for fraudulent use and therefore I believe the bank technically should have been liable, given the KYC process did not identify the fraudulent accounts. See the letter below and the payee bank’s position.
- Notify Police – I raised awareness with the local cybercrime department. The police could not do any more as they didn’t have the resources, and it seemed the general opinion was that anything under $10K is not considered a priority or recoverable in respect of the resources and time (costs) required to recover it (as the cost in police time would be worth more than the amount lost). Furthermore, it was obvious to me that the police just don’t have the resources or technology capability to chase cyber criminals to the extent needed.
- Notify the financial ombudsman – I raised a case with AFCA (Australian Financial Complaints Authority). AFCA would not pursue the matter with the payee bank because, crazy as it sounds, I was not a customer of the payee bank. Quote: “AFCA cannot consider the complaint because the payee bank has not provided you with a financial service.” This makes a mockery of our banking system, as any transfer between banks or payment outside of your own immediate bank could potentially go wrong and there is no recourse.
So, there you have it: cybercrime at its best. Clearly criminals know how to beat our banking system and our police system; they are technology astute; and our financial ombudsman is as useful as a chocolate teapot.
Being at the forefront of cybercrime, and a victim of it, has taught me that we all need to be knowledgeable in our increasingly digital world; it is critical to our future and needs to be addressed by us all. I am writing a series of articles on the topic of Digital Identity, as this has become a passion of mine over the years. Building and running my own companies, developing and running a GDPR practice in the UK and providing technology consultancy services to clients has encouraged me to research, be knowledgeable about and comprehend how to contend with cybercrime, digital identity, identity management and our digital footprint.
My next article will address what I am now doing personally to combat cybercrime and how we need to safely exchange our digital identity information, followed by further articles on compliance, social media, our digital footprint and what the future may hold for Digital Identity.
The information below relates to my story and may be of further interest, particularly to anyone who has been a victim of cybercrime:
- ACSC Statistics Published July to September 2019 in Australia
- Letter to Payee Bank and final response from Payee bank
- My email SMTP trace (partial trace).
------------------------------------------------------------------------------------------------------------
ACSC statistics published July to September 2019 in Australia
In the first three months of operation, 13,672 reports were made to ReportCyber. This equates to an average of 148 reports per day, or one every 10 minutes. Of these 13,672 reports, 11,461 contained sufficient information to be referred to state and territory law enforcement agencies. The ACSC responded to the remaining 2,211 cases providing tailored cyber security advice to the reporter.
The distribution of reports referred to state and territory police is shown in Figure 1 below, with Victoria receiving the greatest proportion (3,023; 26.4%), followed by Queensland (2,997; 26.1%) and then New South Wales (2,930; 25.6%).
Reported financial losses over the first quarter of reporting – the headline numbers were:
· Average financial loss per report $6,000
· More than $890,000 in reported losses each day
· Annual estimated losses to cybercrime of $328 million
Letter to Payee Bank
Dear Mr X,
I am writing as we recently have had an extremely upsetting and bad experience with your bank, <Payee bank>. This experience was in the act of a cyber theft through bank accounts within your bank. To summarise, in <Date> we paid a large amount into a <Payee bank> account, as our builder sent us an invoice via email which was unfortunately subject to a man-in-the-middle attack (MITM), where the attacker secretly relayed and altered the communication between my builder and myself and changed the invoices with false account numbers – which happen to be <Payee bank> accounts. I paid the invoices ($xx,xxx); luckily this was quickly spotted as bogus by myself, as I was checking with the builder that he had received the funds, which he had not (within 48 hours – well within 10 business working days).
We tried to communicate this to <Payee bank>, however your services department refused to deal with us as we “are not <Payee bank> customers”. It was the speedy and efficient response from our account manager at <our bank>, with whom we bank, that informed your fraud department of the situation; however it still took a further 5 days for anything to evolve, and to cut a long story short, only partial funds were recovered, leaving us with a deficit of $8,300, which is still outstanding.
We have tried through the Financial Ombudsman, the police, personally by tracking through IT systems and further calls to <Payee bank> to recover these funds. The least helpful being <Payee bank> who will not deal with us directly and clearly have breached Govt. regulation and your own anti-money laundering policies.
I can confidently say this as it is proven that the accounts in your bank had been set up for fraudulent use, as <Payee bank> have not recovered the funds and have not passed on any information in respect of who the customer is so that these funds can legitimately be reclaimed. This is in direct contradiction to banking regulations and the Code of Banking Practice – <Payee bank> is contractually bound by the obligations under the code. The following are just examples of where your bank has been negligent:
1. The Australian Govt. Austrac regulation Part B of an AML/CTF program (customer due diligence procedures) - The primary purpose of Part B is to ensure the reporting entity (<Payee bank>) knows its customers and understands their customers' financial activities. The reporting entity must establish a framework and document its customer due diligence (CDD) procedures in detail. Nothing has been supplied by <Payee bank> in this matter and no further information has been supplied.
2. Banking Code of Practice and Policy - Know your customer, alternatively known as know your client or simply KYC. In all banks the process of a business verifying the identity of its clients and assessing potential risks of illegal intentions for the business relationship is paramount. The <Payee bank> process does not seem to have captured these accounts, highlighting a flaw in its vital process for stopping money laundering and fraud.
3. Regulation Technology (RegTech) - Regulators / Auditors & the increasing penalties / punishments - At this time of heightened transparency <Payee bank> is trying to sweep events like this under the carpet and not being transparent (by not disclosing the information on these accounts and being silent, it is apparent that the focus on the customer and regulatory compliance is not being carried out correctly). <Payee bank>’s RegTech capability is flawed and the priority in order to ensure the royal commission recommendations are implemented is not being adhered to.
4. Money laundering principles, which are defined by the OECD as - The processing of ... criminal proceeds to disguise their illegal origin. <Payee bank> processes are flawed in this respect as they have enabled criminals to support criminal activity through the bank. The Australian Bankers’ Association (of which I believe <Payee bank> is a member) has stated that the banks, under the Financial Transactions Reports Act 1988, are required to report suspicious transactions to AUSTRAC. We would like to understand if this has occurred and, if not, why, as you are duty bound.
In respect of this, the liability for not transferring the full funds back to our accounts is on <Payee bank>. I have listed the various references for your information that you can use to verify our claim.
· <our bank> reference Number from <Payee bank> – XX SDXXACFXX
· AFCA Complaint with <Payee bank>, case number XXXXXX
· Police Report Reference EXXXXXXXX
I request that the missing funds are repaid back to my accounts and a further reference to what <Payee bank> is doing to protect all its direct customers and customers who transact through the banking system so that these criminals are stopped.
There was further communication with the <Payee bank> as they did not respond quickly and would not communicate with me directly.
Final response from the Payee Bank
Since receiving your email I have put through enquiries regarding the concerns you have raised.
From my enquiries, <the payee bank> has investigated your matter and is dealing with the involved account appropriately. Due to privacy we are unable to provide any further information on this account, nor are we able to compensate on behalf of this account.
Therefore, although the funds had been deposited to a <Payee bank> account, it is in <Payee Bank’s> view that the bank is not liable for the fraudulent activity caused by our customer. <Payee bank> has security measures in place to detect some fraudulent activity, however it is unable to monitor the legitimacy of every transaction. Unfortunately, as this was not a transaction actioned by <Payee bank>, we were unable to recall any outstanding funds from the fraudulent account and compensate you for your experience.
As you are still in a deficit of $8,300, I have been advised that you do have the option to raise your matter to AFCA again but against <your bank>, since you are their customer and can have the recall process reviewed, or you can seek independent legal advice to pursue this matter further.
Extract from SMTP Header trace of emails received
To get the SMTP or Internet headers, open the email in Microsoft Outlook and select File, then Info, then Properties. The Internet headers (the SMTP information) are displayed and can be selected and pasted into a document to be analysed.
Received: from VE1EUR02HT107.eop-EUR02.prod.protection.outlook.com (2603:10a6:200:89::29) by AM4PR0802MB2258.eurprd08.prod.outlook.com with HTTPS via AM4PR0202CA0019.EURPRD02.PROD.OUTLOOK.COM; Tue, 18 Dec 2018 00:11:15 +0000
Received: from VE1EUR02FT044.eop-EUR02.prod.protection.outlook.com (10.152.12.55) by VE1EUR02HT107.eop-EUR02.prod.protection.outlook.com (10.152.13.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1446.11; Tue, 18 Dec 2018 00:11:14 +0000
Authentication-Results: spf=none (sender IP is 173.201.192.40) smtp.mailfrom=magichandsmassage.co.uk; live.co.uk; dkim=none (message not signed) header.d=none;live.co.uk; dmarc=fail action=none header.from=gmail.com;
Received-SPF: None (protection.outlook.com: magichandsmassage.co.uk does not designate permitted sender hosts)
Received: from p3plwbeout11-04.prod.phx3.secureserver.net (173.201.192.40) by VE1EUR02FT044.mail.protection.outlook.com (10.152.13.51) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1446.11 via Frontend Transport; Tue, 18 Dec 2018 00:11:14 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:748BF8D277E5A379C76142E07C61BF3CFC73149F41A897A242CB988F0157A534;UpperCasedChecksum:E0D2ED8FD41CD75A0BEF5983D5574F8B296B5809533DC6ED32216255670AC776;SizeAsReceived:1015;Count:16
Received: from p3plgemwbe11-03.prod.phx3.secureserver.net ([173.201.192.9]) by :WBEOUT: with SMTP id Z2yAgqR1TVKAJZ2yAgglAO; Mon, 17 Dec 2018 17:10:42 -0700
X-SID: Z2yAgqR1TVKAJ
Received: (qmail 17559 invoked by uid 99); 18 Dec 2018 00:10:42 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 5.62.21.43
User-Agent: Workspace Webmail 6.9.49
Message-ID: <20181217171039.d359619a1cb3bc7221c63be23ea5705f.66dc7d4fbe.wbe@email11.godaddy.com>
From: XXXXX <[email protected]>
X-Sender: [email protected]
Reply-To: XXXXXX <[email protected]>
To: <[email protected]>
Subject: Progress claim 4
Date: Mon, 17 Dec 2018 17:10:39 -0700
X-CMAE-Envelope: MS4wfDqgs1ybdxfVxSAegZmZXO7BT+bSHe1k3FRTuxlIA1nB22Z7pHsi/oNLm8Mfb5thk+24KQaEzarElxT5IKYagCyvuv2wYl0dHtm/YsFaezH4GO7vKDHN 40mMMC27zP6dZN+aNgYaC+EoZdkIDIJO91c/QtfjH8qwpGo2i7Onxj+pJzKw/Vs3Se8E0vft/FpM9Rxg/3HKgwuDiMrLzRNHv9hwIvDugEhygAYlRAtGHuAg
X-IncomingHeaderCount: 16
Return-Path: [email protected]
X-MS-Exchange-Organization-ExpirationStartTime: 18 Dec 2018 00:11:14.7808 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-
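The header extract above carries the same warning signs the story describes: the Authentication-Results line records spf=none for the envelope sender magichandsmassage.co.uk, dkim=none, and dmarc=fail for a From: address at gmail.com, so the envelope sender and the visible sender do not line up. The script below is an added example, not the author's tooling or anything from the investigation on this page. It parses pasted Internet headers (the ones Outlook shows under File, Info, Properties) and reports each sign: SPF, DKIM or DMARC results other than pass, an envelope-sender domain that does not align with the From: domain, and a Reply-To that points somewhere other than From. The Authentication-Results, Received-SPF, Received and X-Originating-IP values in the suspect sample are copied from the trace above; the From, Reply-To and To addresses are placeholders because the real ones are redacted, and the clean sample is constructed for contrast.

```python
"""Triage pasted Internet headers for the signs of a relayed, spoofed invoice
email. Added example; it only reads the headers and reports findings."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample. Authentication-Results, Received-SPF, Received and
# X-Originating-IP are copied from the trace in the article; the From,
# Reply-To and To addresses are placeholders (the real ones are redacted).
SUSPECT_HEADERS = """\
Authentication-Results: spf=none (sender IP is 173.201.192.40) smtp.mailfrom=magichandsmassage.co.uk; live.co.uk; dkim=none (message not signed) header.d=none;live.co.uk; dmarc=fail action=none header.from=gmail.com;
Received-SPF: None (protection.outlook.com: magichandsmassage.co.uk does not designate permitted sender hosts)
Received: from p3plwbeout11-04.prod.phx3.secureserver.net (173.201.192.40) by VE1EUR02FT044.mail.protection.outlook.com (10.152.13.51) with Microsoft SMTP Server id 15.20.1446.11 via Frontend Transport; Tue, 18 Dec 2018 00:11:14 +0000
X-Originating-IP: 5.62.21.43
From: Builder Placeholder <builder-placeholder@gmail.com>
Reply-To: Builder Placeholder <builder-placeholder@reply.example>
To: <victim@example.com>
Subject: Progress claim 4

"""

# Constructed clean counterpart: authenticated and fully aligned.
CLEAN_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com; dmarc=pass action=none header.from=example.com;
Received: from mail.example.com (192.0.2.10) by mx.example.net (198.51.100.5) with ESMTPS; Tue, 18 Dec 2018 00:11:14 +0000
From: Builder Placeholder <builder@example.com>
To: <victim@example.net>
Subject: Progress claim 4

"""


def parse_auth_results(value: str) -> dict:
    """Pull method=result pairs and the key properties out of an
    Authentication-Results header in the layout Exchange Online writes."""
    out = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", value):
        out[m.group(1)] = m.group(2).lower()
    for prop in ("smtp.mailfrom", "header.from", "header.d"):
        m = re.search(re.escape(prop) + r"=([^;\s]+)", value)
        if m:
            out[prop] = m.group(1).lower()
    m = re.search(r"sender IP is ([0-9A-Fa-f.:]+)", value)
    if m:
        out["sender_ip"] = m.group(1)
    return out


def _aligned(mailfrom: str, from_domain: str) -> bool:
    """DMARC-style relaxed alignment: same domain, or mailfrom is a subdomain
    of the From: domain (a bounce subdomain is legitimate; a lookalike is not)."""
    return mailfrom == from_domain or mailfrom.endswith("." + from_domain)


def _address(msg, name: str) -> str:
    """Bare, lower-cased address from a header such as From or Reply-To."""
    return parseaddr(str(msg.get(name, "")))[1].lower()


def triage(raw_headers: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            findings.append(f"{method.upper()} result is '{result}', not 'pass'")
    from_addr = _address(msg, "From")
    from_domain = from_addr.rpartition("@")[2]
    mailfrom = auth.get("smtp.mailfrom", "")
    if from_domain and mailfrom and not _aligned(mailfrom, from_domain):
        findings.append(f"envelope sender domain '{mailfrom}' does not align "
                        f"with From: domain '{from_domain}'")
    reply_to = _address(msg, "Reply-To")
    if reply_to and reply_to != from_addr:
        findings.append(f"Reply-To '{reply_to}' differs from From '{from_addr}'")
    return findings


def originating_ip(raw_headers: str) -> str:
    """Best-effort submitting client address: X-Originating-IP when a webmail
    front end recorded it, otherwise the 'from host (ip)' of the earliest
    (bottom-most) Received hop. Returns '' if neither is present."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    xo = msg.get("X-Originating-IP")
    if xo:
        return str(xo).strip("[] ")
    for hop in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+\S+\s+\(\[?([0-9A-Fa-f.:]+)\]?\)", str(hop))
        if m:
            return m.group(1)
    return ""


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_HEADERS), ("clean", CLEAN_HEADERS)):
        print(f"[{label}] originating IP: {originating_ip(raw) or 'unknown'}")
        for finding in triage(raw) or ["no findings"]:
            print("  -", finding)
```

The alignment check is the one that matters most here: SPF and DKIM can legitimately be absent on some mail, but an envelope sender at one domain carrying a From: at another, with DMARC failing and the receiving side set to action=none, is exactly what let this invoice through. Run the script on the headers pasted from Outlook; any finding on a payment-related email is a reason to confirm the bank details with the sender by phone before paying.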
ABM/ABX & Strategic Account Growth expert / powered by curiosity / trail runner
4 years: Todd, I am sorry this has happened to you. Disappointing to find out that neither AFCA nor the Payee bank could come to the party to help you. Thanks for detailing the list of actions to take when cyber crime happens - I am sure most of us would not have a clue where to start. Would you classify this (MITM attack) as a type of identity fraud?
Building Relationships | Business Value | Trusted Advisor | Transparency
4 years: Thanks for posting. Great work done. I also had a similar but different story of cyber crime and money laundering and, like yourself, involved both banks and the police. In my case the perpetrator went to jail; however the funds were never returned. I learned a lot through this process about how the police operate, how banks operate and our legal system. I became quite the detective, but like yourself they refuse to share details. I presented my entire investigation to the police but the banks never took responsibility. Eventually working with a reporter is what helped my case. But monies were never returned.
Wi-Fi HaLow - Business Development
4 years: Thanks Todd for the informative post with practical advice.
Entrepreneur I CEO | Investor
4 years: Terri Paterson
Providing Clinical Development solutions to the Life Sciences industry
4 years: Hi Todd, sorry to hear what happened to you, but thanks for sharing your story