Written by: Martin Anderson | Farm Business Consultant | 0439 150 458
What an exciting and fast changing world we live in. The changes in new technologies that we’ve experienced within generations have been phenomenal. Think of computers, laptops, iPods, smartphones, tablets, smart watches. Add to that the pace of change & new innovations in the past 5 years with GPS, guidance systems, robotics, AI, ChatGPT, etc, which is increasing exponentially.
With all the benefits that the new innovations bring us, there has also been an increase in risks. Specifically cyber security and scams have been a rising risk, that seems to only be getting bigger and more sophisticated resulting in increased adverse outcomes and loss of money for people and businesses alike. In the news there isn’t a week, possibly even a day, with new reports on scams, cyber risks
or frauds that have taken place. A sobering statistic from the Australian Competition and Consumer Commission (ACCC), is that Australians lost a record $3.1 billion in scams in 2022, which was up 80 per cent on 2021. The following infographic from the ACCC website provides a breakdown on losses reported to Scamwatch (which represents only $569 million of the $3.1 billion in 2022).
Whilst there is a varied level of knowledge across the community regarding scams, cyber security and cyber fraud, given the increase in instances and the costs of losses, I felt it would be useful to discuss three common examples that I’ve been aware of in the last couple of years. Further, what are some of the actions that could’ve been taken to prevent the loss of money, and some timely and handy scam and
cyber security resources that are readily available.
Example 1 – The not so good
This relatively simple and small scam unfortunately happened to a relative of mine in the past 12 months. They wanted to sell a piece of furniture to the modest value of $500, online using a popular Social Network site. After advertising it, within a couple of days, they thought they had a legitimate buyer who was prepared to pay the price that was being asked. Naturally, this created a bit of excitement
and a sense of urgency.
Taking advantage of these emotional triggers, the scammer was then able to convince the person that they needed to create an ABN to enable the sale and advised that they could assist in setting this up. All the seller needed to do was to send them $250 for the ABN registration fee, and the scammer would organise it for them. Once this money was transferred, they then said it hadn’t gone through properly
and requested them to send a further $250 and then they’d send the other money back if it turned up.
Part of the confidence trick was to get the victim to feel like they’re already committed and embarrassed (by having sent the first $250 already), even though their gut instinct was that they’re possibly being scammed. By the time the second $250 had been sent, the scammer shut down their communications.
After reporting the incident to the bank, a couple of days later, there was no catching the funds. Whilst it remains unclear, there is a strong likelihood that the scammer was internationally based and was able to use a local Australian bank account (legitimate but compromised by a cyber security breach or established using false ID) before transferring the funds to other accounts locally or overseas as part of a broader organised cyber scamming scheme.
How could this have been prevented? The key signal in this instance was the request of the scammer for the seller to send them money, even though the scammer was supposed to be paying the seller for the purchase of the furniture. Whilst this seems obvious in hindsight, it was the scammer’s effective use of preying on the seller’s wish to pay the price they wanted, a lack of knowledge of scams by the victim and
the sense of urgency that allowed the scam to succeed. For the victim, it felt like it all happened in an instant, and by the time they realised, it was all too late.
Example 2 – The Bad
The classic scam phone call to an unsuspecting victim, that starts off sounding probable and develops slowly as the scammer builds a relationship and confidence. In this instance they were pretending to be from a telecommunications company, and they’d identified that there were some issues with the victim’s internet. As it turned out the victim had been having some issues with their internet, but this was purely coincidental (the scammer just got lucky).
Over the course of a few hours, they worked with the victim trying to assist, and then eventually the scammer convinced them to allow them remote access to their computer. By this time the victim was highly committed, as they’d spent considerable time on the phone with them and they still felt the person on the end of the call was legitimately trying to help them.
This is where things got interesting, but in bad way. The scammer not only gained remote access to the computer (allowing them to set up their own malware) and open programs files etc., but they also advised the victim that they believed there was issues with their smart phone as well. But it would be ok, as the scammer could help with that too, and got the victim to give them access to their phone by downloading an app.
Once they had control of their computer and smart phone, they said they’d been able to fix all the problems, and they just wanted the victim to check a few programs on the computer, including their internet banking. By this stage the victim had been on the phone for a significant amount of time but was wanting to get back out to the paddock to do some work. However, they were so committed by this time
that they logged into Internet Banking, (which allowed the scammer to retain access and keep it open remotely).
By this stage the scammer, via full control of the computer removed the screen of the Internet Banking from the victim’s view and proceeded to make several transfers of between $10,000 to $20,000 out of their account over a couple of days. The scammer also had full control over the smart phone, meaning that the client couldn’t make or receive phone calls.
After seeing the unusual transactions, the victim’s bank (via their transactional security monitoring team) tried to contact them, however, couldn’t get through on the smart phone, given the scammer was preventing the clients from taking or receiving calls. The security team then reached out to the victim’s local bank manager, who also tried calling them with no success.
The victim could see the incoming call from the Bank Manager, and as they couldn’t take the call, made a return call using someone else’s mobile phone. It was at this point that it was confirmed what had been taking place, with the relevant information relayed by the Bank Manager to the security team. This enabled a complete transactional stop to be put in place on the victim’s account. Traces and investigations were made to the Banks where the money had been sent to see if the money could be recovered. Unfortunately, in this instance, only about 1/5th of the funds was recovered.
Funds were transferred almost immediately they hit the initial transferee accounts, with sophisticated overseas scammers involved. The victim had to have their computer looked at by a specialist and restored, a replacement mobile phone and phone number, and new internet banking set up.
How to prevent? In this instance, it was the initial lack of knowledge of scams, particularly the ability to fake being from a legitimate Telecommunications provider, that caught the victim out. Followed by the fact that they felt they were being helped and invested a lot of time with the scammer. The point of no return was giving the scammer access to their computer, smart phone, and internet banking.
Unfortunately, the best way to prevent this is to not engage in the unsolicited call in the first place. If you feel that you have a potential internet, computer issue or the like, it’s best to discontinue the call and then make your own phone call by calling the service provider directly (ideally confirming their phone number from a couple of legitimate sources, from correspondence that you have had from them in the past
such letters or emails etc). Finally, never allow someone to view your internet banking remotely, as this is where the actual fraudulent transfer of money transactions can take place.
Example 3 – The Ugly
Whilst Examples 1 and 2 were distressing and resulted in financial loss, both involved the victim being engaged during the scam process and being groomed under a confidence scheme. The third example has very minimal involvement from the victim, aside from transferring funds to what they truly believed was a legitimate bank account, and it resulted in a significant loss of money.
This example has a legitimate purchase transaction occurring for a large item (in this case a piece of machinery for approximately $450,000). The victim received a tax invoice which has all the usual supplier’s information, the item purchased, and the bank account name, BSB & Account number on it so the purchaser can pay via their internet banking. Given the purchaser had agreed to purchase the item and knows the supplier etc they weren’t aware that anything was untoward. Unbeknownst to both the victim and the supplier, the invoice that was emailed to them had been intercepted by the cyber criminals, and the BSB & account details altered to a different account. When the victim made the payment via their internet banking everything was processed as expected. It wasn’t until a week or so later when the supplier was following up the payment with the purchaser, that the billing scam was identified. Given the timeframe that had passed there was no recovery of funds.
How to prevent this? In this instance the only way to have identified the scam would have been to call the supplier direct prior to transferring the funds and asking them to confirm their Banking Account details. Whilst this may seem like an onerous additional step when paying via internet banking it is the most effective way of ensuring large invoice / billing scams are identified before the damage is done. For regular supplier payments, once you’ve set up the billing account details in your internet banking, you generally don’t have to re-check each time. That said, there may be instances, such as very large payments, that it may be worth double checking.
In each of the above example’s scammers rely on human emotions, such as trust, fear, urgency, lack of knowledge etc to develop relationships and gain the confidence of their victims to perpetrate the scams. In this day and age, we need to be continually vigilant, trust our gut instinct if it doesn’t quite feel right, stop engaging even if it is to double check with someone else and seek advice from known and trusted sources where possible.
Another important aspect is to report the scams, to your service provider, to the Police and to the Australian Government’s, Report Cyber website. It may not get your losses back, but it gives authorities important profiling of the types of scams that are occurring (particularly innovation in scams) and the types of losses that are being inflicted. This information will assist in developing new measures to counteract future scams, raise awareness and possibly even result in changes of legislation, regulation etc.
There are several useful resources that can assist particularly in education and prevention, including your bank, telecommunications service provider etc. Additionally, the following Government sites are useful for both prevention and reporting of scams, and I’d highly recommend a review of these:
• Australian Government | Australian Cyber Security Centre (ACSC) https://www.cyber.gov.au/
• Australian Government | Report Cyber https://www.cyber.gov.au/report-and-recover/report
• ACCC | Scamwatch https://www.scamwatch.gov.au/
• IDCARE https://www.idcare.org/