As Jane Fleming lit the candles on her son’s birthday cake, she was preoccupied with a substantial sum of missing money — $51,000 to be precise.
- Scammers intercepted an email and changed the banking details on the attached invoice
- Police believe the account used by the scammers was likely set up using a false name
- Business email compromise scams cost Australians millions of dollars a year
“It was a horrible day. I just felt sick all day, just wondering where the 50 grand was,” she said.
It was on her son’s ninth birthday that she realised she’d transferred that amount into a scammer’s bank account.
Jane helps run the family building business, and in May she was arranging to pay $51,000 to a subcontractor.
“I thought it’s a huge [invoice]. I’ll break it up into two payments until we’ve got more funds to pay for the whole invoice,” she said.
She’d worked with concreter Simon O’Donnell for almost a decade, making countless payments to him in that time.
But a couple of days after Jane transferred the funds, Simon called her husband, asking where his money was.
“I had my bank account on my computer screen right in front of me and there was no money there,” Simon said.
“His wife said in the background something to the effect of, ‘I’ve paid Simon, he was the one that changed his bank details.’
“Then the penny dropped.”
Simon realised he’d been scammed.
He said such a substantial loss of money was a kick in the guts in an already difficult period.
“I’ve, from my angle, done nothing wrong. I finished a good job for someone, he was happy with the job, and I’m a lot of money out of pocket for six months, which during COVID hasn’t been ideal.”
But the money was gone — and so began Simon and Jane’s efforts to get it back.
Spot the difference
When Jane received the $51,000 invoice from Simon, she did notice his bank account had changed and updated his details before transferring the money.
“We hadn’t used Simon for six months so I thought he’s possibly changed it over that period of time,” Jane said.
The email itself didn’t seem unusual and it showed clear details of the job that’d been completed.
But after looking at the email Simon sent, and the one Jane received, it was clear something was off.
Simon’s outbox shows he sent the invoice to Jane at 4:56pm on a Friday — but it didn’t appear in her inbox until 7:30am on the Saturday.
According to associate dean for computing and security at Edith Cowan University, associate professor Paul Haskell-Dowland, someone had gained access to either Simon or Jane’s computer, and was waiting for an opportunity like this.
Dr Haskell-Dowland believes hackers gained remote access by hacking the builder’s website and surreptitiously redirecting visitors to another site which installed malicious software.
“So potentially having direct access to the computers and monitoring them, perhaps keeping an eye on them for a while, getting a feel for the kind of invoices that are being sent that way,” he said.
“It’s that control that has allowed the attackers to manipulate and modify emails between the two parties in this particular case.”
He said the hackers may have had access to the computer for months, or even longer — and a late-afternoon invoice was a prime target.
“An end-of-day invoice coming through where they know that the receiving company isn’t going to look at their email … that opens up an opportunity and it gives them time to analyse the email, to examine the [attached invoice],” he said.
Dr Haskell-Dowland examined the fraudulent invoice and said the alterations could only have been made by a person.
“The email would have been intercepted potentially via automated means and would have then been modified by human means,” he said.
Scammers stealing millions from businesses
Jane and Simon fell victim to a sophisticated business email compromise (BEC) scam.
“I didn’t know that an invoice could be intercepted between a supplier and ourselves and altered,” Jane said.
Last year, Scamwatch said BEC scams netted $5.3 million across Australia.
But when those losses were combined with data from other government agencies and the big four banks, a total of $132 million was recorded.
So far this year, Scamwatch has received 1,099 reports of business email compromise scams worth $3.7 million in losses.
Small Business Ombudsman Kate Carnell said the average amount businesses lost was $10,000 per transaction.
“Just recently, a survey was done of nearly 2,000 small businesses and 62 per cent of them had been hit by some level of cybersecurity breach, and this one, the invoice interception is now one of the most common,” Ms Carnell said.
“What we’re seeing is a significant increase and some of that increase we think is because people are working from home with less secure systems.”
Who’s behind the keyboard?
Tracking who was behind the scam that cost Simon and Jane is much more difficult than figuring out how it was done.
Jane and Simon both had their computers examined for signs of malware and came up with nothing.
“It is quite possible that the malware has been removed by the attackers because the attack has been successful,” Dr Haskell-Dowland said.
Despite Simon’s email address appearing as the sender of both the fraudulent $51,000 invoice and a lesser $804 invoice, metadata shows each invoice was actually sent by a different email address.
The ABC tracked down the person who owned one of the addresses to find out he too had been hacked.
The scammers had used his email to target others and managed to successfully scam a Canberra builder out of $20,000.
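The metadata signals mentioned in this section (a From header showing the supplier's address while the transport records show a different sender, and an overnight gap between when the invoice was sent and when it arrived) are the kind of thing a receiving business can check automatically. The script below is an added illustration, not part of the ABC report or the expert's analysis; the message, names and domains in it are constructed placeholders.

```python
"""Flag BEC-style anomalies in a raw RFC 5322 message: a transport (envelope)
sender that differs from the displayed From address, a Reply-To steering
replies to a third party, and a long gap between the author's Date header
and first delivery. The sample message below is constructed for this example."""
from email import message_from_string, utils
from datetime import timedelta

# Constructed sample: every name, domain and address is a placeholder.
SAMPLE = """Return-Path: <relay@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.buildco.example (Postfix) with ESMTP id ABC123
\tfor <accounts@buildco.example>; Sat, 16 May 2020 07:30:12 +1000
From: "Simon Concreting" <simon@concreting.example>
Reply-To: simon.concreting@freemail.example
To: accounts@buildco.example
Date: Fri, 15 May 2020 16:56:03 +1000
Subject: Invoice 1042 - updated banking details
Content-Type: text/plain

Please pay to the new account below.
"""

def analyse(raw, max_delay=timedelta(hours=6)):
    """Return a list of human-readable findings; empty means nothing unusual."""
    msg = message_from_string(raw)
    findings = []
    from_addr = utils.parseaddr(msg.get("From", ""))[1].lower()
    # Address the author chose to display versus the one the transport reported
    env = utils.parseaddr(msg.get("Return-Path", msg.get("Sender", "")))[1].lower()
    if env and env != from_addr:
        findings.append("envelope sender differs from From")
    reply_to = utils.parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        findings.append("Reply-To differs from From")
    # Compare the author's Date with the timestamp of the topmost Received hop
    sent = utils.parsedate_to_datetime(msg["Date"])
    received_hdr = msg.get_all("Received", [None])[0]
    if received_hdr and ";" in received_hdr:
        arrived = utils.parsedate_to_datetime(received_hdr.rsplit(";", 1)[1].strip())
        if arrived - sent > max_delay:
            findings.append("delivery lag %s" % (arrived - sent))
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print("WARNING:", f)
```

Any non-empty result is a cue to confirm the account details with the supplier by phone before paying, which is the same check AFCA recommends later in the article.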
Police almost powerless
Victoria Police is investigating what occurred with Simon and Jane, but justice is far from assured.
The site associated with the hack of the builder’s website is based in Singapore, which puts it out of state police’s reach.
Police also believe the scammers have withdrawn money from an ATM in South Africa, further hampering the investigation.
Local police officer, Detective Leading Senior Constable David Morrison, is now trying to figure out who’s behind the web of Australian bank accounts used to funnel the money overseas.
“Unfortunately at this stage, I have not been able to identify the account holder of the offending account, and it is possible the account was opened online under a false name and address,” he told the ABC in a statement.
He said he had contacted multiple banks involved in a bid to trace the money.
“I have received some information as to the account holder’s details … however I am yet to receive information regarding the movement of the monies,” Leading Senior Constable Morrison said.
“Attempts are still being made to identify the account holder/s of the relevant accounts, however again, it is fairly probable that these accounts were opened under false names.”
In separate correspondence with Victoria Police, Jane was told: “Any further investigation is unlikely to result in a successful prosecution of the party responsible.”
“The reason is Victoria Police has no jurisdiction in South Africa and Interpol will only investigate fraud matters in excess of $1,000,000 loss,” it said in an email.
Leading Senior Constable Morrison said the matter would likely be passed on to the Australian Federal Police (AFP).
But the priority of the AFP is to “investigate cybercrime threats against Commonwealth Government departments, critical infrastructure and information systems of national significance” — meaning Jane and Simon’s case may come to a dead end.
What are the banks doing?
As cyber specialist Dr Haskell-Dowland picked through the trail of foreign servers and hacked emails, he questioned what Australian banks were doing to stop this type of crime.
“In terms of how to improve the situation, certainly the banks would be the [place to start],” he said.
Banks have a legal obligation to verify the information used to set up bank accounts.
But according to Victoria Police, it appears the Commonwealth Bank account which Jane deposited the money into was likely set up online using a false name and address.
Dr Haskell-Dowland said that could be prevented by strict “in-person identity checks, removing the opportunity for people to do this electronically, without undertaking some form of formal verification”.
Jane said she’d been “going in circles” trying to get help from the banks and regulators.
“CBA said they weren’t negligent and then AFCA (Australian Financial Complaints Authority) said we’re not in the jurisdiction because we’re not customers of CBA,” Jane said.
“Then they said to contact ASIC, who pointed us back towards AFCA.”
Jane has since received an email from the CBA declining her request for a refund, telling her she’d need “to approach your financial institution (Bendigo Bank) and lodge a claim for these funds”.
“I’d like this to be resolved by CBA acknowledging that they are negligent and allowing criminals from overseas to operate in Australia,” she said.
“It sounds like anyone can open a bank account with any name and then I can put money into that account in another business name and there are no alarm bells going off.”
The Commonwealth Bank said it acted quickly to block the account, which is now closed, as well as providing information to authorities.
“Despite the commitment and best efforts of regulators, law enforcement agencies and the banking industry, such frauds and scams sadly still occur,” the bank said in a statement.
“It is widely recognised that scams are becoming increasingly sophisticated which has prompted increased investment across the sector in resources, systems, data and intelligence to combat fraud and alert the Australian public to the risks the community faces.”
Jane lodged an AFCA complaint to the Bendigo Bank in the hope of a resolution.
In response, the bank said it tried to recover the money as soon as it was made aware of the situation.
“The correct procedures were followed to notify the other financial institution (Commonwealth Bank) and to request a recall of the funds,” the bank said.
“Because of the time delay between the funds being sent and notifying Bendigo Bank of the fraud, the likelihood of recovery for any other financial institution would be very low.”
The bank advised that those efforts were ultimately unsuccessful.
The ABC asked the Bendigo Bank about Jane’s case, but it declined to comment while the matter was still before AFCA.
Double-check your invoices
The Australian Financial Complaints Authority said it was working with industry and other stakeholders to try to minimise invoice hacking scams.
“To avoid falling victim to invoice hacking scams, consumers should call the supplier to confirm the correct account details before transferring large amounts of money, especially if they have received an email from the supplier saying their account details have changed,” AFCA lead ombudsman banking and finance, Evelyn Halls, said in a statement.
It’s advice both Jane and Simon can’t endorse strongly enough.
The concreter now sends a text message with every invoice, while Jane calls the sender to check details before paying.
“Just any invoice that you get, check if it’s a new [account] with a new BSB and account number, just call your supplier and confirm that that is their details,” Jane said.