Another grubby scam which hacked banking details and redirected a bank transfer of $147,000 in Victoria.
Is there a lesson here in our lack of understanding, that email is not a secure or 100% reliable means of communication?
The fax machine outlasted the onset of broadband with the legal profession.
Online banking, Govt services such as Centrelink or the ATO, and many large corporates now use more direct means to facilitate their business. Why? Because they need to ensure better security.
That's true - as typically used - but that wasn't the core of the problem here.
To the story itself: I was a bit confused by "These foreign hackers" v. "withdrew $40,000 from their local branch in Leongatha". Your typical foreign hacker does not have an account with a local bank.
Did the foreign hacker successfully bypass all the identity protections in opening a bank account and potentially travel to Australia to do it?
Or did the foreign hackers use some third party's bank account (either without that person's knowledge or by misleading that person or with that person as a knowing local accomplice)? (This would be my guess.)
Or some other possibility that I have not thought of?
I think the moral of the story is: Don't give $147,000 to your daughter.
I never send a hard copy of my bank, credit or any other financial/bill details out by email, text or any other electronic form to anyone…even family members. If they for some reason want them, I only ever give them over the phone or write them on a piece of paper and hand them over to them personally.
It looks like he may have fallen for a phishing email as well to get the password to access his online account. Another lesson is never click on links to anything sent to you, especially if they purport to be from a company or institution one deals with. Type your usual web address into the URL bar in the web browser instead.
Alternatively, the criminals emailed him the account details for sending the money to his "daughter". If this was the case, why didn't he check the details and legitimacy of the request with his daughter…all it would have taken was a phone call. Asking for $149K seems a little out of the norm for a usual transfer to a family member.
Our bank uses RSA tokens for logging in and also to set transfer limits to external accounts. I suspect this is to reduce the risk to the customer and the bank in the event that an online account is compromised. This however doesn't prevent actions of one transferring money out of one's account to another party, as one can increase the limit to facilitate the transfer.
These days this is an "electronic form", albeit much harder to fake than email.
Or she may have? but there are many many other ways in which a compromise could have occurred at whichever end it occurred.
You think?
"Dad, I'm a little short for the rent this month, do you think you could spot me $140k?"
That is a key point. Once you have tricked someone into doing the transaction, no amount of fancy tech (be it RSA tokens or 2FA or encryption or authentication … or even transfer limits if the customer can change the limits) will save the victim.
One little observation though … the new banking system that was supposed to give us real time transactions seems also to be giving us transfers that don't use BSB and account number e.g. transfer destination identified by phone number or email address. Particularly if identified by phone number, that might have saved the victim in this case.
Another scammer arrested after ripping off a woman for $500,000.
Property settlement scam is an increasing problem. It is particularly lucrative for the scammers as the amounts are large and everyone expects them to be large.
I believe that current best practice when paying a deposit on real estate or when settling the purchase of real estate is … if doing it via bank transfer to BSB and account, always verify the information via another mechanism e.g. you phone your conveyancer/lawyer, or in person. Never accept the information if received exclusively via the internet (web, email) - since just about everything "internet" should be assumed to be doubtful.
I believe that there are two ways that this scam works.
- They trick the purchaser into thinking that the purchaser is dealing with the conveyancer when in fact the purchaser is dealing with the wrong organisation (an organisation set up by the scammer to siphon funds to). OR
- They take control of the conveyancer's/lawyer's email - so that all emails are legitimate in origin in a sense - but the scammer has the possibility of generating new emails, altering sent emails, answering received emails, suppressing received emails, etc. This in turn commences using any one of the usual email attacks e.g. social engineering, Day 1 exploits via email, Day 1 exploits directly into the email system, dare I say it - weak passwords.
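As an added illustration of the out-of-band verification the post above recommends (this is example code, not from the thread or any named bank or conveyancer), the following check compares a payment-instruction email against a record confirmed by phone. The verified domain, BSB and account number are constructed placeholders; the two sample emails are likewise constructed, one plausible and one showing the lookalike-domain and changed-bank-details pattern the two scam variants share.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed record of details confirmed by phone with the conveyancer
# (assumed placeholder values, not taken from the article).
VERIFIED = {"domain": "example-conveyancing.com.au",
            "bsb": "123-456", "account": "98765432"}

# Matches "BSB: 123-456 ... Account: 98765432" style payment details.
BANK_RE = re.compile(
    r"BSB[:\s]*(\d{3})-?(\d{3})\D+?(?:Account|Acc|A/C)[\s:]*(\d{6,10})", re.I)


def check_settlement_email(raw, verified=VERIFIED):
    """Return a list of warnings for an email carrying payment instructions."""
    msg = message_from_string(raw)
    warnings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_to.rpartition("@")[2].lower()
    # Variant 1: a lookalike organisation, i.e. a domain that is not the one verified out of band.
    if from_dom != verified["domain"]:
        warnings.append(f"sender domain {from_dom!r} is not the verified conveyancer domain")
    # Replies silently diverted elsewhere is a common sign of either variant.
    if reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    # Variant 2: a genuine mailbox, but the bank details differ from the phone-verified record.
    m = BANK_RE.search(msg.get_payload())
    if m:
        bsb, account = f"{m.group(1)}-{m.group(2)}", m.group(3)
        if (bsb, account) != (verified["bsb"], verified["account"]):
            warnings.append(f"payment details {bsb}/{account} differ from the phone-verified record")
    return warnings


# Constructed sample emails for demonstration.
SAMPLE_LEGIT = """From: Settlements <settlements@example-conveyancing.com.au>
Subject: Settlement funds

Funds to BSB: 123-456 Account: 98765432 by 2pm Friday.
"""

SAMPLE_SUSPECT = """From: Settlements <settlements@example-conveyancinq.com.au>
Reply-To: settlements@mail-secure-example.com
Subject: Updated settlement account

Please note our bank details have changed for settlement.
BSB: 654-321
Account: 11223344
"""
```

Running `check_settlement_email(SAMPLE_SUSPECT)` yields three warnings, while the legitimate sample yields none; the point is that the bank details are compared against something obtained by phone, not against an earlier email.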