Another grubby scam which hacked banking details and redirected a bank transfer of $147,000 in Victoria.
Is there a lesson here in our lack of understanding, that email is not a secure or 100% reliable means of communication?
The fax machine outlasted the onset of broadband with the legal profession.
Online banking, Govt services such as Centrelink or the ATO, and many large corporates now use more direct means to facilitate their business. Why? Because they need to ensure better security.
That’s true - as typically used - but that wasn’t the core of the problem here.
To the story itself: I was a bit confused by “These foreign hackers” v. “withdrew $40,000 from their local branch in Leongatha”. Your typical foreign hacker does not have an account with a local bank.
Did the foreign hacker successfully bypass all the identity protections in opening a bank account and potentially travel to Australia to do it?
Or did the foreign hackers use some third party’s bank account (either without that person’s knowledge or by misleading that person or with that person as a knowing local accomplice)? (This would be my guess.)
Or some other possibility that I have not thought of?
I think the moral of the story is: Don’t give $147,000 to your daughter.
I never send a hard copy of my bank, credit or any other financial/bill details out by email, text or any other electronic form to anyone…even family members. If they for some reason want them, I only ever give them over the phone or write them on a piece of paper and hand them over to them personally.
It looks like he may have fallen for a phishing email as well to get the password to access his online account. Another lesson is never click on links to anything sent to you, especially if they purport to be from a company or institution one deals with. Type your usual web address into the URL bar in the web browser instead.
Alternatively, the criminals emailed him the account details for sending the money to his ‘daughter’. If this was the case, why didn’t he check the details and legitimacy of the request with his daughter…all it would have taken was a phone call. Asking for $149K seems a little out of the norm for a usual transfer to a family member.
Our bank uses RSA tokens for logging in and also to set transfer limits to external accounts. I suspect this is to reduce the risk to the customer and the bank in the event that an online account is compromised. This however doesn’t prevent actions of one transferring money out of one’s account to another party, as one can increase the limit to facilitate the transfer.
These days this is an “electronic form”, albeit much harder to fake than email.
Or she may have? but there are many many other ways in which a compromise could have occurred at whichever end it occurred.
“Dad, I’m a little short for the rent this month, do you think you could spot me $140k?”
That is a key point. Once you have tricked someone into doing the transaction, no amount of fancy tech (be it RSA tokens or 2FA or encryption or authentication … or even transfer limits if the customer can change the limits) will save the victim.
One little observation though … the new banking system that was supposed to give us real time transactions seems also to be giving us transfers that don’t use BSB and account number e.g. transfer destination identified by phone number or email address. Particularly if identified by phone number that might have saved the victim in this case.
Another scammer arrested after ripping off a woman for $500,000.
Property settlement scam is an increasing problem. It is particularly lucrative for the scammers as the amounts are large and everyone expects them to be large.
I believe that current best practice when paying a deposit on real estate or when settling the purchase of real estate is … if doing it via bank transfer to BSB and account, always verify the information via another mechanism e.g. you phone your conveyancer/lawyer, or in person. Never accept the information if received exclusively via the internet (web, email) - since just about everything “internet” should be assumed to be doubtful.
I believe that there are two ways that this scam works.
- They trick the purchaser into thinking that the purchaser is dealing with the conveyancer when in fact the purchaser is dealing with the wrong organisation (an organisation set up by the scammer to siphon funds to). OR
- They take control of the conveyancer’s/lawyer’s email - so that all emails are legitimate in origin in a sense - but the scammer has the possibility of generating new emails, altering sent emails, answering received emails, suppressing received emails, etc. This in turn commences using any one of the usual email attacks e.g. social engineering, Day 1 exploits via email, Day 1 exploits directly into the email system, dare I say it - weak passwords.