Email Scams

An article regarding a family having their elderly mother’s aged care home deposit stolen by scammers.

2 Likes

Might be a good one re failures of the banking system, as the report calls into question why the system is open to the failure that has occurred. The report indicated that no one knows where the money has gone. Not even the bank. We need some more details to understand if it is really just a scam, or also a failure within the banking system?

5 Likes

I used to work for a large multinational company and received phone calls from accounts departments calling to verify by phone if there was a change in bank details. It's the safest way: just call the company you are paying to confirm if there has been any change to existing bank details.

3 Likes

It would be amazing if the bank did not have a log of inbound and outbound transactions. If the money went to a bogus outbound account they should know the bank and account, and the destination bank may be liable if it opened an account for a false identity rather than a stolen identity.

1 Like

It is likely that a mule bank account has been used…that is, another person who has fallen victim to the same, allowing the scammers to transfer the money in and out of their account.

The failure possibly doesn’t lie with the bank as they were only processing the transaction instigated by the customer. If they were responsible for the transaction, then they would be responsible for every transaction which occurs within the bank.

Edit: From the news article, it appears that the computer used to instigate the transfer may have been compromised by malware, allowing the scammers to see emails between the two parties. This allowed them to then impersonate/pretend to be the aged care centre. It is possible that there wasn't an up-to-date malware scanner installed on the PC which may have detected the breach. This is possibly a timely reminder that if one uses the internet, devices should have a reputable malware scanner installed which is updated regularly (at least daily) to try and keep one step ahead of the scammers and their malware.

1 Like

100% it was a scam - and quite a common one. Email interception scammers love property settlements because the size of the sums is so large, usually the largest transaction a person will ever do.

The question is: should anything be changed in the banking system to make the scam harder to carry out?

The alternative question is: should anything be changed in the technology outside of the banking system to make the scam harder to carry out? e.g. wider adoption of authentication on emails e.g. stronger security on the access device (I’m talking architecturally stronger, not just more patches and more band-aids)

One thing is for sure … when you have customers making random suggestions about how the bank could improve its operations, a large dose of scepticism should apply - since the customer is unlikely to be aware of all the relevant issues.

"It would be great to be able to see an extra level of security on that side of things, like maybe you need to have a name that matches the account number and the BSB."

Name matching will lead to false positives. How many? Only a bank could tell you.

What level of fuzziness should be accepted? Exact match only?

Is the account name even present in the interface between banks? Only a bank could tell you.

Would it be viable to require name matching only on larger amounts? Maybe. However that may mean that it is a manually processed transaction or it may be that the transaction is delayed; and it may incur a fee, which no doubt people would then complain about.

Would it be viable for the sender of the money to specify that name matching is mandatory (regardless of the amount)? Maybe.

Due to entity structure (e.g. trading name v. company name or e.g. parent company v. subsidiary or …) name matching won’t necessarily be very transparent or very helpful when paying a corporate entity, as would apply in this case.

A bank will probably tell you that they are completely uninterested in improving the robustness of BSB/Account number payments because that mechanism is obsolete (in part because it is rather opaque and rather error prone).

"If I go to deposit a cheque at a bank, they won't deposit it if it's wrong, so why can't we look at implementing something a similar way?"

This is a doubtful comparison. The destination account name has to be present on a cheque because the destination BSB and account number are not present on the cheque.

Use a bank cheque for a property settlement.

For the amount of money involved, yep, a phone call is worth the trouble.

At the very least confirm the bank account details as published on the recipient’s web site. That too can be hacked but it raises the bar.

1 Like

It could be problematic for everyday transactions: if the account name isn't exactly as documented by the bank, then the transaction would fail. It could be a typo, an extra space, or missing characters (especially when our bank won't accept common symbols in the account name for EFT even though the actual bank account name has such symbols as /, @ or .).

Who would accept penalties for late payments or impacts on credit records? I imagine it would be the bank's fault for these as well.

Agree 100%.

For our last house purchase, our solicitors wouldn't communicate any banking details electronically, either by email, texting or such like. It had to be done the old-fashioned way, by fax (if we had one) or by snail (registered) mail. While it was annoying, at least it was a more secure way to communicate such information and prevent communications being intercepted.

Maybe businesses and individuals should request such information for large amounts of money to be only communicated by such means. There is a risk that a scammer may start to send out registered mail with their fraudulent banking details, but when one received one from the business and one from the scammer it would automatically ring alarm bells and hopefully cause one to contact the business to confirm which was theirs.

2 Likes

Yes, I think some work would need to go into account name standardisation e.g. only and all printable ASCII (or agreed subset thereof), agreed maximum length, leading / trailing / doubled spaces not permitted.

Again I come back to: BSB/account number is obsolete for transfers. I doubt any bank wants to spend time improving it. They want you transferring via ACN/ABN or email address or mobile phone number. (Those aren’t scam-proof either but they do offer some improvements.)

2 Likes

All of this reminds me to stop using iCloud as my main email, and switch to protonmail, which I've had for a couple of years but haven't taken full advantage of…

2 Likes

While that is a good idea anyway, it doesn’t go to the heart of the problem.

First of all, the media coverage of this scam doesn’t provide enough information to know what the heart of the problem is. So there is necessarily an element of speculation. However

  • you still have to keep your email access device secure, and
  • so does the party at the other end, and
  • if you use secure mail but the party at the other end does not (most likely to be the case) then the benefits of secure mail are not fully realised.

2 Likes

Better than doing nothing…

3 Likes

Another article regarding emails being intercepted.

2 Likes

(Some people have rather limited ambition for their life. Driving a Tesla isn't that exciting. :) )

In addition to everything that I previously said about business email compromise scams, in this particular case Tesla could improve their process by not emailing out an invoice but instead emailing out a link to an invoice that would be downloaded from the secure Tesla web site. (It’s not that difficult. Even various tinpot service providers that I deal with are capable of doing this.)

The email can of course still be interfered with (the customer hasn’t necessarily fixed the underlying problem!) but if the link is changed in some way then there are additional possibilities for the customer (or the mail client, or both) to detect the scam.

3 Likes

@Gregr

I find it astounding that the most obvious simple thing that can be done by mandate was consigned to the very last pages. Estimated by the payments regulator to prevent 70% of the problem.

That is mandate confirmation of payee. The sending side has to send the full account details of number and name, and the receiving side must validate this full information. And reject the transfer if the details do not match.

Matching the name is not a perfect solution. See my comments in post 6 above for an existing discussion.

Some additional comments that are not explicit above:

  • What about upper and lower case? really has to be exact match? or case-blind match?
  • What about middle names? The account name will often include the middle name but you may not know the middle name even of people that you know quite well.

I am not opposed to matching of the name provided that it only applies to transactions over $Y, I get to configure Y for my account, and the default value for Y is a safe (low) amount.

In the context of the original discussion - preventing fraudulent transactions - there is an elephant in the room: you can’t ignore overseas transactions - and yet overseas transactions magnify the problems with name matching (I could elaborate at length but I will spare you).

The Australian government has no legal authority to dictate to foreign banks. It is also not a change that could quickly be rolled out globally to thousands of banks. So we may find that such a change only ends up applying to domestic transactions.

Currently my internet banking seems quite broken about character set i.e. barely allows anything more than alphanumeric, and quite broken about field length. So, domestically, we would have to find an acceptable subset of printable ASCII (preferably all printable ASCII) and an appropriate length restriction.

3 Likes
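As an added illustration of the name-matching questions raised in this post (case-blind or exact? middle names? only above a payer-configured amount $Y?) and of the account-name standardisation rules suggested earlier in the thread (printable ASCII only, an agreed maximum length, no leading, trailing or doubled spaces), here is a small confirmation-of-payee checker in Python. It is example code written for this page, not code from any bank, payments regulator or scheme. The policy choices it encodes (a 32-character limit, a default threshold of $1000, treating symbols such as / @ . & as separators, tolerating an omitted middle name but nothing else) are assumptions made for the example, and the payee names in it are constructed. It also shows, deliberately, the false positive the thread worries about: a trading name paid against a registered company name is rejected.

```python
"""Illustrative confirmation-of-payee name check (example code, not any
bank's implementation). Policy constants below are assumptions."""
from __future__ import annotations

import re
import unicodedata
from enum import Enum

MAX_NAME_LEN = 32          # assumed agreed maximum length after normalisation
DEFAULT_THRESHOLD = 1000.0  # assumed default for the payer-configurable amount Y


class Outcome(Enum):
    MATCH = "match"              # exact match after normalisation
    CLOSE_MATCH = "close_match"  # same first and last name, middle name(s) differ
    NO_MATCH = "no_match"        # reject the transfer
    NOT_CHECKED = "not_checked"  # amount below the payer's threshold Y


def normalise_name(name: str) -> str:
    """Canonical form for comparison: fold accented letters to plain ASCII,
    treat any symbol (/ @ . & and so on) as a word separator, collapse and
    trim whitespace, case-fold, and truncate to the agreed maximum length."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    ascii_name = re.sub(r"[^A-Za-z0-9]+", " ", ascii_name)
    ascii_name = " ".join(ascii_name.split())   # no leading/trailing/doubled spaces
    return ascii_name.casefold()[:MAX_NAME_LEN]


def _in_order(shorter: list[str], longer: list[str]) -> bool:
    """True if every token of `shorter` appears in `longer` in the same order."""
    it = iter(longer)
    return all(tok in it for tok in shorter)


def compare_names(supplied: str, registered: str) -> Outcome:
    """Compare the name the payer typed against the name the receiving bank holds."""
    supplied_n, registered_n = normalise_name(supplied), normalise_name(registered)
    if not supplied_n or not registered_n:
        return Outcome.NO_MATCH
    if supplied_n == registered_n:
        return Outcome.MATCH
    st, rt = supplied_n.split(), registered_n.split()
    shorter, longer = sorted((st, rt), key=len)
    # Middle-name tolerance only: first and last tokens agree and nothing is reordered.
    if st[0] == rt[0] and st[-1] == rt[-1] and _in_order(shorter, longer):
        return Outcome.CLOSE_MATCH
    return Outcome.NO_MATCH


def check_payment(amount: float, supplied: str, registered: str,
                  threshold: float = DEFAULT_THRESHOLD) -> Outcome:
    """Apply the name check only at or above the payer's threshold Y."""
    if amount < threshold:
        return Outcome.NOT_CHECKED
    return compare_names(supplied, registered)


if __name__ == "__main__":
    # Constructed sample payees for illustration.
    samples = [
        (250_000, "J & S SMITH", "j/s smith"),             # symbols and case differ
        (250_000, "John Smith", "John Andrew Smith"),     # middle name omitted
        (250_000, "Acme Trading", "Acme Pty Ltd"),        # trading name vs company name
        (250_000, "Müller Holdings", "Muller Holdings"),  # accent folded
        (50, "Jane Smith", "John Smith"),                 # below Y, not checked
    ]
    for amount, supplied, registered in samples:
        outcome = check_payment(amount, supplied, registered)
        print(f"{amount:>8}  {supplied!r:20} vs {registered!r:20} -> {outcome.value}")
```

Running the script prints one line per sample. Note that the check is only as good as the normalisation both banks agree on: if the sending bank strips the "/" but the receiving bank keeps it, an honest payment fails, which is exactly the false-positive cost the thread is weighing against the fraud it would stop.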

The other challenge is that the scammers will change their mojo if exact name matching is required. Scammers succeed as they are highly convincing and can quickly develop a relationship (of trust) with the person they are scamming. If name matching is mandated, scammers will either change their name to match the account name in question (they already do this when trying to convince the victim that they are someone they are not, such as for catfishing or romance scams) or convince the victim that the different name is justifiable for some reason (it is the account name for their business and the company trading name is different, which already occurs often in Australia). This will quickly negate any benefits of the mandates.

2 Likes

Just how clever are the Scammers and how smart does one need to be to avoid being caught out?

Worth a read and a watch (ABC): this real-life experience, $200,000 worth.

Getting your money back? The Victim remains upset with the banks involved.

2 Likes

Isn't this another way of saying that our systems of banking and business regulation, authorisation and identification are the weakness?

Are they likely to change?
A clever accountant can attest that trust structures and shelf companies serve a multitude of purposes. They deliver benefits that those who use them argue will be lost if greater transparency is required.

OTOH, just how hard is it for an individual taxpayer to open an account without reliable ID?

2 Likes

No it says that no matter how strong the system is, the weakest link is the victim. Blaming the system does not solve the curse.

A few weeks/months ago (I have been trying to find a link to the audio but have been unsuccessful), there was a leading Australian academic on northern Tasmania ABC radio talking about scams and what makes them successful. It made compelling listening.

Something which stuck with me is that the scammers are almost gifted in the way they can quickly develop relationships with victims (a victim being those susceptible to a scam) and how they can easily manipulate the victims once trust is gained. Scammers often create what should be obvious (red) flags in their dealings with their victims, but the manipulation is so strong that victims often don't see these until it is too late or they are specifically pointed out to them (even when pointing them out, some victims still refuse to accept them).

It appears that no matter what you do to the system, there will always be scammers, as they are very successful at their craft (crime). The only real way to fully remove the opportunity for scammers is to block all forms of communication, such that we return to the days before long-distance communication. This won't happen.

Trying to deal with the scam before it can be communicated may be the only way to have some effect, as once the first contact is made, if one is susceptible, and no matter the systems in place, the opportunity to be scammed has been created.

From what I have read, accounts can't be opened without adequate checks and balances. Accounts can be compromised (mule accounts, or on-sold accounts, which it has been reported some temporary residents have done after leaving Australia and no longer needing the account), due to greed or through another victim of a scam. One shouldn't think a scammer's account has been created with unreliable ID.

Where an account has been reported as compromised, the institution the account sits with should be taking immediate action to shut down the opportunity for further scam monies to be laundered through the same accounts. This might also have some effect and significantly limit the number of victims.

1 Like

There are many other examples from society where it is suggested the problem is the weakness of the victim.

I’m hopeful that is not where this discussion is going. The weakest in the community deserve the same level of protection as the rest of us, if not more to ensure their weaknesses are not taken advantage of.

Which side of the Choice Board Charter such views fall on, it might be for one of the board to add their viewpoint?
@BrendanMays hopefully this is not asking too much?
https://www.choice.com.au/-/media/dfde65bb01d646949a968d1b83b0eacf.ashx?la=en

2 Likes

A scam victim is a person who is susceptible to being scammed by a scammer (which in reality could be anyone). It is the skill of the scammer and the susceptibility of the victim which leads to a scam being successful. It is challenging, as there is enough public information to allow one to see red flags, but when the manipulation by the scammers is strong, victims are blindsided to what many others would see as obvious flags of being scammed.

The government can implement what they think are the strongest financial, business or regulatory systems to stop scams. But when it comes to relationships, trust and ability to manipulate individuals for an ill-gotten gain, no system can be created to prevent this occurring.

It is worth reading about the psychology of scams and why this makes scams successful. This Conversation article touches on some elements…

1 Like