Fraud
now browsing by tag
#romancescams | Directors Heidi Ewing & Rachel Grady On Showtime Docu-series ‘Love Fraud’ – CBS Dallas / Fort Worth | romancescams | #scams
(CBS Local)– On Sunday August 30, Showtime premieres a fascinating new docu-series called “Love Fraud” about a man named Richard Scott Smith, who conned women all over the country for 20 […] View full post on National Cyber Security
Feds indict former Shreveport city employee in $400K fraud | #employeefraud | #recruitment | #corporatesecurity | #businesssecurity | #
SHREVEPORT, La. (AP) — A federal grand jury in Louisiana has accused a former city worker and a second man of using city credit cards more than 3,800 times over […] View full post on National Cyber Security
#cybersecurity | #hackerspace | In-store Payments via Mobile Apps Can Lead to Increase in Card Not Present (CNP) Fraud
Source: National Cyber Security – Produced By Gregory Evans
Consumers love the convenience of paying for goods and services in store by using their NFC enabled smartphones and stored credit cards. This is demonstrated by the fact that you can download retailer specific apps for your smartphone to pay for everything from coffee, to movie tickets, to poutine using a retailer specific mobile app.
As more and more retailers embrace this technology and release their own mobile apps with in-store payment options, the threat of fraudsters looking to benefit from flaws in the implementation, or by exploiting the human component must be carefully considered. The following are a few example Card Not Present (CNP) fraud schemes that retailers who offer in-store purchasing using a store branded mobile app should be aware of.
In these scenarios, we will use the imaginary retailer Smoothie Shop. Smoothie Shop has a mobile app that allows customers to save their credit card in the app in order to facilitate easy in-store purchases. Consumers log into their Smoothie Shop account using an email address and password. Smoothie Shop has recently seen an increase in CNP fraud and chargebacks, but is unable to pinpoint the root cause.
(Smoothie Shop mobile app login)
CNP Fraud Scheme #1 – Fraudster takes over a Smoothie Shop account that has a Credit Card saved in the app
In this scenario, the fraudster has to take over an existing Smoothie Shop account. This is known in the industry as Account Takeover (ATO) which is explained here.
In this scenario the fraudster has lucked out! Since the account that was taken over by the fraudster already has a credit card saved in the app, the fraudster can simply walk over to a Smoothie Shop, present the mobile app with the saved credit card information and enjoy a refreshing smoothie that was paid for via some other Smoothie Shop customer’s stored credit card.
CNP Fraud Scheme #2 – Fraudster takes over a Smoothie Shop account that does not have a Credit Card saved in the app
Again this scenario requires the Frauster to take over an existing Smoothie Shop account, however this scenario requires a little bit more legwork, and is less profitable as Fraud Scheme #1 above. Since the Smoothie Shop account that was taken over does not have a credit card saved in the app, the fraudster will instead need to buy a stolen credit card off the Dark Web or some other electronic market*, and then add the freshly purchased credit card to the Smoothie Shop account and app. Once this is done, the fraudster proceeds in-store to obtain smoothies using the stolen credit card.
Why would the fraudster go through the trouble of taking over an existing Smoothie Shop account you ask? Good question! Fraudsters are aware that aged accounts (e.g. accounts more than 3-6 months old) with a good transaction history are usually given more leeway and transactions from these accounts are less closely scrutinized when compared to a brand new account with no transaction history.
*Stolen credit cards can be acquired for as little as $3 or as much as several hundred dollars depending on the credit limit, zip/postal code, issuing bank, etc.

(screenshot from Dark Web Credit Card market)
CNP Fraud Scheme #3 – Fraudster creates a brand new Smoothie Shop account
This scheme doesn’t require taking over an existing account, but instead requires the fraudster to use a bot tool or a human clickfarm to create hundreds of “fake” Smoothie Shop accounts. Once the fraudster has access to multiple Smoothie Shop fake accounts, he can then add in as many stolen credit cards as he pleases in order to make in-store purchases at Smoothie Shop, each one being a unique incident of CNP fraud.

(In-store payment via Smoothie Shop mobile app and stored credit card)
What can Retailers and Consumers do to protect themselves?
Prevention Methods for Retailers
1) Prevent Account Takeover. This is easier said than done. There are many ways to prevent or at least significantly reduce the amount of ATO, such as by eliminating Credential Stuffing. The goal of the organization should be to eliminate the economic advantage that fraudsters obtain from taking over an account. If the cost/effort of taking over an account outweighs the value of said account, there will be no incentive for the fraudster and he/she will likely go elsewhere to commit fraud.
2) Maintain control of Account Creation process. Creation of accounts by bots and scripts can be limited by using a CAPTCHA, however captchas can be bypassed by mid-level sophistication fraudsters, and consumers generally dislike captchas. Preventing bulk creation of accounts requires collecting device level information in order to restrict the number of new accounts that can be created by a single device. There are device farms available for rent, but forcing the fraudster to leverage a device farm could make their rate of return less desirable and push the fraudster elsewhere.
3) Ensure your customers are not logging into your site/mobile app with credentials that have been compromised in 3rd party data breaches. This is a NIST recommendation that makes a lot of sense in today’s world of daily breaches. The customers that are logging in to your website or mobile app with compromised credentials are most likely the accounts that will be taken over and defrauded first.
4) Build controls around misuse of credit cards in the mobile app. Legitimate customers will likely need to add 1, maybe 2 unique credit cards to their account/device. Any account/device trying to add 3, 4, 5, or more credit cards to an account should be closely inspected and possibly restricted from adding any more. The stored credit card should also be tied to the device, rather than the account. That way, if an account is taken over from a new device, there will be no stored credit card information available for the fraudster to use. Both of these require a strong and unique identifier on the device level.
Prevention Methods for Consumers
1) Don’t reuse passwords across multiple sites! – This is the single most important piece of advice consumers should follow. If you reuse the same password across multiple sites, it is no longer a question of if, but rather when you will become a victim of Account Takeover and fraud. Using a Password Manager to create strong and unique passwords will greatly improve your personal security posture.
2) Be mindful of the sites and apps that you enter your username and password in to. Many fraudsters are now relying on phishing scam sites that look eerily similar to the real retailer/airline/bank site but are in fact under the control of the fraudster and are meant to harvest credentials in order to commit fraud.
3) Make sure you have a reputable antivirus on your Smartphone and uninstall any apps that are flagged as suspicious or malicious.
4) Use a virtual credit card. Virtual credit cards are now available from a number of organizations. These are beneficial as you can create a single use virtual credit card with a credit limit for a specific retailer. That way if the retailer suffers a data breach, or your account is taken over, your fraud exposure is contained and your real credit card is still secure.
5) Ask the retailer about their security controls and practices, and how they prevent Account Takeover. If they give you a sub-par canned answer, maybe you should think twice before saving your credit card information in their app.
*** This is a Security Bloggers Network syndicated blog from Shape Security Blog authored by Carlos Asuncion. Read the original post at: https://blog.shapesecurity.com/2020/02/13/in-store-payments-via-mobile-apps-can-lead-to-increase-in-card-not-present-cnp-fraud/
The post #cybersecurity | #hackerspace |<p> In-store Payments via Mobile Apps Can Lead to Increase in Card Not Present (CNP) Fraud <p> appeared first on National Cyber Security.
View full post on National Cyber Security
Cybercrooks busted for multimillion-dollar identity fraud – Naked Security
Source: National Cyber Security – Produced By Gregory Evans
A trio of Australians has been charged with identity theft that netted AU$11 million (US$7.41m, £5.73m) – ill-gotten loot they allegedly ripped off by hacking into businesses and modifying their payrolls, pension payments (known as superannuation in Australia) and credit card details.
According to ABC News, police arrested the alleged cyber-robber – an unidentified 31-year-old man, formerly of Adelaide – at a library in Sydney’s Green Square earlier this week.
His alleged cyber accomplices were 32-year-old Jason Lees and 28-year-old Emily Walker, both arrested in the Adelaide suburb of Seaton. According to Walker’s Facebook profile, they’re a couple.
New South Wales police reportedly said that the unidentified 31-year-old man allegedly stole more than 80 personal and financial profiles so as to use them in identity fraud in South Australia from early 2019, and then in NSW from August 2019. He’s been charged with 24 fraud-related charges in Newtown Local Court. Walker and Lees have been charged with money laundering and deception.
(What’s the difference between lies, deception and fraud, you well may ask if you’re not Australian? Under Australian criminal law, not all lies are deception, and not all deceptions amount to fraud, according to the law firm Sydney Criminal Lawyers. Here’s the law firm’s explanation.)
According to ABC News, the police prosecutor, Senior Sergeant Mike Tolson, told the court that the prosecution anticipates bringing hundreds of additional charges.
The stolen data came from businesses and organizations targeted for their employees’ data, including staff names, addresses and birthdates. The defendants allegedly used the details to set up hundreds of bank accounts into which they then allegedly deposited money.
Tolson:
All of the stolen identity has come from intruding upon businesses.
The defendants allegedly used multiple cryptocurrency accounts to launder more than $18 million, Tolson told the court:
However, one of the wallets that has been identified alone contains more than $18 million in transactions […] and multiple withdrawal accounts.
The prosecutor said that last month, police seized nine computers, their hard drives, and six mobile phones during a raid on the couple’s home. Next week, the court will consider an application for bail.
Investigators called the crimes “sophisticated and complex.” NSW Police Force Cybercrime Squad commander Detective Superintendent Matthew Craft said that it’s a timely reminder to beef up cybersecurity defenses:
Identity information is a valuable commodity on the black market and dark web, and anyone who stores this data needs to ensure it is protected.
Ripped-off payment card details – like these! – do indeed sell like hot cakes on the dark web, where carders snap them up, slap them onto new cards, and go on mad spending sprees on somebody else’s dime.
In December 2019, we also found out exactly how fast those hot cakes get sold: two hours, it turns out. That’s how long it took somebody – or something, if it turns out to have been an automated bot – to find, and use, a credit card posted by a security researcher.
Check your statements
Regularly checking your credit card and other financial statements means you’ll spot fishy charges before they cling to you.
We the consumers aren’t typically held responsible for fraudulent activity – but only when we report bad charges in a timely fashion. Don’t delay, if you don’t want to get stuck paying for somebody else’s baby lions and/or Lamborghinis.
Latest Naked Security podcast
The post Cybercrooks busted for multimillion-dollar identity fraud – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
Android Malware for Mobile Ad Fraud Spiked Sharply …
Source: National Cyber Security – Produced By Gregory Evans
Criminal groups are increasingly targeting users of Android mobile devices with malware for conducting ad fraud on a massive scale.
Mobile security vendor Upstream this week said that in 2019 it identified as many as 98,000 malicious Android apps and 43 million infected Android devices across the 20 countries where mobile operators currently use its technology. The numbers are up sharply from 2018 when Upstream recorded some 63,000 apps and 30 million infected devices.
A startling 32% of the top 100 most active malicious Android apps that Upstream blocked in 2019 were available for download on Google’s Google Play mobile app stores. Many of them still are, according to Upstream. Another 19% of the most worst-offending malicious Android apps were also on Google Play but have been removed, the vendor noted.
More than nine out of 10 — or 1.6 billion of the 1.71 billion mobile transactions that Upstream’s security platform processed last year — were blocked for being fraudulent. If those transactions had been allowed, the total cost to end users in fraudulent charges would have topped $2.1 billion, Upstream said in a report. In Egypt, 99% of the mobile transactions that Upstream’s platform handled were fraudulent.
Android is the most targeted mobile OS because of how widely it is used and also because the operating system is open and therefore more vulnerable, says Dimitris Maniatis, CEO at Upstream.
Android is a favorite playground for bad actors, especially in the case of low-end devices, he says. “Users should have a heightened awareness of any preinstalled apps that come bundled with their device and pay attention to the mobile data usage by each,” Maniatis says. “Organizations should have measures in place to check the app’s reviews, developer details, and list of requested permissions, making sure that they all relate to the app’s stated purpose.”
Upstream’s analysis of 2019 data shows that the favorite apps for hiding ad-fraud malware are those that purport to improve productivity or improve device functionality. Some 23% of the malicious Android ads that Upstream encountered last year fell into this category. Other apps that attackers frequently used to hide malware included gaming apps, entertainment/lifestyle and shopping apps, communications and social apps, and music and audio and video players.
The top most downloaded malicious Android apps in 2019, according to Upstream, were Ai.type (an emoji keyboard), video downloader Snaptube, file-sharing app 4shared, video streaming and downloading app VidMate, and weather app Com.tct.weather. The top five apps alone have been downloaded some 700 million times. The top 100 malicious Android apps combined have been downloaded more than 8 billion times, Maniatis says.
In the US, the worst offenders, according to Upstream, were Free Messages, Video, Chat,Text for Messenger Plus; GPS Speedometer; QVideo, EasyScanner; and WhoUnfriendedMe.
A Stealthy Menace
In many cases, malicious apps do the function they are purportedly designed to do. For example, a weather app might forecast weather but in the background also carry out a variety of malicious activity without the user knowing a thing.
Malware for mobile ad fraud can visit websites and view and click on banner ads, make purchases, mimic a real user going through a subscription process, or deliver bogus ads to the device without the user being aware of the activity. The goal is to generate revenue for the malware author in different ways, including via payouts for fraudulent traffic and ad clicks.
Often such rogue apps can remain on a device for a long time because the malicious activity is only happening in the background. In some cases, the apps change their name after being downloaded or don’t have an icon to locate them easily.
“Losses from online, mobile, and in-app advertising reached $42 billion in 2019 and are expected to reach $100 billion by 2023, according to Juniper research published last May,” Maniatis says. “Considering that fraudsters operate at scale and can simultaneously target millions, tens of millions, or even hundreds of millions of devices in one hit, the means to stop them in their tracks need to likewise operate at scale.”
A vast majority of the victims are users of Android phones, especially in countries including Brazil, Egypt, Indonesia, South Africa, and Ethiopia.
While detecting malicious mobile apps can be difficult, there are often some indicators — like a constantly drained battery, an overheated device, or high data charges. User ratings and reviews are also sometimes a good indicator of an apps quality, though not always.
The most downloaded malicious Android apps, for instance, all had good reviews and high rating, but only because of a carpet bombing of fake reviews, says Maniatis. “The only way to get around this currently is to scroll enough and see genuine negative reviews from real users,” he says.
Related Content:
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio
More Insights
The post Android Malware for Mobile Ad Fraud Spiked Sharply … appeared first on National Cyber Security.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | The cyber pirates of the Caribbean responsible for online fraud that robs Australians of millions
Source: National Cyber Security – Produced By Gregory Evans
Posted
They ride the high seas of the global financial system, preying on everyday Australians and stealing millions of dollars. They are the outlaws of the digital world and authorities seem powerless to stop them.
Jane Smith* had run a successful business for years and was finally in a place where she could think about investing her and her husband’s retirement fund.
They had both worked hard and put aside a sizeable nest egg, but she was worried as she neared retirement age they needed a top-up.
So when a simple offer promising a healthy return popped up on her Facebook feed, she thought she would give it a try.
It sounded similar to something she had heard about from a friend whose son worked for a major investment firm that was using automated trading software on currency exchange markets.
And it came from a firm with a slick-looking website and a friendly investment manager who sounded highly educated and knew current market trends.
Little did she know her savings would be flushed into a river of cash flowing out of Australia and into a global network of offshore accounts, where it would be laundered and channelled into the pockets of highly organised criminals.
Scammers who are smarter than us
Jane’s life has changed irrevocably since she was targeted.
She is now forced to contemplate a future where she and her husband will have to keep working, then when they get too old perhaps turn to the Government for support.
And Jane is far from alone.
Many of us think we are too smart to fall for scammers, but investment scams cost Australians at least $86 million in 2018 — topping all other forms of scams that robbed people of their savings.
Fake investment offers in cryptocurrencies, such as Bitcoin, are becoming more popular, resulting in record losses in 2019, according to the Australian Competition and Consumer Commission (ACCC).
Photo:
Trading in cryptocurrencies such as Bitcoin has become a hunting ground for cyber scammers. (Supplied: Hybridreserve.com)
But despite the massive cost, victims say when they report these crimes, action is rarely taken.
An ABC investigation has peeled back the glossy facade of the scam that robbed Jane of her savings, to reveal an extensive global network including shell companies, sophisticated marketing and high-pressure sales tactics all designed to get what it wants — your money.
Fake news and bogus endorsements
For Jane, the scam started at her home in the West Australian city of Bunbury.
From there, it went all the way to the regulatory havens of the Caribbean, Europe and Asia that allow these financial pirates safe harbour.
It began with a fake ABC news story about a bogus endorsement by mining billionaire Andrew Forrest for a financial scheme that promised great riches.
Photo:
A screenshot of one of the bogus ABC News articles used to publicise the scam. (Supplied: Consumer Protection WA)
There are endless variations of this ad floating around Facebook, LinkedIn and other social networks, but the formula remains the same.
A name-brand celebrity like Microsoft founder Bill Gates or Virgin billionaire Richard Branson is ostensibly interviewed by a reliable news outlet, with public comments from supposed clients raving about the money they say they have made:
“Is this really working? Has anyone tried it yet?”
“It really is! I already earned 1352$ [sic] and it just keeps coming. I can’t wait to earn more with the app.”
“I’m very surprised that this is fully legal, with the amount I’m earning.”
Australian versions of the scam also feature former NSW premier and now NAB banking executive Mike Baird.
Jane read the article and was intrigued. She followed the links and found herself on a website using the name HybridReserve.
“HybridReserve set out to allow ANY person sitting at home or in the office to be able to invest modest sums of money and offer them the 100% support and guidance needed for beginners,” the site claims.
“Confusing terminology and complicated technologies, are not our thing.”
She started off with small amounts, but as the returns flowed in and she received some early payouts, she was encouraged to invest more heavily.
She eventually deposited $670,000 over several months into HybridReserve’s online trading platform, believing it was being invested on her behalf.
But once the money was deposited, her investment manager suddenly became hard to contact, despite the previous daily calls and emails.
And heading over to their office to speak to him was not an option.
HybridReserve lists a main address in the picturesque Caribbean nation of St Vincent and the Grenadines.
The tiny nation lies in a chain of tropical islands that also includes famous offshore tax and regulatory havens such as the British Virgin Islands, the Cayman Islands and The Bahamas.
When the ABC called the only number listed on HybridReserve’s website that was still connected, the man who answered claimed no knowledge of HybridReserve.
He said he was only there to “connect” callers to other agents, but also that he was available for anything the ABC “wished to do that considers trading, and such”.
He then said he would put the call through to management, and hung up the phone.
A very busy address
The address listed by HybridReserve — Suite 305, Griffith Corporate Centre, Beachmont, Kingstown — is well known to authorities and IDCare, a not-for-profit identity theft and cyber fraud support service.
The man who answered the phone said he was in St Vincent and the Grenadines, at “Suite 305 Griffith”, but later backtracked, saying he could not reveal where he was located.
In the past two years IDCare has dealt with 41 complaints linked to that address out of 583 cases of alleged investment fraud.
The Australian Securities and Investments Commission (ASIC) also lists 12 business names or entities associated with this address on their companies you should not deal with list.
It is a modest office block that sits in a semi-industrial part of the capital, Kingstown, next door to a private medical centre.
The ABC does not suggest all firms linked to this address are involved in fraud, as there are legitimate reasons for incorporating your business offshore.
But a number of brokers who are the subject of complaints by Australian investors have this listed as their main address.
Griffith Corporate Centre is advertised online as offering virtual office space and registered office services.
The ABC made repeated attempts to contact the centre, but received no reply.
There are legitimate locations like this one all over the world. Often they are just post office boxes.
They can be used by people who want to incorporate a company in a particular jurisdiction, but either don’t have their own property located there or want to list a different location to their bricks and mortar office.
Bank accounts can then be opened in the names of incorporated companies, which can be useful for people wanting to move large amounts of money around the globe.
Photo:
This office desk picture was uploaded to Griffith Corporate Centre’s address on Google in September, 2019. (Google: Griffith Corporate Centre)
In Saint Vincent and the Grenadines, an incorporated company must have a locally registered office and agent, although the directors and owners can be located offshore.
A firm offering offshore company incorporation services, which is headquartered at Suite 305 at the Griffith Corporate Centre, is Wilfred International Services (WIS).
WIS managing director Merma DeFreitas said the majority of her clients used WIS as their registered office, but she denied knowing anything about alleged fraud committed by firms incorporated at the address.
“Wilfred Services Ltd is the registered agent ONLY and does NOT own or operate any of the entities that are incorporate[d] through our firm,” Mrs DeFreitas said in a written statement to the ABC.
“Therefore our firm is NOT linked to OR aware of any alleged fraud committed against any individuals.”
The ABC requested information about 10 firms that list this address — including HybridReserve — which have had complaints against them registered with ASIC or IDCare.
Mrs DeFreitas said she could not make any comment about these firms as WIS only responded to requests made by local financial regulatory authorities.
Why harbour in the Caribbean?
Saint Vincent and the Grenadines is renowned worldwide for its soft sand beaches and tropical paradise image — which saw it feature as the backdrop to the blockbuster Disney film series Pirates of the Caribbean.
But it is famous for another reason in the global financial community.
The cluster of islands often referred to as SVG is known for its lack of financial transparency, to the extent that firms specialising in offshore businesses, such as offshore-protection.com, spruik it as having “one of the most restrictive confidentiality laws globally”.
SVG has issued public warnings that currency trading businesses registered in its jurisdiction are not regulated by the government, but its response to tackling the problem has so far been limited.
SVG has flagged changes to comply with European Union requirements for good governance, after it was threatened with blacklisting as an uncooperative tax jurisdiction.
But those reforms have focused so far on local taxation and not on “economic substance” reforms, which could require companies to have a physical presence in the country and local staff.
The ABC approached the country’s Financial Services Authority for information relating to businesses incorporated at the Griffith Corporate Centre, but it was not provided.
The Estonian connection
HybridReserve’s international connections are not limited to Saint Vincent and the Grenadines.
The terms and conditions say the website is owned by a company called Singlebell OU, which is incorporated in the eastern European Baltic state of Estonia, and that this firm is fully liable for claims, losses, costs or damages.
Estonia also allows people to incorporate companies from offshore, and this is often done with the assistance of law firms that can register multiple entities at any single address.
But Estonia is more open than St Vincent and the Grenadines, as it does make company records available.
Company documents from Estonia show Singlebell OU is registered to an address in the capital, Tallinn.
ASIC lists another 10 firms all appearing to offer brokerage services linked to this address on their companies you should not deal with — unlicensed companies list.
Photo:
The address where Singlebell OU is incorporated is an unassuming office building in Tallinn. (Source: Google Street View)
The Cypriot
Company records from Estonia show Singlebell OU was registered in March 2018, but the members of the management board changed the following month.
The management’s location shifted south to the Mediterranean.
The new solo management board member, Serge Michou Tchio Daloko, listed an address on the business registration in the Cyprus capital of Nicosia.
But Mr Daloko’s tenure on the board of Singlebell, and its status as a Cyprus-listed company, lasted little more than a year.
In July this year, Singlebell’s management board changed again, shifting across the Atlantic Ocean to Central America.
The new structure saw Mr Daloko replaced on the business registration by a man named Daniel Lopez Romero, who listed his address as a small two-storey building in a quiet residential street in Mexico City.
Exploiting the global network
ASIC executive director for assessment and intelligence Warren Day has spent years chasing criminals who seek to defraud Australians.
Mr Day said criminals registered official companies and bank accounts to look legitimate and move money across the globe to avoid detection.
“What we know is the minute those funds hit those accounts they move on to another account in another country, and then probably another country again, so that the trail goes cold,” he said.
“So it’s very hard for regulators and money tracking authorities such as AUSTRAC to identify where they’ve gone.”
He said these scams had become an “intractable problem” because of the mobility of the perpetrators and the way money could be quickly moved.
“Effectively trying to arrest someone, and let alone get a successful prosecution, the chances of that are low to non-existent,” Mr Day admitted.
Photo:
ASIC’s Warren Day says the prospects of arresting cyber criminals are almost non-existent. (ABC News: Chris Sonesson)
“That’s cold, that’s really cold news to a victim, and the best thing we can say is, ‘you’ve been scammed’. But the good news is, by you telling us, you’ve prevented other people from losing a lot of money as well.
“I fully acknowledge that’s really cold comfort to the person who may have lost tens to, in some cases, hundreds of thousands of dollars.
“But the reality is, these people have disappeared, they were never here in Australia, they’re not even in the countries they say they operate in.”
Australia seen as an easy target
The former head of the Australian Crime Commission, David Lacey, has seen first-hand the impact of investment fraud after he started IDCare, a charity that supports victims of identity fraud.
He has seen calls about investment fraud to his service quadruple in the past 12 months.
“Often for a lot of people they are life-changing events,” Mr Lacey said.
“They’re going to have to make decisions like, do they sell their house, are they applying for welfare, are they going to work to a later age — that’s the human toll a lot of these things have.”
Photo:
David Lacey was the former executive director of the Australian Crime Commission. (ABC News: Chris Gillette)
Mr Lacey said Australia tended to be “a bit slow off the mark” promoting awareness of scams that crossed jurisdictions and may already have been reported by overseas financial regulatory authorities.
But he said there also needed to be a focus on deterrence.
“What we haven’t seen is perhaps the deterrence and the intervention that we would like to see, to send a message — a very clear message — to criminals offshore that Australia is no longer an easy target,” he said.
“At the moment, we think there’s a bit of a gap.”
Trying to track the scammers
Australian authorities were notified about HybridReserve, but the information seemingly failed to filter back to Jane’s bank — the Commonwealth Bank — or even ASIC.
The Australian Competition and Consumer Commission (ACCC) said it received 25 reports about HybridReserve last year, and first notified ASIC on January 1 — but it only publicly listed HybridReserve as an entity you should not deal with on November 25.
This is despite details about HybridReserve being listed on the International Organisation of Securities Commissions (IOSCO) investor alerts portal on March 4, at least a month before Jane made her first major transfer.
Belgian financial authorities flagged it even earlier, in February.
Photo:
Australia is seen as an easy target for cyber fraudsters. (Reuters: Kacper Pempel/Illustration)
Mr Day said ASIC was working with the ACCC to better streamline how they exchanged information.
He also said ASIC did not automatically list scams from IOSCO on its blacklist, but it was in the process of reviewing that policy.
“There are so many scams operating at any one time, we would flood our own blacklist,” Mr Day said.
“Our experience at ASIC has been that often the scams that are being perpetrated against a citizen in Belgium, or Spain, or Portugal, or the UK, don’t necessarily mean that they’re being perpetrated on people in Australia.
“That obviously now is changing, the behaviour is changing, and we are reviewing our practices in that space.”
No red flags were raised for Jane
HybridReserve instructed Jane to transfer her money into two Australian accounts set up in the names of shell companies.
Neither of these were registered with the Australian Transaction Reports and Analysis Centre’s (AUSTRAC) remittance register, which is required for firms whose business is transferring money overseas.
Photo:
The woman said the fake stories looked so authentic she believed the scam was real. (ABC News: Anthony Pancia)
One transaction alone was more than $300,000, which Jane said should have raised red flags.
She even called the transfers “HybridReserve” on her Commonwealth Bank statement.
Jane was also told to send her money to a German account, registered to a firm based in Berlin.
German financial authorities flagged that firm two months after Jane made her first transfer, telling the company to desist from conducting money remittance and specifically naming HybridReserve.
The Commonwealth Bank said it were only notified by Jane some months after her last transfer that she had been the victim of a scam and wanted to try to recover the money.
“Unfortunately despite our efforts, we were unable to recall the funds concerned,” a spokesperson said in a statement.
The Australian Banking Association said in a statement banks worked closely with AUSTRAC to protect the Australian community from serious crime and terrorism.
“The financial intelligence and information provided by banks significantly contributes to Australia’s intelligence picture, helping AUSTRAC and our government partners in their work to detect and disrupt criminal activity — here and overseas,” the statement said.
Mr Lacey said while banks played a critical role, they should be the very last line of defence, and multinational companies which profited from selling ads and server space to criminals should also step up.
“For investment fraud to succeed for a criminal, there’s a lot of enabling activities that need to occur,” he said.
“We’re seeing a lot of very large multinational companies involved in … assisting in advertising investment fraud offerings, so they’re receiving money from criminals who are paying to advertise their investment frauds so that Australians can fall for these scams.
“If your organisation is enabling these things to occur … you need to be asking yourself the question whether or not your products and services are involved in that criminal enterprise.”
He said many clients had expressed an interest in a class action against such firms.
Jane’s money remains lost at sea
While she waits for justice, Jane’s money remains unaccounted for as it travels the world in the hands of the cyber pirates.
It has been more than three months since she contacted police, but they had not yet taken a formal statement.
She said she felt let down by the Australian law enforcement system and the banks.
“Three months later, they [have] failed to understand whose jurisdiction this whole case falls under,” she said.
“It’s just handballing and no action. In three months … they haven’t even taken a statement from me, or contacted any international authorities, or held anybody accountable.
“All financial institutions have to be responsible enough to keep their database up to date of all these scams, in order to protect their customers, their clients’ money.
“I think they let us down.”
*Name has been changed to protect the woman’s identity
Credits
- Reporting: Rebecca Trigger
- Video and graphics: Claire Borrello
- Digital production: Liam Phillips and Rebecca Trigger
- Editor: Liam Phillips
Topics:
hacking,
computers-and-technology,
fraud-and-corporate-crime,
perth-6000,
wa,
bunbury-6230,
cyprus,
estonia,
saint-vincent-and-the-grenadines
The post #cyberfraud | #cybercriminals | The cyber pirates of the Caribbean responsible for online fraud that robs Australians of millions appeared first on National Cyber Security.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | Fraud scams continue to evolve — BBB tells you what to look out for – The Advocate-Messenger
Source: National Cyber Security – Produced By Gregory Evans Grandparents have quite a soft spot in their hearts for their grandbabies, no matter the age of those “babies.” Maybe this is why the “grandparents scam” call seems to never go away. Lately, people have been reporting a “resurgence” of the scam call, where someone calls […] View full post on AmIHackerProof.com
#cyberfraud | #cybercriminals | Fraud Decisioning Pulls Ahead In A Tight Race
Source: National Cyber Security – Produced By Gregory Evans
The cat-and-mouse game between law enforcement and code-abusing felons is entering a new year, and a new phase. The world’s biggest social media platforms are cracking down like never before. The latest iterations of third-party solutions are potent hybrids of machine learning and artificial intelligence (AI) — paired with actual humans — to make the tougher calls. Companies are getting much better at fraud detection and prevention, partly in response to its rapid spread.
Digital fraudsters aren’t taking this lightly. One analysis of more than 1.3 billion transactions found that between July and September 2019, about 20 percent of accounts opened were the result of massive bot attacks, not humans. The robot army marched on eCommerce, financial services, gaming and travel sites mostly — a 70 percent rise in bot-driven registrations in Q3 2019 alone. Then there’s the mobile advertising situation. Brands will have spent roughly $77 billion on in-app ads when 2019 is over, and it’s estimated that phonies will dip out with $26.5 billion of that. Such is “bundle ID spoofing” that makes false apps look real to ad networks.
Then there’s the disturbing rise in loyalty program scams. A leading index of digital theft found that loyalty fraud exploded by 89 percent over 2018, opening a vast new front in the battle.
For their part, the anti-fraud community is hitting back hard. Facebook is going deep into device data like battery charge and GPS coordinates to determine if it’s you or someone else making that purchase. FinTechs and merchants have formed a posse of sorts, with validation solutions provider Service Objects recommending using application programming interfaces (APIs) to verify emails, while retailers such as Costco, Morrisons and Tesco tell customers not to fall for social media notifications asking for personally identifiable information. It’s all in the latest PYMNTS Fraud Decisioning Playbook.
Fighting Fakes With Fire
War against digital fraud uses live ammo or, in some cases, recently live. Fishing fraud (not to be confused with “phishing”) is big business, for example. According to the European Union’s Food Fraud Network, fraudsters love seafood so much that it has seriously interfered with supply chain integrity. What’s an example of fish fraud? Selling chemically treated tuna intended for canning as “fresh” and fit for restaurants is a $220 million a year scandal in the U.S. Into the fray steps IBM to partner with Raw Seafoods of Fall River, Massachusetts, on the blockchain-powered Food Trust mobile app. IBM calls it a “… permissioned, permanent and shared record of food system data.”
Fraudsters like travel even more than seafood, and travel booking site TripAdvisor has had it. The platform’s recent transparency report tells of how TripAdvisor anti-fraud detection stopped roughly 1 million false and misleading reviews from ever being made live. Each interactive makes the TripAdvisor AI smarter, guarding content integrity and preserving trust in the brand.
Meanwhile in China, the Alibaba Anti-Counterfeiting Alliance (AACA) used AI to scan for fake accounts, which in turn led Chinese authorities to shut down a reported 500 knockoff shops.
The common denominator in these far-flung cases is AI and machine learning engineered for rapid decisioning on millions of possible fraud attacks while simultaneously providing a delightfully seamless experience for your customers. Easier said than done.
But it is getting done, with innovative systems that leverage human and artificial intelligence.
Data-First to the Last
Data-first approaches are winning right now, where smart AI scans impossibly large datasets making split-second decisions, while organizing and visualizing the rest for human analysts to ingest — an incredibly important stage that is now getting the attention it deserves. The brave new world of the machines exposing fraudulent activity is surprisingly human after all.
It’s all a moving target. When the FBI bobs, cybercrooks weave, and so on. But with new capabilities like device recognition, augmented analytics and data-lake enrichment, plus the intuition of human analysts, the cats are winning their eternal fight with kleptomaniacal cyber-mice.

The post #cyberfraud | #cybercriminals | Fraud Decisioning Pulls Ahead In A Tight Race appeared first on National Cyber Security.
View full post on National Cyber Security
OneCoin crypto-scam lawyer found guilty of worldwide $400m fraud – Naked Security
Source: National Cyber Security – Produced By Gregory Evans A Florida lawyer who boasted of making “50 by 50” – as in, $50m by the age of 50 – is now facing a potential 50+ years behind bars for money laundering and lying to banks about funds flowing from OneCoin, a cryptocoin Ponzi scheme that […] View full post on AmIHackerProof.com
#cyberfraud | #cybercriminals | Payroll Fraud: A Growing BEC Threat to Businesses and Employees Alike
Source: National Cyber Security – Produced By Gregory Evans The FBI reports that direct deposit change requests increased more than815% in 1.5 years $8.3 million. This number represents the total reported losses due to payroll diversion schemes that were reported to the FBI’s Internet Crime Complaint Center (IC3) between Jan. 1, 2018 and June 30, […] View full post on AmIHackerProof.com