Online fraudsters have infiltrated almost every aspect of our daily lives, from romance and investment scams to the fake fundraising accounts that began to appear within 48 hours of the Christchurch mosque shootings.
Joanna Wane investigates a callous and increasingly sophisticated global crime wave that’s defrauding millions of dollars from New Zealanders every year – and finds we’re all just one click away from becoming its next victim.
Cyber-crime investigators tracking a professional money-laundering syndicate had followed the trail to Karina, an Auckland finance industry consultant and mother of two. Her online identity had been stolen, the person on the phone told her, and her bank accounts had been hacked.
“I was really shocked and I wanted to do what I could to help,” says Karina, who agreed to hand over remote access to her laptop. “Their basic objective was to scare me; when they put fear into you, you don’t really think about anything else. I absolutely fell into the trap.”
Karina lost $30,000 in the sting, and her case is now under investigation in Hong Kong, which has become a “hotspot” for online scams like this one, where victims are tricked into making international bank transfers. But the chances of her recovering any money are extremely slim.
She’d just got home after dropping her daughter at school on a Friday morning when someone claiming to be from her internet service provider rang to say there’d been a security breach on her account (coincidentally or otherwise, the wifi on her laptop had been playing up the night before). An “investigator” then phoned back to say her identity had been used to open multiple bank accounts in New Zealand and offshore.
Through her laptop, he showed her evidence uncovered by a major investigation into an organised crime network, including photos of a Russian man living in the US said to be the ringleader. They were close to making an arrest but had to act fast – would she help ensnare him in a trap?
By the end of the call, she’d agreed to create a paper trail by sending $30,000 to a bank in Hong Kong, using money the investigators showed her they had deposited into her account. When the suspect accessed those funds, anti-corruption officers would be waiting to pounce.
That afternoon, no one at her bank questioned the transfer of such a large sum offshore, and Karina had been told to keep the deal confidential because one of the bank staff was suspected of collusion. It was only later that night she went online to check her balance and sat speechless, staring at the screen, with the sick realisation she’d been had. The “deposit” she’d been shown was fake and $30,000 had been stolen from her account.
By then, it was 11pm. Frantically, she made a flurry of calls to both banks and to the police in New Zealand and Hong Kong. “I was desperate to try and stop that payment,” she says. Finally, she was told by the local bank that nothing could be done until they re-opened on the following Monday.
On Saturday morning, she made a report to the New Zealand police, who advised her they were unable to investigate the case because it was outside their jurisdiction. She filed a report online with the Hong Kong police the same day.
Karina, who’s self-employed, accepts she’s lost the $30,000 – some savings, and money she’d set aside to cover her tax payments. What worries her now is that the scammers had access to private information on her laptop and the threat they used to entrap her – that her online identity had been stolen – now seems a very real danger. She’s closed her bank accounts, put a freeze on her credit rating, had her driver’s licence reissued and won’t answer her phone if the caller id shows a private number. “It’s very traumatic thinking about what they might have stolen, and wondering what they are going to do with it.”
Since confiding in those close to her, she’s realised how many other people have been caught out, too. The fallout, she says, can be devastating. One friend sent her a news report about a young woman in China who killed herself after being swindled out of money she’d saved to put herself through university.
“I was naive, but I think we’re so trusting in New Zealand, it makes us easy targets. People say, ‘I can’t believe you’ve been scammed; it doesn’t sound like you at all.’ But they’re con artists; they just net you into believing their stories.”
Actually, those old-school scam emails are still doing the rounds. People still fall for them occasionally, too. But today, online fraud has evolved into a complex and insidious industry with links to organised crime and the ability – like a cancer cell – to adapt, mutate and multiply fast enough to stay at least one step ahead of the game. Within two days of the Christchurch terror attack, fake fundraising accounts had begun hawking for online donations.
A recent study by the Center for Strategic and International Studies in the US found that close to $US600 billion – nearly 1% of global GDP – is lost to cyber crime each year. And in a world where our lives are increasingly lived online, the difference between reality and deceit has never been more easily blurred.
In New Zealand, the vast majority of fraud-related scams go unreported, but some commentators put the cost as high as half a billion dollars a year. The Commission for Financial Capability is currently investigating a case where the total losses are close to $6 million.
Figures just released by the government’s cyber-crime security agency CERT (Computer Emergency Response Team) show a record number of incidents were reported here in the final quarter of last year, with a surge in increasingly sophisticated email extortion scams. “It’s a very large and serious business that makes an enormous amount of money, so the resources available to attackers performing these campaigns around the world is very, very significant,” says operations manager Declan Ingram. “And as organisations wise up as to how these attacks are occurring and how to mitigate them, the attackers come up with new methods.”
A network of 100 or so similar agencies operate worldwide, sharing information on the latest cyber-crime threats, liaising with victims and helping businesses shut down vulnerabilities hackers could exploit. When the WannaCry ransomware attack crippled computer networks across Europe in 2017, CERT was able to release advance warnings and limit the damage here.
Internet safety initiative Netsafe and Consumer Protection’s Scamwatch also post blacklists of both online and offline scams doing the rounds. Alerts from the past couple of years include crypto-currency scams, counterfeit tech-support websites, blackmail threats, callers impersonating Inland Revenue staff, and email scams offering fake jobs or entry into a prize draw to harvest personal information and potentially gain access to financial accounts.
A recent “Immigration NZ” scam targeted new migrants, threatening to cancel their visas unless they paid a lump sum in untraceable iTunes gift cards. In another brazen campaign, callers pretended to be from the National Cyber Security Centre – the part of the Government Communications Security Bureau (GCSB) tasked with helping New Zealand organisations protect their information systems from advanced cyber-borne threats.
One particularly disturbing trend is a new wave of “recovery room” operations, where fraudsters posing as specialist investigators approach people who’ve already been ripped off in a scam and offer – for a fee – to try to get some of their money back. “They’re all nefarious, but that’s pretty much as low as it gets, targeting someone who’s already a victim,” says Mark Hollingsworth, manager of consumer protection at the Ministry of Business, Innovation and Employment. “They prey on lack of knowledge and they prey on fear.”
In his six years overseeing Scamwatch, he’s seen an increase in both the volume of scams and amount of money lost. Gone are the days when you’d look at an email and see the company logo was on backwards, or the name of the bank misspelt; some even list “help” numbers now.
“They use psychological tricks to influence a vulnerable person’s behaviour and entire life savings are being stolen; some of the stories are in the millions of dollars,” he says. “This is the kind of thing that destroys lives, waking up at half past two in the morning and realising you’ve been scammed, then the guilt and the shame of that.”
Hollingsworth says victims are often ridiculed and receive little practical or emotional support. In March, TVNZ’s Seven Sharp featured the heartbreaking story of a 55-year-old farmer caught up in an online romance scam that cost him $1.25 million, including the family farm he’d inherited after his parents were killed in a car accident.
“I feel an old fool, really,” he said. “I was alone at the start and I’m even more alone now.”
Research published in the British Journal of Criminology found the techniques and psychological methods used by scammers in online romance scams were similar to those in domestic violence cases. For overseas investment frauds, where there’s the lure of big returns, the most common marks are older professional men.
Private investigator Tim McKinnel – who championed the overturning of Teina Pora’s wrongful conviction for murder – worked on one case where a wealthy Kiwi landowner lost tens of thousands of dollars in an inheritance sting, after scammers convinced him he was a distant relative of the Indonesian royal family and a windfall was coming his way. Only the intervention of the man’s bank and the police eventually convinced him to stop transferring payments for the “advance fees” required.
“It’s a psychological game,” McKinnel says. “Different people have different triggers and they’re vulnerable in different ways. There’s a scam designed for almost everyone.”
The art of the con has infiltrated our daily lives to such an extent that Research New Zealand reports 72% of New Zealanders have been hit by some kind of scam. In the course of investigating this story, my personal count was a lottery-scam email, a dodgy attachment sent from a friend’s hacked Facebook page, and a cold call from a Swiss-based brokerage firm promising to match me with a “top financial manager” to make big profits investing online.
In that same time, a colleague was sent a fake renewal invoice for anti-virus software, a friend’s son was locked out of his Apple ID after hackers stole his account, and a corporate banker in my social circle lost $2000 in a romance scam (he’s sent money overseas to a woman he met online for her airfare to Auckland, but strangely she has yet to arrive).
An investigative journalist of my acquaintance was once sucked in by the promise of a free McDonald’s voucher; that didn’t arrive either. I guess he was hungry at the time. He still has a copy of an email from Yasser Arafat’s widow asking for money to help release part of the PLO leader’s estate tied up in red tape – for which he’d be handsomely rewarded.
Ludicrous as some of these “scattershot scams” sound, all it takes to make a mass email dump profitable is for a small percentage of people to respond. In fact, virtual theft has become such a lucrative business that fewer criminals are bothering to make “house calls”, say Button and Cross. Many countries worldwide have recorded a sharp decline in the number of armed robberies of banks and other financial institutions in the past decade, leading to speculation offenders are turning to online crime, where there’s lower risk and the opportunity to reap higher rewards.
McKinnel thinks that’s spot on. He describes online fraud as the future of crime, and believes it will become more sophisticated and more difficult to prevent. “Why would you commit burglary or robbery and run the risk of prison time when you can commit a relatively straightforward, high-volume, online crime with very little chance of being caught? All you need is basic IT skills and the ability to speak English.”
McKinnel himself was targeted by a sextortion scam a couple of months ago: an anonymous email was sent claiming his webcam had been hacked and threatened to release compromising footage if he didn’t cough up with a ransom. What made him take it a little more seriously was that one of his old passwords appeared in the email’s subject line. (This is an increasingly common scare tactic: Yahoo, LinkedIn, Adobe, eBay, My Space and Dropbox are among global sites that have been hacked in the past decade, compromising more than five billion passwords. In some cases, the breach wasn’t discovered for several years.)
“I wasn’t worried about the webcam, but I was worried about [the security of files on] my computer,” he says. “So I sent it to an IT security guy and it took me a good hour to work through and satisfy myself I wasn’t at risk.”
McKinnel’s contacts in the banking industry talk of an “enormous number” of interactions each week with offshore entities trying to dupe Kiwis out of their money. “You only need a return of .1% to make it a worthwhile investment. The countries these groups base themselves in have relatively weak rule of law, and often corrupt law enforcement. It’s so complex and so difficult to track down that it becomes an exercise in reducing impact rather than stopping it.”
What he finds frightening is not only how willing scammers are to exploit someone’s weaknesses, but how willing people are to trust a complete stranger. “And that’s difficult to protect against. When it’s a willing participant, there’s only so much you can do.”
Fair Go reporter Garth Bray thinks people let down their defences because they’re in a place of trust, at home on their phone or laptop. He says scammers create “rich and very, very detailed scenarios”, often trawling through social media to profile their victims. “They can get a hold of a lot of personal information about you they can use like third-rate spies to target you and try to pick your pocket. You have to remember that when you’re clicking on a website, it’s like someone has just knocked on your door.”
In 2016, Fair Go covered the story of a mechanical engineer living in Taupō who’d emigrated from South Africa 15 years before. He’d never been in trouble with the law, but was duped by scammers claiming to be from the IRD who demanded payment of a (non-existent) tax debt in Individual Taxation Underpayment Notarised Electronic Scheme cards – iTunes cards.
“They spent five hours on the phone manipulating this guy, convincing him the police were just down the road and he was in big trouble,” says Bray. “Eventually he got $8000 worth of iTunes cards from Pak’nSave and read them out the serial numbers; those can be activated anywhere in the world and then resold for face value and it’s basically untraceable.”
Now on his sixth season of Fair Go, he reckons it takes more and more every year to shock him. “We used to just deal with the rogue element in New Zealand. Now, we deal with the rogue element of potentially the whole world – and there are a lot more rogues and they’re a lot roguier,” he says. “You just have to be prepared to face the worst in people; the bottom of the barrel turns up on your doorstep every time you go online.”
“Whether or not it’s real and whether he actually lives there…” she says, spreading out a flow chart she’s drawn up to keep track of all the complex connections. “Maybe his passport is real. But I don’t even know that.”
Groot believes he’s a professional money launderer, and has passed her file onto the police’s Financial Intelligence Unit. As manager of fraud education at the Commission for Financial Capability, she’s part Sherlock Holmes and part grief counsellor, drilling down into fake websites or dating-site profiles to peel back the layers of scam – then sitting with victims as the reality sinks in.
“Success for me is that lightbulb moment when they say, ‘Okay, I get it.’ But it’s really, really hard when you see a 76-year-old man who’s lost his retirement fund and he’s crying and can’t cope, and he’s suicidal. They all say, ‘I’m so blimmin’ stupid, I was greedy.’ But it’s not you, it’s the fraudsters. They’re really good at what they do.”
Groot began her career as a bank teller, eventually specialising in financial crime and security. She suspects online fraudsters are part of organised crime rings that have access to massive global databases – sold on the black market – and often profile their targets. In overseas investment scams, where victims set up an online trading account and are assigned a financial adviser, the typical target is a man aged 65-plus who’s worked in senior management or run his own business.
“Of all the victims I’ve worked with, not one hadn’t invested in shares before,” she says. “And every single one said, ‘Bron, they were like my best friend. They were going to come out to New Zealand, have a beer and meet my family.’ One guy who didn’t listen to me at $250,000 finally went to the police when he was in for more than a million. They [the scammers] build up an ether, they call it, of excitement or fear, so people aren’t thinking straight. Then they strike. It’s psychological warfare.”
Groot helped one woman disentangle herself from a long-term romance scam, showing her how the man had created a fake profile by lifting photos from the internet. A few months later, she found the woman had begun sending money to him again. At last count, she’d lost almost half a million dollars and had sold her house. “I just had to walk away from that one.”
On Groot’s desk is a pile of flash brochures and scratchie cards relating to a Malaysian travel scam that was stopped in its tracks a few years ago when NZ Customs seized 350,000 envelopes at the border. It’s now started up again. When Groot looked into the scheme, she found links to websites for hundreds of fake travel companies and fake sponsors for the “prizes”.
Last year, the commission published The Little Black Book of Scams (also available online), which looks at a variety of scams and how to recognise something is amiss. A common trap, says Groot, is the amount of personal information people reveal on social media. Chances are that online quiz, where you create a porn-star persona by combining the name of your first childhood pet with the street you grew up on, has just given away the answers to a couple of security questions on your online banking account. The commission has also trialled a call-blocking device that prevents scammers and unwanted callers from harassing people on their landlines.
The commission supports calls for a centralised agency to combat the rapid rise in scams: a one-stop shop with investigatory powers where victims can report scams, and receive help and support. Groot would like to see banks treat scams more seriously, and challenge payments or transfers that seem out of character. In one case brought to the commission, the victim lost a total of $1.2 million; she says the bank didn’t follow up on the documentation she gave them or question the customer until the last transaction was being made.
Banking Ombudsman Nicola Sladden says banks do have a responsibility to follow up on red flags, and can withdraw products and services if they suspect fraud is involved. In one recent case, she found a bank partially liable because staff had failed to adequately question a customer’s motives for taking out a loan: the couple involved, who had already lost $100,000 in a Hong Kong investment scheme, borrowed another $10,000 to try to recoup their losses.
Under anti-money laundering legislation, all overseas transfers of more than $1000 must be reported to the Police Financial Unit (in one three-month period last year, there were more than a million of them), as well as any transaction or activity deemed suspicious.
Sladden says banking ombudsman schemes internationally have seen a spike in complaints relating to fraud and online scams. Under the New Zealand Code of Banking Practice’s fraud guarantee, banks will reimburse money taken without authority if a customer hasn’t been dishonest or negligent (such as sharing their PIN), has complied with terms and conditions, and taken reasonable steps to protect their banking.
However, if the customer has voluntarily authorised the payment, that may not apply. For example, a bank might not reimburse a customer who’s been taken in by a fake shopping site, but should make an attempt to recover the funds, says Sladden. In reality, an online transaction where money has been sent overseas is almost impossible to stop or reverse. “Stop and think, ‘Is it for real?’ And assume once you press push, the money is gone.”
Banks use algorithms to flag suspicious activity, but the numbers are daunting. ANZ, for example, processes around 30 million transactions per month. As part of a customer-education campaign, emails have been circulated on how to recognise a phone scam, and staff have been trained to run cyber-crime workshops at retirement villages.
Successful prosecutions for online fraud are rare, but busts overseas support the premise that it’s a bedfellow of organised crime. In 2016, Indian police swooped on a series of call centres in Mumbai where around 700 people were making thousands of scam calls a day to the US. And last October, investigators in Hong Kong, Malaysia and Singapore infiltrated an online romance syndicate where 147 victims had lost a total of more than $US14 million.
Detective Superintendent Iain Chapman, national manager of the New Zealand Police Financial Crime Group, works closely with law-enforcement colleagues in the Five Eyes intelligence alliance, which is cracking down on money laundering. “And scams are money laundering, no matter which way you cut it. Transferring money obscures the source of those funds.”
While alarm bells might ring if someone is asked to send money to Nigeria, he says, “if you’re being asked to send it to Invercargill, that seems legit. Who’s the person in Invercargill the money is being sent to? Well, they’re caught up in their own scam – probably a romance scam, where the victim is acting on behalf of a boyfriend or girlfriend online they’ve never met before who’s stuck on an oil tanker somewhere.
“It’s absolutely insidious, and until you’ve been inside the belly of the beast and experienced this kind of social engineering, you can’t for one second know what it’s like. The front end of a scam and its methodology changes daily, but the back end is exactly the same. What we need to teach people is not to worry about trying to keep up with the latest techniques – worry about the red flags that exist across them all.”
Despite anecdotal evidence that scam victims are often treated dismissively by the police or bank staff, all the key people interviewed for this story stressed the importance of lodging an official complaint. Chapman says that’s essential for agencies such as the Government’s cyber-crime security unit CERT so they can build up a national scam profile and identify new threats. The day before he spoke to North & South, Chapman had been contacted by an officer in Taihape, where a woman had reported being scammed out of $213,000 since the start of February. “So that constable has done the right thing.”
Figures from CERT show people aged 65-plus accounted for a quarter of all reported incidents of cyber crime last year – and 85% of direct financial losses. However, a 2018 report from the Federal Trade Commission in the US found millennials are particularly vulnerable to “imposter scams”, with 40% of fraud victims aged 20-29 losing money, compared to 18% of those aged 70-plus. Even then, older people tended to lose much more.
Chapman says that generation is often missing an entire skill set around IT and social media that younger people take for granted. “If you want to step onto a building site, you need to be inducted, you need a hard hat and steel-cap boots – you need everything to keep yourself safe. Yet we’ll go and give Nana an iPad for Christmas.
“If a younger person loses a couple of grand, that’s not life-changing. You can chalk it up to a life lesson. But older people who fall for an investment scam and lose their life savings, there’s no coming back from that.”
Netsafe, a non-profit organisation dedicated to keeping people safe online, is more commonly associated with preventing cyber bullying, but now has an entire section of its website dedicated to scams. In 2018, 13,000 instances of online scams and fraud were reported to Netsafe, with total losses of $33 million – triple the year before.
Technology director Sean Lyons has no doubt cyber crime sits right alongside people-trafficking and other more traditional operations associated with organised crime. “And all the time they’re learning from what they do, building mass data, working out the points of failure and then modifying their process to fix it. When one ring is taken down, it’s like technological whack-a-mole, creating a space in the market for someone else to occupy.”
Even romance stings have “the sniff of shift work”, suggesting the possibility of specialists involved in different phases of the scam, with some hooking the victims and others winding them in, before a “closer” makes the first approach for money. “You can’t underestimate the psychological skill of the people involved.”
Lyons says scams cause devastating harm and can change the trajectory of a person’s life. His advice? Listen to your instincts. Hit delete. And don’t try to work through it alone. “Get another set of eyes, a sense of someone else’s reality who’s not quite as wrapped up in it – someone you trust and can say, ‘Objectively, on the balance of everything, I don’t think this is real.’”
A trail of deceit
March 2019: A Hawke’s Bay man pleads guilty to charges of blackmail and forgery after contacting a 22-year-old woman on Facebook claiming (falsely) to have compromising photos of her and threatening to distribute them if she didn’t send more. A Hamilton-based model and talent agency was also targeted by the same scam.
February 2019: An Otago University student chats online in te reo to a scammer who’d duplicated her aunt’s social media page; she tipped to the con when her “aunt” told her she was eligible to apply for $150 million from a charitable foundation, and told her to call a Los Angeles-based telephone number for more details.
December 2018: Offices in New Zealand are targeted as part of a global email scam claiming a hidden explosive device will be detonated unless a ransom is paid in bitcoin.
October 2018: Netsafe posts an alert after receiving thousands of reports about a sextortion email scam, where victims are told their webcam has been hacked and embarrassing footage of them cruising porn sites will be released to their personal contacts unless they pay up.
January 2018: Families with children returning to school are informed their online stationery order hasn’t gone through and that payment needs to be made again via the online link supplied.
May 2017: Government cybersecurity agency CERT gives advance warning here of the global WannaCry “ransomware” attack that infected tens of thousands of computers in 74 countries with malicious software, locking out users and threatening to destroy their data.
May 2017: An offshore scammer claiming to be from Windows technical support unwittingly phones a Kiwi police officer. A recording of the call is posted to the NZ Police Facebook page with the hashtag “oops”.
April 2017: Fair Go exposes a Denmark-run beauty company, Lux Style, that sends out unordered products to potential customers who have supplied their addresses, and then demands payment – threatening to forward any “unsolved debt” to a collection agency.
September 2016: Unauthorised images of Seven Sharp’s Toni Street and fabricated social media posts are used in an internet scam promoting a weight-loss supplement. “Real people are actually losing real money here,” says Street, “and I’ve been painted as someone who peddles diet pills.”
June 2015: Whanganui man Antony de Malmanche is jailed for drug trafficking in Bali after 1.7kg of crystal meth is found in his backpack on arrival at Denpasar Airport. The 52-year-old had flown over to see a woman he’d met online.
This article was first published in the May 2019 issue of North & South.