How I Almost Lost Thousands After Falling for an Email Hacking Scam
New Zealand businesses lost around $2.2 million during the lockdown due to hacked emails. Stuff reporter Katy Jones almost became another victim.
Looking back, there were signs that I was about to hand over a large sum of money to a hacker.
But the scam was so intelligently planned and targeted – and underreported, it turns out – that I put aside the shame of falling into the trap to speak out and warn others.
It is difficult to know the true scale of hacking scams in New Zealand because people do not report the crime to save their business reputation. But hackers, operating from Nigeria or Ghana, using compromised emails, were costing the United States $700 million per month before Covid-19.
I almost became another of those victims.
In February, I bought a house in Nelson and took out a mortgage.
Two months later, during the lockdown of Covid-19, I suffered a salary cut.
When a family member offered to lend me money to pay off tens of thousands of dollars on my mortgage, I gladly agreed.
I could not make the payment face to face at the bank under the alert level 2 restrictions, so I thought it would be safer and easier if the mortgage advisor, who set up my home loan, did it on my behalf.
I called him to ask for his advice.
He asked me for a copy of my loan details, from ASB bank, which I emailed to him, and he advised me to contact him once I was ready to make the payment.
When the money was transferred to my bank account about a week later, I emailed the mortgage advisor to let them know I had it.
Two hours later, I received a response from his email address, signed with his name, asking if I had the details of the account I was going to make the payment to.
Not knowing what he meant, I called his cell phone.
Since he didn’t respond, I emailed him asking if I could call him. He said he was in a meeting, and could I email my request.
I asked which account he was referring to, and he told me that due to Covid-19 all payments were happening online and he would send me the account information.
I put the tone of the email, bordering on dry, down to him being busy and maybe impatient with my naivety.
The next morning I called him. I confirmed that I had the money to make the repayment, and he asked me to email him my account balances.
Three minutes after doing so, I received an email from him, or someone I thought was him, advising me to make the payment to the ASB Mortgage Loan Trust. He gave the account number and asked me to let him know when it had been done.
I didn’t want to continue bothering him and – being busy myself – I wanted to check him off my list. So I transferred the money online.
A little over two hours later, I received a call from an ASB anti-fraud investigator, asking me to confirm why I had made the payment.
The investigator then said the money went to a Bank of New Zealand account, but BNZ froze the payment because there had been cases of hackers intercepting commercial emails when people were transferring large sums of money.
My heart sank. The doubts that I let go unanswered suddenly seemed like blatant red flags. I immediately felt like a fool.
Frantic calls to the mortgage advisor confirmed that he had not sent the emails. He was shocked to find that his email had been hacked.
That night, the BNZ fully refunded the payment.
Many victims are not so fortunate.
New Zealand businesses lost around $2.2 million during the lockdown after their emails were hacked, according to early police figures.
Twenty-three separate cases of these “email compromises” have been reported by companies of varying sizes, according to data from the police cybercrime unit.
Financial Capability Commission fraud education officer Bronwyn Groot said the crime had become very common around the world before Covid-19 struck.
Last year, Stuff wrote about a man from Nelson and his family who almost lost half of their savings to hackers after they phished his attorney’s email. He was about to buy a house and they emailed him, allegedly from the lawyer, with a fake bank account.
In the United States, business email compromises were causing $700 million in losses per month, Groot said.
The true extent was not known in New Zealand, as victims here often did not speak about it for fear of damaging their reputation, Groot said.
Reporting was also “really difficult”, with multiple agencies to report to, she said.
“The criminals are winning on this one.”
Behind the cyber attacks was an organized criminal network, which data showed operated primarily from Nigeria and Ghana, Groot said.
In cases like mine, the money probably went through the bank account of someone – a mule – who was either complicit in the scam or not aware of it (unwittingly), she said.
An unintentional mule could include someone caught up in a romance scam, where they believed they were receiving a refund from a so-called boyfriend or girlfriend abroad, Groot said.
Involuntary mules have been arrested in New Zealand, she said.
“They are locked up because it is easy to attack these people rather than the organized crime network abroad.”
If New Zealand banks introduced account number and name matching systems, like in the UK, it could alert people to the likelihood that they are about to send a payment to a scammer, she said.
Businesses or individuals making a payment when an account number has changed, or there was uncertainty about it, should always verbally agree to a payment, she said.
“Pick up the phone, call the person you’re paying.”
Netsafe CEO Martin Cocker said crooks could access email accounts that didn’t have extra protection, like second-factor authentication, because people used their email address as a login for many different sites and often used the same password for everything.
Once a criminal hacked into an email account, he could quickly delete all traces of the emails he sent, he said.
Recipients of hacked emails could find themselves handing over money to scammers, not only due to the sophistication of the scam, but due to timing and chance.
“For some people, they will be under pressure that day, they will be in a hurry.
“For crooks, it’s just a numbers game.”
During Covid-19, scams requesting a change in payment account may not have been reported the same way they would have under normal circumstances, he said.
“Whenever there is a significant amount of change, people embrace other changes.”
Introducing a single point of coordination for anti-scam activities in New Zealand would help disrupt scams faster, Cocker said.
Due to New Zealand’s “very disaggregated approach to scams”, information was not being shared effectively to help banks and telecom operators disrupt scams, he said.
Police advised businesses and individuals to review their cybersecurity and provided the following references: