Monday, 3 June 2013
The internet has many advantages. Most businesses have now become nearly totally reliant on emails and the internet to conduct business. And we’ve all heard those scare stories of people who fall for scams. They’re all lonely viewers of adult sites and naïve, right? Wrong.
It is estimated that cybercrime cost businesses worldwide around $388 billion in 2011 and is estimated to have already risen to $1 trillion annually. $388 billion makes cybercrime bigger than the global market for marijuana, cocaine and heroin combined. In Australia, Symantec estimates that 4.5 million Australians fell victim to cybercrime last year, totalling $4.6 billion. This is more than double the $2.2 billion lost to burglary. Thailand employs over 200 police detectives on cybercrime (rising to 800), NSW has 12 detectives, with even fewer in other States.
We’ve recently been targeted, and we’d like to share our story, so you don’t have to go through what we have. In very simplistic terms, the scammers intercepted emails between a purchasing person and a regular supplier, diverting them through a series of email addresses that came up in both businesses’ address books as the normal email contact. In the background, they used email addresses from 4 continents (including .au). They monitored emails for about 2 weeks, mostly passing on the same emails as we sent (but delayed a few minutes while they handled them, which is very unlikely to be picked up). They intercepted a genuine purchase order from us (2.5 pages of line items that didn’t have any prices on it) and “repackaged” this into a ZIP file, which our supplier opened. The file contained a virus that allowed the scammers access to our supplier’s server. In at least one email, the scammers also added innocent enough questions to get more information.
When they had enough information and the timing was right with what we expected, they sent us an invoice (copying the format from our supplier’s server and complete with line-by-line prices that matched what we expected it to be – information we hadn’t sent) and new banking details, which we paid on. The business name spelling had changed by one letter, but still looked like a real business name, and a bank account had been set up to match the business name. Even the spelling “mistake” was not unusual, if you look at the lack of attention to detail in our society. I’m sure all of us have successfully banked cheques or made payments with spelling errors before.
When you have the benefit of hindsight, the little giveaways were there, although we (including IT experts) missed some of the pointers on the initial review even when we “knew” what we were looking for. When you have the sheer volume of transactions and you are dealing with your trusted regular contacts of many years, you don’t look for this level of effort from scammers.
Our lessons from this?
- The Australian Banks can’t/won’t do much at all. You have transferred money “correctly”.
- The well known UK bank can’t/won’t help. They represent their client.
- The Law has not kept up with Internet crime. Whose law applies across borders? Where was the crime committed? Qld Police and The Australian Federal Police can’t/won’t do anything. We’ve had to involve law enforcement in other countries. Although we probably have enough information to catch a person, you’ll be on your own…
- We have never changed Banking Details. IF YOUR SUPPLIER CHANGES BANKING DETAILS, CALL YOUR REGULAR CONTACT TO VERIFY. Emails are not a secure means of communication.
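
The check in the last lesson can be partly automated before a payment is released. The following is an added example, not part of the original post: it compares an incoming invoice's payee against the supplier record on file and flags a near-match name or changed bank details. The `Payee` fields, function names and sample values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payee:
    name: str        # business name as held on file / printed on the invoice
    bank_code: str   # BSB, sort code or similar
    account: str     # account number

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(name: str) -> str:
    # Ignore case, punctuation and spacing so only real spelling changes count.
    return "".join(ch for ch in name.lower() if ch.isalnum())

def review_invoice(on_file: Payee, invoice: Payee) -> list[str]:
    """Return reasons to hold payment; an empty list means nothing changed."""
    reasons = []
    dist = edit_distance(normalise(on_file.name), normalise(invoice.name))
    if 0 < dist <= 2:
        # A one- or two-letter change is the lookalike-name pattern.
        reasons.append(f"payee name differs from record by {dist} character(s)")
    elif dist > 2:
        reasons.append("payee name does not match record")
    if (on_file.bank_code, on_file.account) != (invoice.bank_code, invoice.account):
        reasons.append("bank details differ from record: phone the regular contact")
    return reasons

# Constructed sample data, not taken from the incident described in the post.
ON_FILE = Payee("Acme Fasteners Pty Ltd", "000-001", "12345678")
GENUINE = Payee("ACME Fasteners Pty. Ltd.", "000-001", "12345678")
SPOOFED = Payee("Acme Fastners Pty Ltd", "000-002", "87654321")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, review_invoice(ON_FILE, inv) or "ok to pay")
```

Any non-empty result should hold the payment until the change is confirmed by phone with the regular contact, not by replying to the email that carried the invoice.
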
And the takeaway for the low-life scammers: The law is struggling to catch you, so they probably can’t protect you either. There is a trail there, and you now have to live with looking over your shoulder, because one day soon, one of your victims will find you.
I may not be a Fraud expert, but there are some “easy” fixes that Government agencies around the world should agree on so these issues don’t continue to grow, and at least make it harder for criminals:
- All IP addresses should be registered to a person or business, allowing easier tracking and removing some of the anonymity of the internet. This would benefit not only Fraud cases, but fix many of the issues with the internet.
- Setting up a Bank Account anywhere requires positive identification of a person. An International protocol to Freeze questionable funds until resolved would likely lead to the apprehension of the person involved.
- Contrary to the constraints of other manufacturers, software companies are not liable for poor product quality, and security is often not high on their agendas. It’s like selling a car without door locks, and leaving the keys in the ignition.
Internet crime is not faceless. We just need “someone” to champion the cause and implement some solutions.
It’s Our Future – have your say!
All sides of Qld Politics recently got together in Mackay to develop a 30 year plan for Qld. It is apolitical, that is, it seeks to get the views of all Queenslanders (irrespective of political affiliation) on where we want the State to head over the next 30 years. Having been invited to be a part of the process myself, it’s now over to you to have your say, so we can determine the issues that are important to us. I’d like to invite you all to please get on board and submit as many or as few ideas as you like on the main topics of: Jobs and the Economy; Education and Research; Healthy and Active lifestyles; and our Communities in general. You can either send the details to your own State Member, or send your thoughts to Mark Stewart, Member for Sunnybank, at Sunnybank@parliament.qld.gov.au. Further details are in the attached link: http://queenslandplan.qld.gov.au/
Mark Stewart has been taking a great interest and has a good understanding of the issues we have in Qld. Having seen more results from his initiatives in the past year than was achieved in over a decade earlier, I’m convinced that Mark and others will listen to your feedback and make a difference to improving our futures. If we do nothing, nothing will improve. I hope you put your two bobs in!
As always, onwards and upwards!