Nelson Mail

How I fell for lockdown scam

Reporter Katy Jones tells how close she came to losing thousands of dollars to a scam during the Covid-19 crisis.


Looking back, there were signs I was about to hand over a large sum of money to a hacker. But the scam was so cleverly timed and targeted – and underreported, it turns out – that I’ve put the shame of falling for it aside to speak out to warn others.

It’s hard to know the true scale of hacking scams in New Zealand due to people not reporting the crime to save their businesses’ reputation.

But hackers, operating out of Nigeria or Ghana, using compromised emails, were costing $700 million a month in the United States before Covid-19.

I nearly became one of those victims.

In February, I bought a house and took on a mortgage.

Two months later, in Covid-19 lockdown, I took a pay cut.

When a family member offered to lend me the money to pay off tens of thousands of dollars from my mortgage, I gladly accepted.

I couldn’t make the payment face-to-face at the bank under alert level 2 restrictions, so thought it safer and easier if the mortgage adviser, who set up my home loan, did so on my behalf.

I called him for advice. He asked for a copy of my loan details, with the ASB bank, which I emailed to him, and he advised me to contact him once I was ready to make the payment.

When the money was transferred into my bank account about a week later, I emailed the mortgage adviser to let him know I had the money.

Two hours later, I got a reply from his email address, signed off with his name, to ask if I had the account information I was going to make the payment into.

Not knowing what he meant, I called his mobile.

When he didn’t answer, I emailed him, asking if I could call him. He said he was in a meeting, and could I email my request.

I asked which account he was referring to, and he replied that due to Covid-19, all payments were proceeding online, and he would send me the account information.

I put the tone of the email, verging on curt, down to him being busy and maybe impatience with my naivety.

The next morning I called him. I confirmed I had the money to make the repayment, and he asked me to email him the balance of my accounts.

Three minutes after I did so, I got an email back from him, or someone I thought was him, advising me to proceed with the payment, to the “ASB Mortgage Loan Trust”. He gave the account number, and asked me to let him know when it was done.

I didn’t want to keep bothering him and – being busy myself – was keen to tick this off my list. So I transferred the money online.

Just over two hours later, I got a call from an ASB fraud investigator, asking me to confirm why I had made the payment.

The investigator then said the money had gone into a Bank of New Zealand account, but the BNZ had frozen the payment, because there had been cases of hackers intercepting business emails when people were transferring large sums.

My heart sank. The doubts I let go unanswered suddenly seemed like glaring red flags. I instantly felt a fool.

Frantic calls to the mortgage adviser confirmed he didn’t send the emails. He was shocked to discover his email had been hacked.

That night, the BNZ fully refunded the payment. Many victims are not so lucky. New Zealand businesses lost about $2.2m over the lockdown period after their emails were hacked, according to initial figures from the police.

Twenty-three separate cases of such “email compromises” were reported from businesses of various sizes, the data from the police cybercrime unit showed.

Fraud education manager at the Commission for Financial Capability, Bronwyn Groot, said the crime had become very common globally, before Covid-19 hit.

Last year Stuff wrote about a Nelson man and his family who nearly lost half their life savings to hackers after they phished his lawyer’s email. He was about to buy a house and they sent him an email purporting to be from the lawyer with a false bank account

In the US, business email compromises were causing $700m a month in losses, Groot said.

The full scale was not known in New Zealand, because victims here often didn’t talk about it for fear of reputational damage, she said.

Reporting was also “really difficult”, with multiple agencies to report to.

“The criminals are winning on this one.”

Behind the cyber attacks was an organised criminal ring, which data showed was operating mostly out of Nigeria and Ghana, Groot said. In cases like mine, the money was likely to have gone through the bank account of someone – a mule – who was complicit, or wasn’t aware of the scam (unwitting), she said.

An unwitting mule could include someone caught out in a romance scam, where they believed they were receiving a repayment from a so-called boyfriend or girlfriend overseas, Groot said.

Unwitting mules were being arrested in New Zealand, she said.

“They’re being locked up because it’s easy to go after those people instead of the overseas organised crime ring.”

If banks in New Zealand introduced account number and name matching facilities, as in Britain, it could warn people of the likelihood they were about to send a payment to a scammer, she said.

Businesses or individuals making a payment where an account number changed, or there was uncertainty about it, should always verbally agree about a payment, she said.

“Pick up the phone, ring the person that you’re paying.”

Netsafe chief executive Martin Cocker said scammers could access email accounts that didn’t have extra protection, like second factor authentication, because people used their email address as their logon for many different sites, and often used the same password for everything.

Once a criminal had hacked into an email account, they could quickly remove all trace of emails they sent, he said.

Recipients of hacked emails could find themselves handing over money to scammers, not just because of the sophistication of the scam, but due to timing and chance.

“For some people they’ll be under pressure that day, they’ll be in a hurry.

“For scammers it’s just a numbers game.”

During Covid-19, scams requesting change of payment accounts may not have flagged in the same way they would have under normal circumstances, he said.

“Any time there’s a significant amount of change, people accept other change.”

Introducing a single point of coordination for anti-scam activity in New Zealand would help disrupt scams more quickly, Cocker said.

Because of New Zealand’s “very disaggregated approach to scams”, information was not being effectively shared to help banks and telcos disrupt scams, he said.

Bronwyn Groot, the manager of fraud education at the Commission for Financial Capability, says business email compromises are often not reported in New Zealand due to concerns about reputational damage, and because of difficulties in the reporting system.
