Wanna buy a bridge? Too late, scammers have moved on…

Picture an overseas call centre staffed by intelligent graduates, being paid an hourly rate and working to achieve their weekly targets.


The call centre has processes, the latest technology and maybe even a clear desk policy. Sound normal enough?

"Scammers are known to be patient and monitor an individual or business’s activity to determine the best time to strike."

While this could be any call centre, it isn’t. It’s the emerging face of scams.

As banks have continued to invest in hardening their defences, fraudsters have changed their focus to target businesses and individuals directly, recognising it is easier to extract money from them than to bypass banking controls. It is similar to how a petty criminal will break into the house with unlocked windows, no dog or no CCTV.

Scam call centres are unfortunately real, and whilst they are not trying to sell you the Brooklyn Bridge, their schemes range in complexity and they take measures to ensure they are believable.

Adaptable and changing

According to the latest ACCC Annual Scam report, in 2018, almost half a billion dollars ($A489 million) were lost in over 378,000 scams reported to the ACCC, the Australian Cybercrime Online Reporting Network (ACORN) and other state and territory government agencies.

“These losses represent an increase of 44 per cent over the $A340 million reported in 2017 and demonstrate that the impact of scams on the Australian public is worsening,” the report said.

Scammers target everyone, are sophisticated and well-funded. The scammers have predefined scripts and approaches to convincingly trick people and businesses into parting with their money.

They are highly adaptable and regularly change their approach to optimise their success.

Scammers are also known to be patient and monitor an individual or business’s activity to determine the best time to strike: gathering personal information; monitoring emails, payment patterns and expected future large expenditure; and watching social media activity to identify times you will be overseas or travelling, making it harder to stop and report transactions.

It should go without saying, but this emphasises that people should be vigilant about calls, emails and texts they are not expecting and should never release personal information, account details or passwords, or provide remote access to computers or smartphones, to anyone.

Businesses meanwhile need to ensure they have appropriate controls in place to detect changes in payment details and ensure segregation of duties cannot be bypassed. A common scam occurs when a business is tricked into paying into the wrong account - often after an official-looking email notifying a change of payee account details.

No one is immune

Around one-third of the loss experienced by ANZ customers relates to businesses. Typically, the volumes for business are lower but the value of the losses higher - the average loss experienced by ANZ’s business customers was 10-20 times greater than individual scam victims.

Business email compromise (BEC) events can impact all businesses - from retail customers all the way through to the institutional customer base - meaning no one is immune.

The importance of appropriate business controls can’t be underestimated. In the majority of cases, the controls in place at the organisation are not sufficient to detect the scam or are easily circumvented to enable the scam to occur.

BEC events: how can it happen?


Key things businesses can be wary of and things they can do

  • Ensure appropriate controls, including segregation of duties, around the vendor management, accounts payable and banking platforms.
  • Be vigilant about sending money to people or organisations who are new to your business. Don’t send money based on email, phone, SMS or voicemail demands; check with the organisation directly whether you owe them money, using contact information on their website.
  • Validate changes in banking payment information with organisations directly, making sure you speak with people you know or use known contact information.
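
The three controls above can be expressed as a pre-release check on an accounts-payable batch. This is an added example, not ANZ's code or part of the original article; the record layout, field names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:              # vendor master record (hypothetical schema)
    vendor_id: str
    bsb: str
    account: str
    changed_by: str        # who last edited the bank details
    verified_by: str       # who confirmed them by call-back; "" if nobody

@dataclass(frozen=True)
class Payment:             # one line of an accounts-payable batch
    vendor_id: str
    bsb: str
    account: str
    amount: float
    entered_by: str
    approved_by: str

def review(payment, vendors):
    """Return reasons to hold the payment; an empty list means release."""
    vendor = vendors.get(payment.vendor_id)
    if vendor is None:
        return ["payee is new to the business"]
    reasons = []
    if (payment.bsb, payment.account) != (vendor.bsb, vendor.account):
        reasons.append("bank details differ from vendor master record")
    if not vendor.verified_by:
        reasons.append("bank details never verified by call-back")
    elif vendor.verified_by == vendor.changed_by:
        reasons.append("bank detail change verified by the person who made it")
    if payment.approved_by == payment.entered_by:
        reasons.append("payment entered and approved by the same person")
    return reasons

# Constructed sample data: names, BSBs and account numbers are made up.
VENDORS = {
    "V001": Vendor("V001", "000-001", "11112222", "alice", "bob"),
    "V002": Vendor("V002", "000-002", "33334444", "carol", "carol"),
}
BATCH = [
    Payment("V001", "000-001", "11112222", 1200.0, "dave", "erin"),
    Payment("V001", "000-009", "99998888", 1200.0, "dave", "erin"),
    Payment("V002", "000-002", "33334444", 500.0, "dave", "dave"),
    Payment("V999", "000-003", "55556666", 800.0, "dave", "erin"),
]

if __name__ == "__main__":
    for p in BATCH:
        print(p.vendor_id, p.account, review(p, VENDORS) or "release")
```

A held payment is released only after the payee is confirmed through known contact information, as the list above describes.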

Tip of the iceberg

The losses reported to banks, the ACCC and other regulators are likely to be the tip of the iceberg given there is personal embarrassment and a perceived stigma associated with falling victim to a scam. Organisations may perceive that publicity about being a victim of a scam will imply financial weakness and may cause reputational damage.

Confusing next steps

Once an individual or business has fallen victim to a scam, there is unfortunately a confusing array of organisations the victim should contact to report the incident and request assistance:

  • their bank to attempt to recover the money;
  • the local police station;
  • ACORN - the preferred law enforcement cybercrime reporting portal;
  • the ACCC’s Scamwatch - a government body which collects statistics and raises awareness of scams; and
  • IDCARE - a not-for-profit organisation helping individuals who are victims of identity fraud and scams.

The sheer number of organisations to contact often makes the process of being a scam victim even more confusing, stressful and time-consuming. Individuals often feel unsupported and unsure of where to turn. Support structures for individuals are continuing to develop with the support of organisations such as the ACCC and IDCARE.

Daily challenges

Just because the focus of scams is shifting from banks to individuals and businesses, the industry is not washing its hands. ANZ and other banks have established Scam Assist operations teams to proactively and reactively respond to customers who experience loss or are at risk of a scam loss.

These teams face the daily challenge of proactively engaging with customers to advise they may be subject to a scam. It’s rarely welcome news.

Customers will exhibit a wide range of responses including denial, anger and complete despair. In a lot of these matters, the customers are in distress, particularly when they eventually find out they have been scammed. This can often be the result of the realisation of a significant financial loss or embarrassment and shame that they have been deceived.

The second challenge is that banks and other organisations have sought to raise awareness of scams through education and notifications; however, notwithstanding the increasing awareness, the incidents and losses continue to rise at an alarming rate.

Interrupting operations

The prevalence of both complicit and oblivious money mules, who move the proceeds of scams quickly around Australia and ultimately out of the country and are typically only used for a short period of time, makes it challenging for law enforcement and regulators to crack down and break the organised syndicates. This is evidenced by the unfortunately low numbers of convictions for money mule activity.

International scam networks are often complicated and well connected. It is not unusual to see recipients of scam related funds actually be victims of a scam themselves. These recipients - more often than not romance scam victims - are being directed to receive and move funds by another online actor.

This continues to allow the scammers to layer funds, decreasing the possibility of recovery, detection and subsequent law enforcement intervention. Given that these deceptions are carried out across state and international borders, this presents further challenges in coordinating law enforcement efforts.

These scam types account for about 75 per cent of scam losses for ANZ customers:

Business Email Compromise (BEC)

A business receives an invoice from a familiar looking email address asking for payment to be made for an outstanding debt. The names appearing on the invoice often relate to a regular payment made by the business - however, the payment instructions have been changed to a third party’s account. This scam relies on the business not noticing this change of bank details.

Remote Access Scams

In these cases, an individual is contacted by a company and told their details are being used to commit fraud and in order to catch the scammers they need to provide remote access to their computer. The scammers then log on to the individual’s Internet Banking and transfer funds between the accounts and convince the individual to buy iTunes or other electronic voucher gift cards.

Romance Scams

People looking for romantic partners are taken advantage of, often via dating websites, apps or social media. The scammer often pretends to be a prospective companion. They play on emotional triggers to manipulate an individual into providing money, gifts or personal details. The prospective companion is often overseas.

Investment Scams

Scammers attempt to persuade an individual or a business to give them money in order to pursue a fake financial opportunity. Typical schemes are binary options, cryptocurrency, etc.

If you think you, a family member or friend has been scammed, report it immediately to the ACCC via the ScamWatch website. If you think you have provided your account details to a scammer, contact your bank or financial institution immediately.

Warren Brown is Manager of Financial Crime Oversight and Dylan Ryan is Fraud Risk Lead at ANZ


The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
