Scammers are having the time of their lives. Whether by phone call, email, web page or fake invoices, they are stealing large sums of money from unsuspecting businesses, organisations and consumers at an alarming rate. The advice below is relevant to bank transfer scams where the stolen funds are transferred from your account at your bank to the scammer's account at another Australian bank or branch. Yes, you read it right: scammers are easily opening bank accounts at most major banks in Australia. All banks deny this and will usually blame a "compromised account" to explain how a scammer can operate a bank account in Australia when they generally don't even live in Australia!
Strangely enough, opening an online bank account does not require the same proof of identity required to open an account in person at your local branch. All banks use what they call "data matching", often outsourcing those services to specialist companies, where a stolen driver's licence is often enough to open an account. In fact, scammers open numerous accounts at different banks, and those accounts then sit idle until they are used to transfer stolen funds at the appropriate time in the future.
So, that's the back story. What happens if you have been scammed using a bank transfer between Australian banks?
Your bank will blame you (OK, maybe not all of them)
As if you don't feel bad enough already, your bank will pile on the misery by pointing out that it is your fault. You believed the scammer, you gave them access to your phone or computer, you accessed your internet banking while the scammer was accessing your computer, you gave up the SMS code which authorised the transaction, it's all your fault.
But it's not entirely your fault
For starters, you are using their system. You didn't ask for internet banking. Sure, it's handy, but the banks invented internet banking and through various means forced you to use their services. They closed their branches, they made it difficult to do your banking in person, they developed the systems we use today, and the scammers are way ahead of them. The current SMS confirmation system used to work a treat until scammers worked out how to trick their targets into giving up the code. The bank login screens have pathetic warnings, if any; at best they encourage you to wade through pages and pages of different scams, and the banks will then blame you for not being aware of them all. All banks have systems of "Red Flags", which are internal computerised warnings that are supposed to pick up typical scam behaviour. Some banks are good at this and some banks are hopeless at it. It beggars belief that their Red Flag systems are being defeated by scammers over and over again.
OK, you've been scammed, now it's time to talk to your bank
Hopefully you contacted your bank the moment you realised you had been scammed. Some banks will contact you if they pick up a transaction which has the hallmarks of a scam transaction, but this does not happen often enough. Warning: Scammers are now pretending to be your bank's fraud department and they are very convincing. You just can't trust phone calls from anyone these days! Confessing to your bank that you have been scammed is a horrible conversation. Plenty of people will use the term "hacked" because that implies it is not really one's fault, but a genuine hack is rare; it is much more likely that you have given up your email login credentials inadvertently, or you really did think it was the NBN calling...
Your bank will immediately shut down your internet banking and change your passwords, and they may even cancel your credit card. They won't reactivate your internet banking until your computer and other smart devices have been cleared of remote access software and other malware which may have been installed. We do this work routinely and provide a statement that your computer and other devices are all clear and safe to use. In most cases the removal of the remote access software you may have been asked to install is enough, but in the case of an email compromise we have to check the email software on each of your devices for email filters and auto-forwarders commonly used by scammers.
You are going to need to ask them some hard questions
Hard for the bank, that is. You will find the questions very easy to ask once you know what they are; it is the bank who will find them very difficult to answer. Your local branch will be polite and sympathetic but completely ineffective, in the sense that they are usually not even allowed to engage with you in the way you might expect. Most banks actively prevent their local branch staff from dealing with the issue directly and will insist that you talk to the bank's fraud department, who are somewhat distant from the local branch and completely disconnected from the horror of being scammed. I think they are just numb to it, at best. Insist on meeting with your local branch manager. That's where you put your money, and your local branch manager should be ready to assist you as best they can. Invite me too, that can be helpful...
Question: Where is my money?
It's pretty easy to work out where your money went. It's a bank to bank transaction after all, using BSB (bank/branch) numbers and account numbers. From the BSB you can work out precisely where the scammer operated their bank account. bsbnumbers.com will tell you.
OK, so you know and your bank knows where the money went, they know the precise date and time and the amount stolen from you.
They will contact the scammer's bank and gently ask for the money back. Sadly, this process can take some time, and it is rare to get a sense of urgency from your bank. Almost without exception, the scammer's bank will advise your bank that there are no funds in the account and your bank will thank them politely and then tell you the money is gone, it's all your fault, sorry about that, job's done.
If you are very fortunate, either your bank's Red Flag systems or the scammer's bank's Red Flag systems will block the transfer. This is the ideal outcome but it's not common.
Question: When did you notify your bank about the scam?
You will need to be clear on this. You will generally have a very strong memory of the moment you realised you were scammed and the call to your bank is usually one minute later! Your bank will also know when you called them. Sometimes you will feel more comfortable driving straight to your bank rather than calling them, but this is only a good idea if the branch is relatively close. Time is of the essence here.
Question: When did the funds transfer take place?
This will be easy to establish even if you can't remember in the chaos of the moment. The bank transfer will be date/time stamped.
Question: What was the time difference?
The time difference is now easy to work out. Sometimes it is a few hours, sometimes it's the next day and sometimes it is within a few minutes.
Question: Why didn't the bank block the transfer when I rang to report the scam?
This is the big question and the answer may horrify you. At best it may be a complete surprise.
Back in the day, when Internet Banking was a lot safer to use, there was a delay between when you made the bank transfer and when your bank sent the money to the receiving bank. Very early on it could easily be a few days before the funds were "cleared" and the recipient got your money, but in more recent times each bank transferred funds at set times of the day, typically several times a day, i.e. 6 hours or so between transfers.
So, in recent times, if you rang your bank within a couple of hours and before their cut-off times, which were usually midday, 6:00pm and midnight, you could easily get your stolen money back.
Today, pretty much every bank in Australia uses a service called OSKO.
Question: Why were my funds stolen using OSKO?
OSKO is owned by BPay and BPay is owned by the big four banks, or they at least created BPay. BPay is an excellent payment system. OSKO is an unmitigated disaster and is ideally suited to scammers who can steal your money in the blink of an eye. Your bank will tell you, as will OSKO, that it is "the easy way to pay household bills" and "perfect for when you need to pay a mate back for dinner or pay a tradie".
No mention of it being used for business to business transactions involving tens and hundreds of thousands of dollars.
Question: Can I remove OSKO from my internet banking?
No. Really, no. Did you ask for OSKO? Also no. Scammers can steal your money in under a minute using OSKO.
Question: Where did my money go?
Your bank won't tell you and neither will the scammer's bank. True story.
Your bank won't even ask the scammer's bank where the money went, because they know they won't get an answer. None of them tell each other where the money went, so nobody learns anything from any stolen funds transfer which has gone before. Let's say the banks do know. But they are not telling their customers. It's just "gone".
So let's work through this
You have an Australian bank account with an account name, a BSB number and an account number, and you had to jump through the 100 point hoops to open that account.
The scammer also has an Australian bank account with an account name (but not their actual name), a BSB number and an account number, and they either opened the account with stolen credentials or they compromised an existing account.
Your stolen funds get transferred from your bank account to the scammer's bank account and that transaction is "known" in the sense that your bank knows where the money went and so does the scammer's bank.
So, the stolen funds arrive in the scammer's bank account, and they then take advantage of OSKO to transfer the funds elsewhere, almost always overseas, in the blink of an eye.
We know the scammer is not going to walk into a branch and withdraw cash, mainly because the scammer is rarely physically in Australia but also because the police could be waiting for him/her: "You're nicked, sunshine".
So the funds get transferred to another bank account somewhere else in the world. That bank, branch and account number are known to the scammer's bank but not to your bank.
Question: Why doesn't your bank investigate where the funds went?
Well duh! Because this is all your fault of course. Your bank pays lip service to tracing the funds and they don't look any further when the scammer's bank says sorry, there are no funds in the account.
Question: Why doesn't the scammer's bank investigate where the funds went?
Good question. Because they are the bank who allowed a scammer to operate a bank account at their bank. They don't want anyone to investigate because it will quickly become apparent that they aided and abetted the scammer. Discussions between bank fraud departments are very secretive under the guise of privacy and/or bank security so they won't tell you or me anything. But the scammer's bank knows where the funds went. They may try to recover the funds but it is never obvious they are doing so and you will never know whether they even tried.
Question: Why isn't there a better system for first time payments to a new bank account?
All banks know that bank transfer fraud is huge. If the payee is already recorded in your payee list within your internet banking then the SMS confirmation works a treat. But for some reason the same system is used for payments to a new payee, where the scammers are using every trick in the book to get you to give up the SMS code. If they are logged in to your phone via a remote access app, which is becoming more common, they can mute the phone notification so you don't even see the SMS confirmation come through. They just enter the code and OSKO does the rest. All banks know this. They have pages and pages of scam and security advice for you to wade through, yet they don't do more to block that first payment to a new payee. Where are the Red Flags? It would be so easy to set up a system to double-triple check all payments to new payees but they don't do it. Why not? Because it's your fault.
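The double check on new payees asked for above, combined with the old delay between making a transfer and the funds leaving, can be sketched as a simple hold rule. This is an added example, not any bank's actual system; the dollar threshold, the six hour hold, the account strings and the times are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values for illustration only, not any bank's real settings.
HOLD_THRESHOLD = 1000.0                 # dollars; below this, first payments are not held
NEW_PAYEE_HOLD = timedelta(hours=6)     # cooling-off period for a large first payment
INSTANT = timedelta(0)                  # models an instant transfer with no hold

@dataclass
class Payment:
    payee: str            # "BSB account" string (constructed values below)
    amount: float
    submitted: datetime

def release_time(p, known_payees, hold):
    """Time the funds actually leave the sending bank."""
    if p.payee in known_payees or p.amount < HOLD_THRESHOLD:
        return p.submitted              # existing payee or small amount: no delay
    return p.submitted + hold           # large first payment to a new payee: held

def outcome(p, known_payees, reported_at, hold=NEW_PAYEE_HOLD):
    """'blocked' if the customer's report reaches the bank before release."""
    if reported_at is not None and reported_at < release_time(p, known_payees, hold):
        return "blocked"
    return "sent"

# Constructed sample data: one saved payee, one scam payment, report 38 minutes later.
KNOWN = {"000-001 11111111"}
SCAM = Payment("000-999 22222222", 48000.0, datetime(2024, 1, 15, 10, 2))
REPORTED = datetime(2024, 1, 15, 10, 40)

if __name__ == "__main__":
    print("instant transfer:", outcome(SCAM, KNOWN, REPORTED, hold=INSTANT))
    print("new-payee hold:  ", outcome(SCAM, KNOWN, REPORTED))
```

With no hold the report arrives after the money has left; with the hold, the same report arrives in time to stop it, while payments to saved payees and small first payments are not delayed.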
OK, so that's a lot of questions!
Yes it is, and your local branch won't be able to answer many of them, so you will need to escalate the issue.
Who is your line manager?
This is actually a good question to ask early on. Whoever you are talking to at the branch will have an area or district manager they report to. Ask for that person's name and make a note. Some branches will get that person on the phone while you are in the branch and some branches will not even tell you the person's name. All banks will want you to talk to their fraud team, who will generally just reinforce the notion that it's your fault, so you will need to be firm with your line of questioning. Some banks have what they call a "Customer Advocate", where I don't think the word "advocate" means what they think it means.
For more information contact Greg Williams on 08 8682 1666
or email email@example.com
or email firstname.lastname@example.org