Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
A 51-year-old Australian businessman recently told the Australian Financial Review that he came much closer to handing over $25 million than he could have ever expected. The man, pseudonymously referred to as “John,” was targeted by a fraudster who convincingly posed as an HSBC executive and relied on John’s previous inquiries.
The incident serves as a chilling reminder that scammers are increasingly setting their sights on a lucrative target: executives, business leaders and other high-net-worth individuals. These scam attempts aren’t the typo-laced, sloppy phishing messages that almost everyone receives – they’re meticulously researched, laser-targeted, and use white-collar acumen that’s catching even the most financially savvy targets off guard.
Here’s how the scam against John unfolded – and what it means for leaders.
Think you’d never be tricked into handing over millions to a fraudster? Think again. It’s important to dissect how these scams work and the ways in which scammers establish credibility with educated, informed targets like John – a businessman who had recently sold his company to a multi-billion dollar, ASX-listed corporation.
According to the account John gave the AFR, the scammer posed as the head of fixed income at HSBC. Scammers routinely pose as trusted brands or authorities, but there was a critical factor lending extra credibility this time: John had previously made enquiries about term deposits with HSBC around 18 months prior. The scammer’s knowledge demonstrated they had done their research thoroughly, gathering intelligence on John’s previous financial dealings and interests. (Note that scammers use similar tactics with all big-four banks – no bank is safe from fraudsters attempting to capitalise on the trust consumers place in it.)
John also says the scammer was extremely comfortable with financial terminology and jargon. During their conversations, the scammer used terminology unique to the banking sector, portraying themselves as a seasoned professional.
Another subtle yet persuasive factor? The scammer claimed to be offering a competitive – yet still believable – rate. At 1% higher than John’s existing term deposit with NAB, the rate was attractive without setting off alarm bells. In many of our own articles about scams and red flags, we regularly warn people to think twice when something “sounds too good to be true.” But, here, the bait was carefully calibrated to be simply good rather than too good.
Finally, the scammer supplied John with what appeared to be an official rate sheet from HSBC, mimicking legitimate bank materials. If this sounds too complicated for many scammers to achieve on any sort of worrying scale, remember that new artificial intelligence (AI) tools are helping cybercriminals create fraudulent documents en masse.
John may well have uncovered red flags later in the process, but it was a call from NAB that alerted him early on. After John called NAB to give them the right of refusal, the bank rang him back to warn that he was likely being targeted in a scam.
Chris Sheehan, the head of fraud at NAB, tells the AFR that criminal organisations are often responsible for these scams – and that they have the scope and resources to go far beyond the spammy, obviously dodgy messages that most people associate with scammers.
“We’re not dealing with amateurs sitting in their mother’s basement. What we’re dealing with is transnational organised crime rings, incredibly well-resourced, with the latest technology and skilled salespeople.”
Of course, some scammers are mere opportunists, sending out blanket messages to score some low-hanging fruit and see who bites. In the sort of scams that targeted John, fraudsters are calculating predators. They’re fastidious in their research of targets, scouring social media platforms like LinkedIn to gather intelligence on their victims’ backgrounds, interests and vulnerabilities.
Unfortunately, it’s not just public data or social media that can fuel these scams. Staggering amounts of stolen data are available on the dark web, offering another tranche of exploitable information for scammers to mine. Police have linked the Medibank breach, for instance, to more than 11,000 cybercrime incidents.
Sheehan warns that scammers often target company executives, exploiting their busy schedules and crowded inboxes.
Ken Gamble, the executive chairman of IFW Global, a cybercrime investigation agency, also tells the AFR that there’s another vulnerability: a lack of financial expertise among some high-net-worth individuals. He recounts instances where affluent individuals, unfamiliar with complex investment schemes, have fallen prey and lost millions.
Scammers employ a range of psychological tactics, from fear of missing out on lucrative opportunities to coercion and manipulation. They often pose as attractive and successful businesspeople, grooming their victims over months before introducing the idea of investing. Gamble notes that while these individuals may be highly skilled in their respective fields, they can sometimes lack the social acumen to recognise the red flags.
The ACCC’s Scamwatch paints a grim picture, with Australians losing a staggering $477 million to scams in 2022 alone. Investment scams were the most lucrative, netting scammers $292 million – a 23 per cent increase from the previous year. Alarmingly, those aged 55 and over were the hardest hit, collectively losing $151.9 million.
Experts like Paul Haskell-Dowland, a professor of cybersecurity practice at Edith Cowan University, emphasise that scammers tailor their approaches to their targets’ profiles. For those who have recently acquired wealth but lack financial expertise, romance scams may be the chosen tactic. For those with more financial acumen, they present seemingly genuine investment opportunities.
Underreporting remains a significant challenge, as victims, particularly those in business circles, often fear reputational damage. However, experts stress that no one is immune to sophisticated tactics. When someone is targeted with just the right tactics, at exactly the wrong time, almost anyone can be caught out – scammers only have to succeed once, while the rest of us have to defend against every attempt, every time.
As scammers continue to evolve their methods, individuals, businesses, and authorities have to remain proactive. Raising awareness, implementing robust security measures and fostering a culture of transparency are crucial steps in protecting the financial wellbeing of all, especially those with significant access to wealth or sensitive business processes.