By John F. Wasik, RealClearInvestigations
November 6, 2019
Jim Johnson didn’t notice the mysterious activity in his IRA until he received a note from his financial adviser.
“She received several emails from an unknown man asking for my bank account numbers,” Johnson recounted. “He was using my email address and insisted it was me trying to get access.”
The thief didn’t gain access to the retirement account or take any money yet – that would come later. What ensued was an agonizing series of cyber intrusions and probes looking for holes in his online security walls.
Johnson -- a business consultant in the Chicago suburbs who spoke on condition that his real name not be used -- is one of tens of millions of Americans who not only have had their identity and bank information hijacked, but have been victimized by thefts even after they became aware of the attacks.
It is still unclear how and why people like Johnson become repeat targets for scammers and thieves, even when they have financial professionals working for them. But experts say serial cyber thievery reflects the increasing sophistication of not just lone operators but those working for international cartels or rogue countries exploiting cutting-edge technology, including artificial intelligence.
Identity theft is a perennial problem victimizing an estimated 14 million Americans last year in fraud-related cases. The Insurance Information Institute and Federal Trade Commission say thieves raked in some $1.5 billion last year, an increase of $406 million from 2017.
More important, notes the insurance organization, “criminals are becoming adept at foiling authentication processes, particularly mobile phone account takeovers. These takeovers nearly doubled to 680,000 victims in 2018, compared with 380,000 in 2017.”
Johnson, then, is on the cutting edge of victimhood. His experience is especially instructive because he was not a naïve individual who fell for a “How could he believe that?” scam. As a high-level consultant, he is attuned to the latest technology. He consistently upgrades his security levels. Yet still he was targeted.
I’ve known him for about 20 years, but I didn’t know about his cybersecurity issues until another friend, a business systems expert, casually told me over breakfast. So I sat down with him last month to find out what happened.
Johnson was in Colorado on personal business a few years ago when he first heard from the financial adviser. Soon afterward, someone posing as him said he wanted access to his retirement account, “presumably to clean it out.” His adviser confidently assured Johnson that “nobody could get in.” But soon his bank accounts were being broken into repeatedly.
Those serial thefts – more than $40,000 total -- pointed to operators who were not only persistent but versatile, with multiple strategies.
“Even though we closed the checking account and opened a new one four different times, it made no difference,” Johnson recalled. “Their breach of choice was coming in through the phone banking system, authorizing checks to be written” -- a service offered by the bank -- “and sent to people we don't know using random amounts, all timed to when we were making deposits.”
How did the thieves know what he was doing? There is no simple answer. Cyber thieves are often members of criminal syndicates or state-sponsored enterprises (think North Korean or Russian), and they have the means to monitor accounts in real time. Engaged in widespread data and identity theft 24/7, they continually steal or buy email addresses, Social Security numbers, and new account information that’s posted for sale on the Internet.
“You can find databases of stolen customer data on the dark web,” notes Mark Gazit, CEO of ThetaRay, a provider of AI-based Big Data analytics. “Cyber criminals often use artificial-intelligence algorithms to systematically and autonomously hack into bank networks and steal the identities of hundreds of thousands of accounts.”
All Johnson knows is, “They were clearly monitoring our account balance. I don't know how, though, as I stopped doing electronic banking immediately and only my wife used it. We had to change our auto-pays four different times and incurred fees and spent dozens of hours trying to clean this up.”
The Johnsons' frustration level went through the roof as the couple bounced from bankers to the email account provided by his cable TV operator. How could someone know their every financial transaction? Were their Internet connection and phone tapped?
His travails were relentless. Even as his banking intrusions abated, another scam emerged: sham credit cards opened in his name.
In a lobby of a suburban Chicago police station loaded with identity-theft brochures, a local detective investigating Johnson’s banking and credit card complaints described a wholesale market for stolen data. And Johnson’s case file – obtained through a Freedom of Information Act request – suggested that thieves use information today the way bank robbers “case” a bank before a heist. They watch and wait for online financial transactions. Then they make their move.
“I got a phone call around 9 p.m. on a weeknight from our credit card company to ‘confirm our mailing address’ so they could send us a replacement credit card,” Johnson recounted. “I said I didn't order one. They said, ‘Sure you did – earlier today – and you gave us a mailing address.’ Then I asked for the address and, against their policy, they gave it to me. They don't like to give it out, because, as they said, our customers can become ‘vigilantes’ and take matters into their own hands, which is risky.”
The Johnsons' new cards were sent to what was evidently a "straw" address in a local senior apartment complex in Oswego, Ill., about 45 miles southwest of Chicago. So, Oswego police detectives set up a sting to follow one of the fraudulently obtained cards to the intended recipient, a woman living in the senior complex.
“They dressed up as UPS delivery men hoping to catch her in the act of accepting the replacement VISA card,” Johnson said.
But she refused to accept the package. What's more, she had refused others sent in the past. Detectives had to rule her out after she said she had been contacted by a man she had virtually “met” online through Match.com -- a “con man,” she later concluded.
The next step was getting a subpoena to determine who owned the email address on the online dating service. The detectives traced it to Lagos, Nigeria, and other locations in the United Kingdom. Then the trail went cold: The overseas email accounts had been shut down. “All investigative leads have been exhausted and the origination of the fraudulent activity was in Nigeria,” the police report concluded, closing the probe without an arrest.
And still Johnson’s troubles were not over. His 30-plus-page police report file confirms one more attempted swindle.
“We were refinancing our home,” Johnson continues. “We were going to wire transfer $91,000 at closing. They [the cyber thieves] sent a fake email – posing as our mortgage broker – then gave us new instructions for the wire to an out-of-state bank in Texas. Ten minutes before sending, my wife had the great judgment to call our mortgage broker to make sure all the banking information was correct. The broker then told us, ‘STOP!!! FRAUD!!!’ Had we sent the money, it would have been lost forever.”
How did the fraudsters know about Johnson’s transaction as he was making it? Again, the most agonizing part of this narrative is that the thieves appeared to be monitoring the couple’s transactions in real time, meaning they were watching their messages to financial institutions. Maybe they acquired his email address or banking information from the dark web. He’ll never know.
Still, there was more to this apparently multifaceted Nigerian phishing operation, run remotely through email, the police surmised. Johnson had his own theory, which came down to one email.
“I once received an email with the subject line, ‘You’re a millionaire’ from my financial adviser. A week later, I noticed something scary: My laptop was ‘taken over’ by a third party remotely. I could see the cursor moving on its own. I called my email provider, which didn’t resolve the issue. That’s how they got in, I think.”
Like most people, Johnson initially read that enticing email. It was a real message from his adviser, yet provided a loud signal to the thieves monitoring his accounts. Surprisingly, unlike most phishing scams, he didn’t click on a dangerous link or download a virus. Since they were watching for high-value keywords -- "millionaire," "money," "banking," "accounts" -- the cyber thieves wanted to follow the money at that point.
What can be done?
Experts say there’s little chance that any government agency, much less the financial services industry, can keep pace with the overwhelming volume of cyber thievery. According to the FBI’s Internet Crime Complaint Center, which receives some 900 complaints daily, the bureau logged more than 20,000 complaints last year involving what it calls “email account compromises.”
“The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds,” the FBI report states.
In non-technical terms, cyber thieves can monitor public social media accounts. Does a targeted person “like” a particular bank? Do they promote a certain financial service on Twitter? From there, thieves know where to start and try to acquire email addresses. They don’t even have to eyeball accounts one at a time: They can employ “bots” to automatically scan for keywords like “banking” or “brokers.”
“Like many issues in the cyber tech world, regulators and government agencies are slow to respond to the fast-paced changing world of threats and don’t have the sufficient resources to handle this global assault on financial and commercial systems,” said ThetaRay’s Gazit. Complex passwords and unique security information and tokens help, but there’s much more that needs to be done to protect personal data.
Then there’s the old-fashioned approach: Thieves will often call banks saying they “lost” their account information or credit cards, which can give them access to passwords or account numbers. That’s the “social engineering” part of it where posted information gives them leads on how to set up identity thievery.
A more detailed breakdown of specific cybersecurity thievery can be found in the Data Breach Investigations Report prepared by Verizon. Although reported direct theft from bank accounts seems to be relatively rare, hackers often find “back doors” by stealing identity information such as bank account or routing numbers, email addresses, or by phishing. As in the Johnson scam, this last ruse involves sending a link requesting personal information that will allow thieves to bypass other security measures.
In Johnson’s case, the thieves had several strategies, which they employed once they got into his email account. Was Johnson a random victim or was someone working within his bank or email provider setting him up? He has his suspicions, but he may never know. His vigilance and follow-through with police and his bank certainly helped, though.
Although he says that some $40,000 total was taken from his accounts, his bank replaced illegitimately withdrawn funds. Still, his confidence in his email provider and bank was shattered.
“Although we never lost a penny, I lost track of the hours I spent on these scams,” he concludes. “Thieves move on.”