News from 2022

June 2022 ~ Caution needed over Chinese instructions

Those of us who regularly take on investigations on behalf of overseas clients will occasionally have encountered red flags when conducting due diligence in respect of prospective clients. At IPFGB, we follow ABI guidelines by automatically compiling a Data Protection Impact Assessment in respect of each case. Naturally, that takes into account not only our legitimate interest in processing the personal data of others without their consent, but also that of the potential client.

Our good friend and highly respected IP infringement investigator, Ron Alvarez, has once more warned his fellow-American PIs of a problem which has been dogging the industry there for some time. Very recently, the US Department of Justice indicted a number of people for harassing, threatening, and spying on US-resident Chinese dissidents on behalf of the Chinese government. What has emerged is of PIs in the US accepting instructions to provide background checks on Chinese victims legally living in the United States. One PI completed an OSINT profile for a $1500 fee, but was then further tasked to obtain IRS tax returns and to establish any links with the CIA or FBI; further, to dig up derogatory information and, if none existed, to invent it. The PI duly informed the FBI of the approach . . . it was established that the client was indeed an agent of the Chinese Ministry of State Security [MSS]. Ron has provided evidence that this was not an isolated case . . . in 2020, a PI and former law enforcement officer was arrested for conspiring with Chinese “foreign agents” to coerce a target to return to China.

In a press conference in March of this year, the FBI’s Assistant Director, Alan Kohler, made an official announcement to all US PIs, urging them to notify the FBI if approached by foreign governments.

So, could it be happening here in the UK? Quite simply, the answer is, “Yes.” Only last year, we at IPFGB were indirectly approached by a Chinese company, tasked to locate a sizeable number of Chinese nationals working in the UK; ostensibly as a ‘head-hunting’ exercise with a view to offering them lucrative employment. Immediately suspicious, we applied the ‘legitimate interest test’ and insisted that the potential client provided sufficient data to satisfy us that the approach was indeed warranted. As expected, the assignment instantly evaporated . . . we never heard another word from them. One was left to wonder what justifiable reason they would have produced in wanting to know where their nationals were living and working . . . other than to pressure them into spying. Was the task offered elsewhere . . . and accepted?

Also published at ABI News:

May 2022 ~ ABI award for Dick Smith

Having served the Governing Council of the Association of British Investigators for seven years, including Presidency in 2018 and latterly as Law Enforcement Liaison Officer, IPFGB’s Dick Smith was presented with the prestigious Frank Martin Award at the annual gala, this year held at Tortworth Court in Gloucestershire.

Full story: Click here

April 2022 ~ Ofcom crackdown on number spoofing

Around 45 million scam calls or texts were received in Britain during last summer alone. Cybercriminals pretending to be genuine individuals or organisations defrauded thousands of victims out of cash and sensitive data. Last year, on this news blog, we reported that it would be 2025 before a new VOiP system would create the opportunity for the UK to counter ‘number spoofing’ fraud.

Global e-retailer clients engage IPFGB to conduct international investigations across Europe, and invariably it is UK-based mobile and landline numbers being used. Number spoofing involves fraudsters changing their caller ID to disguise their true identity or trick the recipient into believing they are calling from their bank, or some other genuine entity.

Many victims say the most convincing element of the scam is the fraudsters’ ability to appear as though they are calling from trustworthy companies. The majority of spoof calls are made using a VoIP service or an IP phone that transmits calls over the internet; users being able to choose the number or name they want displayed on their caller ID.

In conjunction with phone companies, Ofcom is introducing new measures to reduce spoofing; compelling networks to block numbers that are clearly fraudulent. Networks could sift out spoof calls originating from within the UK by authenticating a caller’s ID information before connecting them to the dialled number. The UK’s transition to digital landlines within a few years should make this achievable. But most spoof calls originate from overseas and do not have a valid caller ID.

Ofcom is also aiming to prevent scammers from accessing valid phone numbers by ensuring phone companies run background checks on business customers. Once fraudulent numbers have been identified, phone companies should suspend and report them to the police and regulators.

“Many of these phone companies are also based overseas, however,” says Dick Smith. “With OCGs operating these scam call centres in Northern India, for example, one wonders if the substantial revenue arising from their business will in reality be sacrificed.”

March 2022 ~ Using QR Codes? . . . . beware!

This year will mark the seventieth anniversary of the patenting of barcodes, and two years later, a 10-pack of Wrigley’s Juicy Fruit chewing gum was the first product ever to be scanned . . . in an Ohio supermarket.

Surprisingly, the QR Code, a variation on that theme, has already been around for almost thirty years.

With ever-increasing applications for QR codes, particularly during Covid, when social distancing has been so essential, the public in general has embraced their use, taking advantage of instant connections and rapid transactions.

But do we all take a moment to check exactly what we are connecting to, or precisely where we could be sending our money or, more importantly, our data? Well, we should!

Since the start of 2022, the FBI has been repeating warnings that a second wave of QR code scams is sweeping the world. We cannot afford to be blasé, casually pointing our phones every time we are encouraged or even instructed to do so. False codes can lead you to websites which can then download malicious malware to obtain information on your phone, allowing scammers to hold your device hostage and demand payment.

Quick-draw mobile-users appear to be adopting a “shoot first – ask questions later” reaction to every QR code they encounter. During the recent Super Bowl, a colourful QR code bounced across TV screens worldwide and millions of viewers picked up the smartphones and engaged with the ad. They were taken to the website for Coinbase, a cryptocurrency exchange. The ad generated so much traffic that it crashed Coinbase’s app.

Whenever new technology simplifies the process of pulling in customers, before long it’s going to be abused. The problem here is that the QR code masks the site you are visiting. It is so easy for the scammers to mock-up a copycat website and take unsuspecting [or careless] punters to the cleaners.

The FBI cautioned, “Cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.” They also warned that “malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location, as well as personal and financial information.” 

Suggested precautions:

  • Only scan a QR code from trusted sources; check the URL, and never enter personal information without verifying it is both official and secure.
  • if you receive an email with a QR code, that’s an immediate red flag. These codes are meant for interactions where you can’t just click on a link.  
  • If you use QR codes in your company, ensure the one your customers scan is the one you created. If you code is out there on the street, make sure no one has covered yours with a sticker! Best of all, add some text . . . for example: “This code takes you If it doesn’t, don’t enter personal information and please let us know.” 

February 2022 ~ Processing Criminal Offence Data . . . in the 2020s

Investigating fraud being IPFGB’s core function, it is naturally necessary to provide our clients with a good understanding of the identity and background of those who are committing these offences. In order to provide evidence for civil litigation or prosecution in the courts, we are occasionally tasked to establish details of the bad actors’ criminal past. Under certain circumstances, that data which is in the public domain may potentially be legally processed once the data protection impact and legitimate interest assessments [D{IA and LIA] have been properly conducted. A good understanding of the law in this field is, therefore, essential.

Controlling and processing of personal data in general, and special category [sensitive] personal data in particular, is taken very seriously by members of the Association of British Investigators [ABI].

With ill-informed TV programmes only as a guide, a member of the public might be forgiven for having scant knowledge in this regard, but it is unforgivable that we are still approached by law-firms who seem to have no comprehension of DP compliance, or somehow believe that they [and we] are perhaps exempt. Such was the case recently, when a well-established firm blatantly asked us to quote for obtaining “full criminal convictions” of individuals with whom they were in litigation. We declined the opportunity.

Full story on the ABI website here.

January 2022 ~ Putting right a 20-year wrong

2022 marks the twentieth anniversary of the Enterprise Act, when a certain Chancellor of the Exchequer attempted to de-stigmatise bankruptcy. His idea was to encourage ‘risk-takers’ and allow failures to be back in business within a 12-month. Oft as not, of course, those risks were taken with other people’s money and the result was that within two years, personal bankruptcies almost doubled and respectability became a thing of the past.

A study by Kingston University revealed that only 16 per cent had anything to do with business; the vast majority being consumers who had got into trouble with their credit cards or wide-eyed home-improvers who had under-estimated the costs of doing up a mortgaged property; [source The Spectator].

During these 20 years, in conducting fraud investigations, IPFGB has regularly encountered company directors whose business history has been littered with a trail of failed enterprises; many of them having taken advantage of the situation and rooked people, and the taxman, out of millions.

HMG has now announced that rogues who dissolve their companies and avoid paying liabilities to staff, creditors, and the taxpayer, can now be disqualified from being a director. The Insolvency Service has been granted new powers to tackle these unfit directors.

Business Secretary Kwasi Kwarteng said: “We want the UK to be the best place in the world to do business . . . these new powers will curb those rogue directors who seek to avoid paying back their debts, including government loans provided to support businesses and save jobs. Government is committed to tackle those who seek to leave the British taxpayer out of pocket by abusing the covid financial support that has been so vital to businesses.”

If misconduct is found, directors can now face prosecution, be disqualified as a company director for up to 15 years, and be forced to pay compensation to creditors who have lost out due to their fraudulent behaviour.

The banking and finance industry is supporting this legislation which will provide additional deterrents and easier enforcement of the rules.