December 2023 ~ Phishing scam hits taxpayers
In a classic example of failure to educate staff about the dangers of fraud, West Suffolk Council has admitted to having been conned to the tune of £50k-plus. In a simple “mandate fraud”, where the clerk fell victim to fraudulent emails purporting to be from a supplier, a series of pay-outs were underway before the scam was spotted. Taxpayers may now be footing the bill, the equivalent of a 0.5% rise in council tax.
Alarm bells should automatically ring when an invoice arrives with notification of change of bank details. How long does it take to contact the supplier in order to verify the change?
In an after-the-horse-has-bolted measure, Councillor Diane Hind revealed that a supply-company’s security had been breached, and the council was now “strengthening and re-enforcing” their own practices. She called for more action nationally on fraud.
Now, where have we heard that before?
November 2023 ~ “Epic scale” Chinese espionage’s added risk to PIs
In a rare public appearance, Ken McCallum, Director General of MI5, has revealed that more than 20,000 people in the UK have now been covertly approached online by Chinese spies. This continued illegal activity provides even more reason than ever for the private investigation industry to apply KYC protocols to every new potential client.
In an unprecedented joint public appearance, the security chiefs of the Five Eyes alliance [US, UK, Australia, Canada, and New Zealand] warned western businesses of the real risk of having their innovative commercial secrets illicitly obtained by China. Standing in the heart of California’s Silicon Valley, Stanford University was a natural choice of venue for this first public meeting, and it was here that McCallum told the BBC, “We have seen a sustained campaign on a pretty epic scale.”
There have been plenty of examples of “false flag” investigations being instructed by Chinese officials under quite plausible guises. We all wait to see what happens to the veteran New York PI Mike McMahon, who must dearly wish he had conducted more positive due diligence on his ‘translation service’ clients who turned out to be undercover Chinese intelligence officers. He was convicted of stalking in June and is among five defendants who are surely looking at lengthy prison sentences.
MI5 warns that it has recently documented cases of Chinese companies nefariously trying to gain access to sensitive technology developed by UK companies and universities, actively avoiding the required regulatory controls. Targeting British citizens of Chinese origin, with vulnerable relatives back in China, is a classic method employed by the Chinese Ministry of State Security applying pressure on such individuals to spy for them. Often, they employ third parties to make the initial [seemingly innocent] approach, perhaps disguised as a head-hunting exercise for a lucrative post. These bogus job-offers through LinkedIn are also the favoured method of the MSS to help track down dissident Chinese; again it is not unknown for third party recruiters or PIs to be used as the first port of call.
Having ourselves once received an instruction, and immediately recognised it as ‘false flag’ Chinese, IPFGB continues to carefully check the authenticity of its clients.
October 2023 ~ Mr/Ms Jobsworth make victims’ lives impossible!
It has been reported [BBC News] that a small Norwich building firm was threatened by debt collectors over a £10,000 unpaid bill; the result of fraudsters taking out four mobile phone contracts under the company’s name. It is not so much that phone companies and the like are so keen to capture business that they make it easy for impersonation at the signing up stage, it is the total obstruction which occurs when the victim tries to put the matter straight. The “data protection rights” of the scammer seem to be all that big-business staff consider.
In this case, O2 has eventually closed down the fraudulent account and cancelled the debt. But getting to that stage was a nightmare. Every time the company tried to communicate with O2’s customer services team over the phone, they were unable to pass the security steps. Only the fraudster knew the passwords.
And that is precisely the problem which victims face. How much of a delay did a series of ‘Jobsworths’ create in refusing to engage with the victim, during which time the scammer no doubt racked up further gains and reduced the possibility of detection?
According to the National Crime Agency, £2.46bn was lost by businesses and individuals to fraud in 2021/22.
September 2023 ~ CoHo scandal continues apace!
“The fact that the information has been placed on the public record should not be taken to indicate that Companies House has verified or validated it in any way.”
Astonishingly, this is the rider which continues to provide Companies House with the excuse to blindly persevere with their policy of accepting company fees to register totally bogus companies, despite clear evidence that failing to check data is simply facilitating international fraud.
For three years now, a prestigious sounding address in the northwest of England has been used to register in excess of 40,000 companies, rising still at the rate of a score or more each week. In every case, the sole appointee purports to be a Pakistani, usually in his twenties, providing only the registered address here in the UK as means of contact; [hence remaining completely untraceable]. Mostly, these companies exist for a year or so, before being struck off for failing to submit legal documentation [and further fees] to Companies House.
So, what’s the problem? Although the postcode is live, the street number simply does not exist. The address is fake!
This sham address is now so prevalent that it even fools Google Earth.
Staff at those bona fide companies who occupy offices at the same postcode, together with the local postie, are all aware that some form of scam has been going on for years. Only last month, a young lady was in tears in an office foyer, trying to track down the company which had tricked her out of more than £9,000.
So, what is there to gain from registering these shell companies? What is plain is that they give a form of credibility to the fraudsters who set up websites to scam individuals and commercial concerns out of thousands of pounds, dollars, or whatever. A “presence” at the address is unnecessary. Indeed, our investigation at IPFGB was instigated on behalf of an overseas client, who had been defrauded of a substantial sum by one of these shell companies at the address. The results of our investigation concluded that the perpetrators of the fraud were likely in Pakistan and had never set foot in the UK. With law enforcement here undoubtedly having no interest in an overseas criminal committing an internet crime against an overseas victim, the client pragmatically dropped the matter. That has not inhibited us from trying to bring the matter to the attention of the local force; so far without positive response.
Companies House also complains on its website that it does not have “the statutory power or capability to verify the accuracy of the information that companies send to us”. Capability? What utter nonsense! Do they not employ anyone with the nous to look up the Royal Mail postcode checker to discover the street number does not exist?
The National Crime Agency has lamented that fraudsters have for years abused UK company structures. Reforms under the long-awaited Economic Crime and Corporate Transparency Bill may one day grant Companies House the “statutory power” which it currently lacks. Cynics amongst us might consider the agency is not shouting too loudly; for more work and certainly fewer applications/fees would be the immediate effect. But at least fraud victims would be just a little safer, and the scammers not gifted such a useful tool to keep in their swag-bags!
[Article repeated on the Association of British Investigators website]
August 2023 ~ USA in bold move against cybercrime
For many years in the UK, the major stumbling block in provoking law enforcement into action, particularly in relation to fraud, occurs in that initial engagement. It matters not that a serious financial crime may have already been investigated by a competent private outfit, and presented as a ready-solved and evidentially sound investigation. As investigators or even simple members of the public, we have all hit that invisible brick wall. And the reason for the inertia is inevitably budgetary.
In the States, the Computer Crime and Intellectual Property Section [CCIPS] has been around for more than a quarter of a century and has been an effective weapon there against cyber threats, such as ransomware, botnets, and malware. The Section has traditionally been the go-to authority when American businesses are hit by hackers demanding ransom, helping companies to decrypt their processes without acceding to the crooks.
The National Cryptocurrency Enforcement Team [NCET] is a much younger setup. It was formed in 2021, subsequent to the collapse of the crypto-exchange FTX; designed to confront both terrorists and criminals moving funds. It helped bring Hong Kong-based Bitzlato to book, and assisted in the global investigation of Binance.
Now, following a White House inspired initiative to restructure the national cybersecurity strategy, the Criminal Division of the Department of Justice has announced the merger of NCET with CCIPS. [Source Wall Street Journal.] The strategy requires cooperation between various facets of federal government. The idea here is to create a single, highly skilled, and experienced alliance, to combat cybercrime and the use of cryptocurrency for illicit purposes.
The DoJ has recognised that cyber criminals consistently use cryptocurrency, and having an enforcement team under the same roof as the investigators, equipped with the tools to follow the money trail, should be comforting news to law-abiding commerce in general. The importance of private cryptocurrency investigation services cannot be overemphasised, but in reality, law enforcement has the authority to go that step further.
Back to the UK, and because cybercrime, like most fraud, usually crosses borders, [whether geographical or skillset], the specific agency or police unit to whom that referral is made is immediately reluctant to commit; fearing that what may start as the simple wrap-up of a reported crime could rapidly expand, requiring officers to engage with other forces/agencies. And that can regularly end up solving other people’s crime, without them having to contribute to the cost. That’s a great result for the public, but could be a devastating financial blow for the force/unit. Consequently, in most cases, the referral is declined, ignored, or lost.
The answer is to revisit the way that UK law enforcement is financed. The mindset and skill of our officers may be present, but the necessary funding to do the job is sitting in too many different piggybanks. Also published: ABI News
July 2023 ~ False flag instructions
IPFGB director, Dick Smith, is a past President of the Association of British Investigators. His article, published today on the ABI website, offers advice to fellow investigators and again stresses the need for them to check the authenticity of their clients.
He refers to the case in New York where an experienced PI was duped into carrying out an investigation of a former Chinese citizen, believing his client was simply a local translation company. The instructions, however, ultimately came from a PRC police officer and a Wuhan prosecutor, operating illegally in the US. Last month, the PI and these two Chinese government officials were convicted of conspiracy to commit interstate stalking and now face the possibility of five years in the slammer.
As the PRC ramps up its global activities against its critics, only this week Hong Kong authorities issued arrest warrants and bounties for eight activists who were involved in the 2019 pro-democracy demonstrations in the former UK territory; one of whom has been granted political asylum here. The potential exists, therefore, for UK PIs to be similarly deceived into tracing and tracking dissidents. Investigators must ensure they carry out due diligence in respect of their clients and examine their ‘legitimate interest’ thoroughly.
July 2023 ~ ABI Code of Conduct soon?
Considering the oft-justified negative publicity the investigation industry has received in the past twenty years, both the commercial world and the wider public are surely cognisant of the fact that unaccountable rogues continue to plague the sector. Yet the dismal absence of initiative by successive governments since 2001, in evading the implementation of the Private Security Industry Act passed that year, has permitted absolutely anyone to continue to operate as a “private investigator” and remain outside any form of regulatory regime.
Hence, the eagerly awaited Code of Conduct [under Article 40 of the UK GDPR] developed by the Association of British Investigators, will benefit the entire sector, or at least those PIs operating within the law of the land!
The Code, which will ensure professionalism, ethics, and accountability become the norm, may at last be in the final stages of acceptance by the Information Commissioner’s Office. Indeed, when introduced, this voluntary regulatory structure, when guided by market forces, should benefit not only the honest side of the industry, but more importantly, their clients. The Code, in which the ABI has invested deeply, will require public awareness, and it will no doubt be looking to the ICO to guarantee that occurs. The process will also need, above all, a positive reaction from the legal profession, ensuring only those investigators signed up to the Code, and subjecting themselves to annual testing, are engaged to conduct their business.
June 2023 ~ Police admit to being “way out of our comfort zone”
In the five minutes it will take to read this article, well over £10,000 will have been stolen in the UK by way of fraud. Yet Law Enforcement remains “under-resourced and under-educated about the potency and scale of online fraud,” a view held by David Hamilton, who has just retired as chair of the Scottish Police Federation. When it comes to tackling cybercrime, says Hamilton, police officers across the country are still “way out of their comfort zone.”
Attacking from another direction, David Postings, head of UK Finance, the banking industry body, quotes, “Social media companies profit from scams on their platforms.” As such, he advocates they should help reimburse those victims of online fraud; a view shared last month by TSB, who additionally demanded that phone companies take more responsibility for their users’ safety.
A new UK Finance report calculates UK’s 2022 fraud figure at £1.2bn. Headlined is the statistic that 78% of ‘authorised push payment’ scams, [the victim is tricked into approving a transaction], emanate from online contact, with about three-quarters of them beginning on social media.
The Online Safety Bill, currently going through Parliament, will require tech and social media platforms to remove scam adverts. However, rules on reimbursement by social media companies were sadly lacking in the government’s ‘Fraud Strategy’, published recently.
At present, it is solely banks which consider any form of refunding. “But is reimbursement the answer?” says Dick Smith, director with IPFGB, whose core business is to investigate commercial fraud. “After all, it is we the public who foot the bill in one way or another! Surely, it makes more sense to stop the frauds, either by better education of potential victims, or by proper investigation and neutralisation of the fraudsters.”
The UK Finance report also revealed [as expected], that lost and stolen bank and credit card fraud soared last year following the increase of the contactless spending limit to £100; for the first time exceeding £100m.
But with fraud having for some years been the most common criminal offence in the UK, police forces are still struggling to address cybercrime. And for the victims, the outcome is devastating. A woman from North Lanarkshire told STV News she’d been forced to sell her house, having been scammed in a bogus cryptocurrency investment scheme advertised on Facebook. She’d been pressed into taking out further loans to invest in the con, which ultimately left her £150,000 in debt.
Despite repeated warnings from the private sector, the authorities have been too slow to take significant action to combat what has become “everyone’s problem but no-one’s priority,” as described by the House of Commons’ Public Accounts Committee, and previously reported in this column in March.
The Committee reported that the “volume and complexity of fraud currently overwhelms the capacity of both Action Fraud and local police forces.” Indeed, only 1% of police personnel is actually assigned to online fraud investigations and those officers lack training and resources to investigate. Case officers are left overstretched, despondent, and burned out.
A former member of Dorset Police’s Cybercrime Team & Digital Forensics Unit supports this theory. Jake Moore worked with Action Fraud during his service and admits it was incapable of processing the number of fraud reports, let alone investigating more than a fraction. He confessed that each month he would cherry-pick one or two out of 300; leading to frustration for the police as well as the victim!
Experienced cops like Moore and Hamilton agree on one thing . . . a lack of funding resulting in an inability to keep pace with the rapidly changing pace of cybercrime.
The Home Office has promised a “fundamental shift” in the government’s approach to cybercrime. This will include a £30m investment in a reporting system to replace the fundamentally discredited Action Fraud.
“Properly accepting a record of the crime was one area in which Action Fraud failed in spectacular fashion,” concluded Dick Smith. “But simply recording it is not the answer. For far too long, this ineffective, constricted outfit steadfastly refused to accept professionally investigated referrals; cases which presented properly gathered evidence leading to identified Bad Actors. The new body will not be worth a jot unless it has the ability to recognise those reports which include strong evidence which can lead to prosecutions with high potential of success. Furthermore, then to disseminate to trained, competent investigation units within the police.
“£30 million is a tidy sum,” he added. “But with the cost of fraud in the UK estimated at £2,300 per minute [UK Finance], that £30m investment equates to less than a week’s worth of losses!”
May 2023 ~ Companies House slapdash record-keeping
One has to wonder at the quality of staff employed at CoHo for the mundane task of data input; particularly in respect of new company applications. In our efforts to investigate organised crime, every day we search companies and individuals, and consistently find clear evidence of multiple entries for the same person. How can both the public and the commercial world be expected to conduct due diligence when records are maintained in such a relaxed manner?
Privacy considerations have undeniably eroded the basic need to prove the bona fides of an applicant, with fewer and fewer identifying features being necessary to record. The result is that staff undoubtedly abandon efforts to establish identity and routinely raise a new file on the flimsy credentials supplied. Consequently, it is not unusual to [eventually] find as many as five or six entries for the same individual. How can that possibly be efficient?
Last October, we reported National Crime Agency lamentations that fraudsters had for years abused UK company structures and welcomed the promise of reforms under the long-awaited Economic Crime and Corporate Transparency Bill. Two months later, as a Commons Committee listened to how CoHo continued to facilitate fraud, MPs learned that “Less verification [was] needed for someone to set up a fraudulent shell firm than to borrow a library book!” The Bill is currently languishing at the Committee stage in the Lords.
So, is CoHo merely waiting for the new Act to be enforced before it starts to get its own ‘act’ together? It certainly appears to be the case because evidence shows that the slapdash data inputting continues apace . . . the issue being debated at an Association of British Investigators seminar in Warrington last month.
April 2023 ~ Been the victim of fraud? Blame someone else!
Following on from last month’s blog, one of the ‘key recommendations’ recently made by the House of Lords Fraud Act 2006 and Digital Fraud Committee may be worth exploring more closely. Anywhere Government sees an opportunity to make a buck out of the commercial world seems to be par for the course.
Having been shocked to discover what 41% of crime victims in England & Wales already knew . . . that there are fraudsters out there . . . this ermine-clad committee blamed digital technology companies for providing new opportunities for criminals, and failing to do enough to prevent exploitation. They recommended that those tech companies should also be held accountable when people fell for scam advertising on their online platforms.
They acknowledged that law enforcement was disjointed and ineffective, and released the disarming statement that “just 1% of law enforcement is focussed on tackling economic crime.” However, instead of suggesting that pitiful statistic should be robustly addressed, they called for the introduction of a new corporate criminal offence of “failure to prevent fraud, applicable across all sectors, accompanied by significant financial penalties.”
Occupying the chair, Baroness Morgan of Cotes admitted that fraud prevention and detection was under-resourced, under-prioritised, and its impact widely under-estimated. “If this were any other type of crime, we would deal with it swiftly and the perpetrators would be brought to justice,” she said.
Was it the brief for this committee to look solely at members of the public who are preyed on? It was notable that nowhere in the report was there any solace for corporations who are defrauded. Either way, when commercial or individual victims report fraud, they are inevitably rejected by those “under-funded and ineffective” police. They may then turn to the private investigation industry to gather the required evidence and track down the criminals. Yet even when a bona fide case with an achievable result is presented to Action Fraud, after the prescribed 28 days the referral is met with an automatic proforma letter announcing, “insufficient evidence to investigate”. If I had binned a crime file as a police officer, I would have been disciplined. Nowadays, it appears to be standard procedure!
Methinks this committee missed an opportunity to shake government into addressing once and for all its pathetic response to the fastest growing crime so far this century. Or was the whole purpose to mastermind a lucrative scheme whereby it could shift the blame and perpetrate a sting on the techies?
March 2023 ~ There are two concurrent police scandals!
Every day we hear about police scandals, and the current role of the press seems to be to attack at every opportunity. With [hopefully] a tiny but shameful minority of the current crop of coppers being unmasked as sex offenders, domestic-abusers, or belonging to organised crime families, it is probably right that media pressure continues until they are rooted out. We should all be aware that for some years now the ‘civilian’ element of a police force has controlled administration, and with recruitment being an industry in itself, the hacks might want to ask how these misfits got there in the first place. We must also remember that the police ultimately reflects the society it is there to protect . . . or is supposed to!
Because what is similarly a scandal, but appears to evade the attention of the hacks, is that not too many years ago, crime in the UK was robustly tackled by the police in a structured and targeted manner. Yet, going mostly unreported at the end of last year were the findings of a Lords Committee which confirmed the fears of most, that the UK had “retreated from the fight against crime.” Fraud now accounts for 41% of all crime, the report read. Furthermore, anyone in England and Wales aged 16 or over is more likely to be a victim of fraud than any other individual crime type. Whereas the Committee concluded that digital technology companies were not doing enough to prevent the exploitation of their services, the under-resourcing of law enforcement meant that criminals were rarely caught.
The existence of so many departments, agencies, and ministers with responsibility for tackling fraud had led to inefficient policymaking and a lack of accountability in government. They urged the Government to establish a single cabinet subcommittee with a clear mandate to tackle fraud, chaired by and accountable to the Security Minister.
So, considering that 41% of crime is fraud-related, might the media consider as a headline this frightening statistic which also emerged from the report . . .
1% of law enforcement in England & Wales currently focuses on economic crime!
February 2023 ~ Know Your Customer . . . or else!
International work is all very appealing, but just because an overseas client is requiring maybe a trace, or due diligence on a UK-based citizen, does not mean they are entitled to that data. In an article on the Association of British Investigators website, Dick Smith has provided some valuable advice to newcomers to the investigation industry; once more emphasising the legal requirement to apply the ‘legitimate interest’ test for each case-type instruction.
Drawing attention to an out-of-the-blue request which came in last year from a seemingly bona fide Chinese company using a UK-based representative, IPFGB was asked to trace and obtain background on a Chinese national, resident somewhere in the UK. The enquiry was wrapped up in the guise of a head-hunting exercise in relation to a job offer. But did we really know our customer? This was clearly a disguised approach from the Chinese Ministry of State Security [MSS] and in testing the ‘legitimate interest’, our germane questioning of the client resulted in the enquiry evaporating as quickly as it had arrived.
Getting it wrong can have dire consequences. Mike McMahon was an NYPD sergeant with 75 career awards. A married man with three children, he quit the police following serious injury and switched to private investigation; becoming an approved government investigator [CJA], working on high profile cases. Amongst his private clients, however, was a New York based translation company for whom he was conducting typical PI business, including surveillance, background checks, and asset searches. But did he know that his client was connected to a criminal enterprise involving the Chinese Communist Party? Either way, in October 2021, he was locked up by the FBI with half-million dollar bail being posted, and now faces a range of charges, including interstate stalking and conspiracy. Additionally, he is the first US PI ever to be charged with failure to register as a foreign agent [FARA]; an offence usually reserved for errant lobbyists and marketing entities.
Eight other people have been indicted, the allegation being that US residents of Chinese origin were stalked and harassed in an effort to get one of them to return to face an alleged bribery charge; his family being threatened with harm were he to refuse. It is claimed that a Chinese police officer and a Chinese prosecutor travelled to the US to direct the operation, and enlisted the help of the co-conspirators.
The activities of Chinese ‘law enforcement’ abroad have been well publicised over the past two years; highlighting further reasons why the investigation industry should be extra-cautious. Indeed, the Chinese government continues to build an unofficial global enforcement infrastructure carrying out “malign influence” operations. Western officials see the outposts as key to the PRC’s effort to monitor Chinese nationals overseas, including dissidents. The recent violent and shocking incident in Manchester, where UK-based Hong Kong pro-democracy activists were attacked by members of the PRC consulate general, demonstrated the current shameless attitude of Beijing to the rest of the world.
In the US, these police outposts are located across the country in Chinese community organisation facilities, commercial offices, and even restaurants; the spaces being described by the PRC embassy in Washington as, “provided by local overseas Chinese communities who would like to be helpful.” But don’t think this activity is limited to the US.
In Europe, evidence of Chinese police clandestine activity in the Netherlands and Hungary has emerged in recent months. In the UK, following the Manchester outrage, the House of Commons was informed by the chair of the Foreign Affairs Committee that this “network of secret Chinese police stations” was being used by Beijing to hunt down dissidents. These under-cover establishments were masquerading as ordinary-looking administrative centres for Chinese nationals in Hendon, Croydon, and Glasgow. Concerns for the safety of Hong Kong students were raised by the chair of Parliament’s Intelligence and Security Committee, and Shadow Home Office minister, Holly Lynch, said: “The recent unacceptable conduct we witnessed outside the Chinese consulate in Manchester makes clear we have to act to safeguard those in the UK from increasingly belligerent measures being undertaken by those acting on behalf of the Chinese state.”
Potential clients please note . . . we will check you out!
January 2023 ~ New Year’s resolutions?
Anticipated 2022 figures for commercial fraud in the UK show no sign of abatement; costs to business continuing to reach eye-watering sums. So, how can companies protect themselves against scammers in 2023? Improving cybersecurity to counter bots impersonating humans, and meeting multiple compliance mandates, remain the safest ways to stay ahead of the game.
Letting customers and suppliers know you are keeping efficiencies on track, and introducing or maintaining measures to reduce monetary loss, can actually enhance customer and brand reputation. Those customers and suppliers would rather trade with a company which demonstrates the highest levels of IT cybersecurity, and meets strict compliance guidelines, particularly in managing data.
Of course, a chain is only as strong as its weakest link and, invariably, that weakness is human. No doubt, at IPFGB, in 2023 we will again investigate cases where staff, either accidentally or deliberately, have compromised a company’s processes. Perhaps it’s also time to review staff training, and strengthen those employment contracts.