As Internet Crime Grows, Victims Have Few Options
A DBS Bank branch in Hong Kong. (Source: Google Maps)
In September, Sergio Narvaez, a physician in Manhattan, sought out a high-interest certificate of deposit and found one on a website. That’s where the trouble started.
Narvaez found an Iowa-based bank called VisionBank that was offering market-leading rates. The simple website had a phone number, which he called. He spoke to someone named Paul R. Smiley, a senior account executive with Vision Banking Group.
“He had no foreign accent,” Narvaez says. “He had a complete American accent. He sounded like somebody that you would picture was sitting at a desk in a bank in the Midwest, honestly.”
He invested $200,000, sending two $100,000 wire transfers from his Chase account on Sept. 16 and Sept. 17. Chase called him after he initiated the first wire transfer to double check that’s in fact what he really wanted to do.
The money moved from New York to an ING account in Poland and from there to a DBS Bank branch on Hong Kong. The bogus VisionBank website, which spoofed a real bank’s site, went offline. The money has disappeared.
Since then, Narvaez and I have been trying to figure out who is behind the scam and locate his money. His case illustrates the legal complexities in investigating cross-border internet crime, privacy laws that ironically favor cybercriminals and one core problem: There’s so much internet crime, law enforcement can’t address all of it.
Last year, the FBI’s Internet Crime Complaint Center recorded more than 350,000 complaints worldwide, comprising reported losses of $2.7 billion, nearly double the amount in 2017. Still, the losses are likely only a small slice of the true scale of internet crime because the IC3 reports are voluntarily filed by victims.
Four Complaints Filed
Narvaez has filed complaints with four law enforcement agencies in three countries.
The physician filed a report with the IC3, but filing a report doesn’t necessarily trigger an investigation. The agency is a clearinghouse for fraud complaints, which are then forwarded to relevant agencies. The FBI did not respond to my query about Narvaez’s incident.
He also filed a report with the New York City Police Department’s 24th Precinct in Manhattan, which recorded a complaint of grand larceny by deception. But Narvaez says a detective told him the fraud was beyond their reach because the money went overseas. So he filed a report with Lithuania’s national police as well as with the Hong Kong Police Force.
The NYPD report filed by Narvaez
Unfortunately, it doesn’t appear any agency is investigating. That’s not surprising, says Alana Maurushat, a professor of cybersecurity and behavior at Western Sydney University. “If it involves a jurisdiction outside their own, they tend to do nothing about it,” she says.
Maurushat says the exceptions are the FBI and the U.K.’s Metropolitan Police, which will take on complex cases with international angles. But Narvaez’s case illustrates how it’s difficult for even high-dollar internet crime victims get the attention of law enforcement.
Many victims take large fraud investigations to private investigation firms, Maurushat says. She’s a director at one such company, IFW Global, based in Sydney, which specializes in asset recovery, including from business email compromise and other types of internet-based fraud. Many other consulting firms offer similar services.
From the US to Poland to Hong Kong
Over the years, I’ve written many stories about fraud cases and scams, which has lead to a steady stream of emails from internet crime victims. Most of the losses are in the range of a few hundred dollars, but Narvaez’ experience stood out: No one had ever contacted me with such an astounding loss. I said I’d look into it.
The wire transfer instructions show that Narvaez’ money went to the ING account in Poland that belonged to Paysera, which is a legitimate Lithuanian payments provider.
To its credit, Paysera was helpful. Mantas Ambrazevičius, who is head of Paysera’s anti-money laundering and due diligence department, says as the result of being alerted by me, the company suspended the account of its business client who received Narvaez’s money.
By the time it was alerted, however, the money was already out of Paysera’s account, Ambrazevičius says. It was transferred the same day it arrived in the Paysera account to a DBS Bank branch in Hong Kong.
Narvaez has filed a complaint with the Hong Kong Police Force.
Typically, there’s only a short period in which wire transfers can be blocked or reversed. When that period expires, there’s not a lot of recourse.
“You need to be in a position where you can act on it immediately,” Maurushat says. “And if you don’t, you’re going to lose the money.”
Ambrazevičius says he can’t reveal the business client’s name because of the General Data Protection Regulation, which is Europe’s strict privacy law. But Paysera warned DBS about the client and asked it to return the money if possible.
DBS Bank told Narvaez on Dec. 2 that the account that received his money was closed last month. The bank didn’t provide more information on where the money went from there.
“We have also alerted the HK [Hong Kong] authorities accordingly,” Elvin Lim, senior vice president of financial crime and security services at DBS, wrote in an email to Narvaez. “Unfortunately due to banking secrecy, we are not able to reveal further information. If you would like to pursue further recourse, you can do so through an international legal assistance channel, by lodging a report with your relevant country authority.”
Although Narvaez has filed the complaints that DBS Bank suggests, it doesn’t mean law enforcement is going to take the case. The odds have long been in favor of internet fraudsters due to complexity in international law.
Law enforcement agencies in different countries often exchange information in accordance with a Mutual Legal Assistance Treaty that has been signed between two nations. A MLAT lays out the protocols for requesting electronic data, querying witnesses, forfeiting assets, collecting evidence and much more. The U.S., for example, has an MLAT with Hong Kong.
But the MLAT process can’t keep up with the pace of internet crime and the speed at which money and data can be flicked around the world.
“This [MLAT] process often takes months, and it’s widely accepted that the MLAT structure is opaque and under too much stress due to the volume of requests,” writes Dan Jerker B. Svantesson, a professor in the Faculty of Law at Bond University in Brisbane, in The Conversation.
The U.S. has sought to make exchanging data easier. In March 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act, also known as the Cloud Act.
The act allows a communications service provider in one country to directly respond to a lawful order from another country. But that exchange can only take place if the two countries have signed an agreement ensuring that both countries have commensurate due process procedures and judicial oversight. In October, the U.S. reached a Cloud Act agreement with the U.K.
For internet crime victims like Narvaez, the Cloud Act could mean more enthusiasm by law enforcement to take on cases, knowing they could get the data. But it’s early days for the Cloud Act.
SEC: Beware of Fake CDs
Just weeks after Narvaez was defrauded, the U.S. Securities and Exchange Commission warned on Oct. 23 of spoofed banking websites offering fake certificates of deposit.
The SEC’s Office of Investor Education and Advocacy says these websites often have warning signs, such as minimum deposits of $200,000, promotion of only CD products, bogus clearing partners and wire transfers instructions to institutions outside the U.S.
The fake VisionBank website ticked most of those. Narvaez acknowledges he should have seen the warning signs and that the fault remains his.
The real VisionBank in Iowa had been aware of the scam. Narvaez eventually contacted the bank, which confirmed that its brand had been targeted. The page for its CD offerings now carries a warning.
VisionBank of Iowa warns CD shoppers of bogus banking brands impersonating it. (Source: VisionBank)
There are indications that the criminal group that ran the fake VisionBank site has launched many others. Some of the sites shared the same boilerplate text for the abnormally high CD rates and as well as other similarities.
I called a number on a suspicious website, southcaliforniabt[dot]com (Note: Web Archive link, safe to click), that appeared to be run by the same criminal group. Although the bank was purportedly based California, the call rang to a call center in Margate, Florida.
I was told that the bank was closed at 4 p.m. even though the call center employee had just told me the bank closed at 5:30 p.m.. This strange chat occurred after Paysera suspended the account of their unnamed client, so it’s possible the group suddenly had trouble getting money out of the U.S.
Inquiries around domain name registrations only go so far these days because much of the data in the whois database is either private or fake. Even fake information, however, can result in new leads. I had no luck. Most of the domain name information was private.
Still, some patterns emerged. Some of the dodgy bank domain names were bought from Reg.ru, the large Russian hosting and domain registration company. It seems extremely unlikely any U.S. financial institution would buy a domain name from Reg.ru. Plus, the registration dates were far too recent. Southcaliforniabt[dot]com, for example, was registered through Reg.ru on Oct. 4.
The whois data for southcaliforniabt[dot].com.
There also was another tenuous Russia link that emerged. Southcaliforniabt[dot].com had reused a Google Maps API key. Google Maps is a product for business and metered based on usage. Anyone can pluck a Maps API key out of a website’s HTML web coding. To prevent that, controls can be set to limit calls only from certain HTTP referrers or IP addresses.
The Maps API key for southcalifornia[dot]com was shared across more than 2,300 other domains, according to PublicWWW, which indexes the code of websites across the internet. Many are Russian language or have country TLDs of .ru.
This finding doesn’t mean much because it’s possible whomever controlled the Maps API key forgot to set the security configuration, which then resulted in many other websites trying to scrimp free API calls.
Threads to Pull
This was all unsubstantiated suspicion of something shady, for sure. But there were also U.S. tangents that U.S. law enforcement could pursue.
For example, some of the fake banking websites were hosted on Wix.com, a San Francisco hosting and web design company. Wix.com didn’t answer my inquiries about who paid for those sites.
There are strict privacy rules around domain name registrations, so I didn’t expect to get much. As a journalist, I can ask for information, but it’s entirely up to an entity whether it wants to share. But law enforcement agencies could serve binding legal requests to service providers that compel an entity to turn over the data.
With Narvaez’s case, there are plenty of threads to investigate even within the U.S., such as Wix.com and the call center in Florida. Who paid or contracted for those services? Where are they based? Could there be U.S-based cybercriminals involved?
The answers to those questions could shed light on a group that has likely defrauded many more people in the U.S. than just Narvaez – that is, if anyone wants to ask the questions.