Engagement with an impersonator

from Women In Security Magazine Issue 12

by source2create

Saman Fatima

NATALIE PEREZ

by Natalie Perez, Senior Internal Auditor - Enabling Functions, Medibank Private Ltd

Narrator: It was 28 December 2021 when I received a Facebook message at 6:24am from my sister’s account.

Sis: Hi Nats! Good morning.

Me: Good morning. Hey, it’s only 3:30am there. Why are you awake this early?

Sis: I woke up early today. Hehehehe. Can I ask a favour?

Me: Yes, what is it?

Sis: Can I borrow some cash for funding? I will return it before the New Year.

Me: Sure. How much do you need?

Sis: P40,000, keri?

Narrator: Keri is a Philippine slang word to ask “if you can do something”.

Me: I can, but I will ask hubby before I take the cash out. Can I ask you what is it for? P40,000 is a large amount. That is around $1200.

Sis: I plan to expand a business. Me: No worries. Okay, I will ask hubby. I just paid our credit card bills.

Sis: Really? If possible, I need it now.

Narrator: I checked the online remittance service that I use to send money overseas. The earliest date that the cash would be credited to my sister’s bank account is 4 January 2022.

Me: Sis, the online remitter can only credit the cash on 4 January. You cannot have the cash earlier than that date.

Sis: Why? I have iPera. Can you not send via iPera? Here is my cellphone number: 091NNNNNNNN.

Narrator: I noticed that the mobile number given to me is not my sister’s usual mobile number.

iPera is a remittance facility of a major telecommunications company in the Philippines. The recipient is notified via SMS that the cash is available for collection from different agencies such as pawnshops, supermarkets or department stores. iPera can also be set up to link to a bank account for fast and seamless crediting of remittances. It is a very popular and well-accepted remittance tool because

it is very convenient, and remittances can come from within and outside the Philippines.

Me: Did you change your mobile number?

Sis: Yes, I did. I am using a prepaid SIM card.

Me: Ah okay. The fastest I can do is to remit via credit card. It will be a cash advance, and I will be charged 22 percent interest.

Sis: That should be fine. Just go for it because I really need the funds now. And don’t worry, I am expecting a large return on investment from this business.

Narrator: That is when I became suspicious. I knew my sister would not let me have a cash advance from my credit card. I decided to engage with the person whom I think was impersonating to be my sister.

Me: Which business are you getting into?

Sis: I am investing in cryptocurrency. I will place P50,000, which will give us a 50 percent or P25,000 return in three days, which is December 31, 2021. I will return your P40,000 on January 1, plus your P20,000 interest. It will be a happy new year in 2022 for both of us.

Me: Sis, be careful with crypto. The industry is unregulated, especially in the Philippines.

Sis: Don’t worry! I know someone who plays Axie Infinity. The cash being invested by him is what he uses to buy his teams, this enables him to fund his scholars for the online gaming platform. I have my bank account details. The Bank name is “X Bank”, and the account number is ‘NNNNNNNNNNNN’. My account name is: Xxxx Xxx.

Narrator: I can confirm that my gut feeling was that the person I was engaging with, was impersonating my sister. The name given is my sister’s alias, which is also her Facebook account name. I know my sister does not use her alias with banks. My sister is a busy person who would not have time to get into online gaming.

Axie Infinity is a token-based online video game which uses Ethereum based crypto currencies. The person pretending to be my sister is advising that they will be investing in crypto currency to someone who funds players on the online gaming platform.

Me: I need the bank address so I can send you P40,000.

Sis: Wait. I will give you a bank address: NN XXXXX Street, XXXXXX City, Zip Code NNNN. You got everything you need to send the money, okay?

Me: Thanks, but please wait! Let me ask hubby. We are just having dinner.

Sis: Nice, enjoy your dinner. If I were you, just go and send the money! You don’t always need to ask your husband for permission. He doesn’t have to know everything you do.

Narrator: Our FB messaging initially ended at 7:33am in Melbourne. It was 4:33am in Manila.

On another messaging platform, I alerted my family that I suspected my sister’s Facebook account had been hacked and someone else was impersonating her. My sister confirmed she had never asked for money. She was asleep between 3:30 to 4:30am Manila time (6:30 to 7:30am in Melbourne), which was when I was exchanging messages with her

Facebook account. She was worried that the hacker/ impersonator might have contacted someone else.

My sister checked her Facebook Messenger for the history of messages in her account. She could not find the exchange of messages we had from the screenshots I shared. She checked the messages with our family members, and there were no messages of her asking for money. She also checked if there were messages to her Facebook friends whom she hardly contacts, and there were no messages sent from her account.

Two hours later, I got a follow up message from the impersonator using my sister’s Facebook account:

Sis: Have you asked your husband? Have you sent the money? I really need it. Axie has a cut-off in 30 minutes. I need the cash ASAP. I will not bother you again when I receive the P40,000 because I get notified by text as soon as you send it.

Narrator: My sister changed her account name and password on Facebook. I did not receive further messages from the person impersonating my sister.

Five people have reached out to my sister to check on how she was going and if she received the money they had sent via iPera. They were dismayed and heartbroken when my sister told them that someone had hacked into her Facebook account and it was not her who was asking for money.

We could not find the messages from my sister’s Facebook account that were sent to the five people who remitted money to the person impersonating my sister. The five people captured and sent screenshots of the messages with the impersonator from their Facebook accounts. They asked my sister how they could get their money back. My sister had no answer for them but advised them to call their banks and tell them not to release the funds sent.

The impersonator’s iPera account and mobile number were linked to his bank account therefore, the remittances were automatically credited. From the five people who reached out to my sister, it was a total of P150,000 (around $A3500) that was remitted into the impersonator’s bank account.

In the Philippines, complaints of online scammers, impersonators or hackers are reported to a local government agency called National Bureau of Investigation (NBI). With COVID-19 and lockdowns many people have become vulnerable to online scammers and impersonators, and the process to report scams and hackers has been complicated.

I investigated the bank account given to me. It was a valid online banking account. Because of lockdowns many banks introduced online banking products, accepted account applications online and opened new accounts after personal details were entered. The bank’s marketing pitch was that the banking product is virtual, easy and seamless to open, even in a pandemic lockdown. I did walk through the process of opening an online bank account, and I learned that it did not require me to provide evidence to verify my identity and address.

I rang the bank’s cyber customer care to report the bank account details the impersonator had used to scam my sister’s friends via Facebook. The cyber customer care person advised that I should call NBI and report the incident. The bank could do nothing further to investigate the account because of the Philippines’ Bank Secrecy Act.

I have three questions from this scenario:

• Whilst we love automation with the speed and convenience it features, how can we ensure it is ethically implemented and protects our customers? • How can we make legislation not become a roadblock against countering threats that were unknown or unheard of at the time the legislation was written? • How can we make it easy for ordinary people to report or complain when they become victims of scammers or impersonators?

www.linkedin.com/in/natalie-hingco-perez-74298436