How cyberfraudsters fleeced JMMB of $50m

An “organised” band of criminals who stole nearly $50 million from an account at JMMB gained access to sensitive personal data through a cyber scheme, law-enforcement authorities have charged.

“We can confirm that there is an act of fraud that is currently under investigation. Due to the sensitive nature of the investigations, we will not publicly comment on the details.” a JMMB spokesperson told The Gleaner Tuesday evening.

“However, please be advised that appropriate steps have been taken, and additional steps will be taken, to protect our organisation against acts of fraud.”

Sources say it is too early to determine if the accused robbers had inside help.

Forty unauthorised wire transfers amounting to $46 million were made from the account between February 15 and 22 this year, said the Financial Investigations Division (FID), citing a statement made by the account holder.

The account was reportedly emptied over a 10-day period.

The cash was disbursed to accounts operated by more than 30 people mainly from communities in southern St Andrew in amounts ranging from $950,000 to $5 million, FID said in a public statement late on Tuesday.

The mastermind has not yet been identified, according to sources.

“It is not yet known who ultimately got the money. These are persons who allowed their accounts to be used and withdrew the funds and either made use of it or gave it to the mastermind,” said the source.

Five men who allegedly received cash transfers were apprehended on Tuesday in a series of coordinated operations by the FID and the police Counter-Terrorism and Organised Crime division.

Among those arrested is a 21-year-old BPO employee who the FID said is being held on reasonable suspicion of breaches of the so-called lottery scam law.

The agency claims that he was “providing shelter and privileged client information” to one of his co-accused.

The others are two unemployed men, ages 22 and 23, both of Penwood Crescent addresses; a 25-year-old man who is employed as a warehouse supervisor and resides on Waltham Avenue; and two unemployed women, aged 48 and 28, both of Caladium Crescent.

Their names are being withheld pending charges, which could come after a question-and-answer session with investigators set for today.

Since the outbreak of the deadly coronavirus disease, Jamaican financial institutions, like their counterparts globally, have seen an increase in cyberattacks, both against customers and individual entities, said Septimus ‘Bob’ Blake, president of the Jamaica Bankers Association.

“And, as you move to digital, the attacks increase exponentially and financial institutions are among the most targeted right across the world,” said Blake.

Dane Nicholson, manager for special investigations at National Commercial Bank (NCB), explained that the increase is not necessarily in the number of cyberattack cases, but in the methods employed by criminals.

The $50-million theft reportedly came to light after the holder of the account visited the financial institution to conduct a transaction and discovered that the account had been “hijacked”, a source disclosed.

According to one source, personal data obtained through unauthorised means were used to gain access and make changes that gave the accused fraudsters control of the account, including the ability to change the password.

“Evidence indicates that the victim’s account was compromised by the fraudsters who were able to change certain security credentials. This resulted in the creation of an online banking profile for the victim,” the FID statement said.

The swapping of cell-phone SIM cards is one of the more common methods used by cybercriminals to “easily” hijack a customer’s bank account, Nicholson said.

SIM card swapping, he explained, occurs when fraudsters gain access to a mobile phone number and approach the telecoms companies to get a replacement SIM card under the guise that they are the legitimate owner.

“All the time they present an identification card to support the SIM swap,” the NCB executive said.

A majority of local financial institutions rely on text messaging and email as part of their authentication or registration processes for Internet banking.

Consequently, Nicholson wants lawmakers to enact stronger punishment for SIM card swapping “because of how easy it is for fraudsters to take over a person’s cell phone” and the “significant financial impact” this could mean for customers.

“They know that at this time, it is a slap on the wrist, so they will continue despite our best efforts,” he said, referring to cybercriminals and the current sanctions in the Cybercrime Act.

“So, if fraudsters get access to your cell phone or your SMS [messages], then they can get access to your email. And from getting access to your email, they can either create or take over your Internet banking,” Nicholson said.

He said NCB – the largest commercial bank in Jamaica – has, over the years, invested “heavily” in its cybersecurity architecture and customer education.

“If customers continue to do things which expose themselves, then that will bring all the investments we have made in cybersecurity to naught,” said Nicholson.