CEO scams where businesses lost upwards of €250,000 are part of a recent cybercrime trend, Inspector Timothy Zammit, who leads the Police Force’s Cybercrime Unit, told The Malta Independent in an interview.
Zammit gave an example of such scams: “A company’s accountant would receive instructions from the CEO to effect an urgent payment in relation to a particular purchase. Subsequently the company, after payment has been made, would discover that the instructions would not have come from the CEO but from elsewhere.”
Sometimes, he said, such situations would be due to a compromised email account, where the perpetrator has gained access to the CEO’s account and is able to send mail from it. In other cases, it could involve the perpetrator identifying the financial controller’s and CEO’s email addresses, then creating a fake account resembling the CEO’s and fooling the financial controller into believing that the request is coming from above.
“We’ve had losses of upwards of a quarter of a million Euros on one email account. In most cases it would be a few thousand or a couple of tens of thousands, but we’ve seen a few cases upwards of that.”
Zammit explains that accountants and financial controllers should make checks before carrying out any out-of-the-ordinary transaction, for example by obtaining verbal confirmation from the person who supposedly requested it.
CEO scams have been around for the past five years, and in the past banks were the main targets, he said, through scam artists impersonating bank clients. Nowadays banks conduct their own checks, so perpetrators are targeting businesses rather than banks, he explained.
Another issue businesses are facing is called “the man in the middle attack”. For example, there would be an ongoing relationship with a supplier and all of a sudden one side receives a notification saying to make payments to a different bank account, instead of the usual one, he said.
“Any change in circumstances should be questioned, and the main issue seen is that people act on an email, asking questions later. It should be the other way around.”
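The two scenarios above (a fake account resembling the CEO’s, and a supplier “suddenly” changing its bank account) can both be screened before a payment is released. The following is an added illustration, not code from the article or the Cybercrime Unit; the executive address, supplier name, IBAN placeholder and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample directory: the known executive addresses and the supplier
# bank details already on file (placeholder values, not from the article).
EXECUTIVES = {"ceo": "ceo@example-company.com"}
SUPPLIERS = {"Acme Parts Ltd": "MT00PLACEHOLDERIBAN0001"}

LOOKALIKE_THRESHOLD = 0.8  # assumed cut-off for treating two domains as "similar"


def normalise_account(iban: str) -> str:
    """Strip spaces and case differences before comparing bank account numbers."""
    return iban.replace(" ", "").upper()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def screen_payment_request(from_header: str, claimed_role: str,
                           supplier: str, beneficiary_iban: str) -> list:
    """Return the reasons a payment instruction must be held for out-of-band
    (e.g. verbal) confirmation; an empty list means nothing looked unusual."""
    flags = []
    _, sender = parseaddr(from_header)   # ignore the display name, keep the address
    sender = sender.lower()
    trusted = EXECUTIVES.get(claimed_role)
    if trusted and sender != trusted:
        # Second scenario in the article: an account built to resemble the CEO's.
        similarity = SequenceMatcher(None, domain_of(sender), domain_of(trusted)).ratio()
        if similarity >= LOOKALIKE_THRESHOLD:
            flags.append("lookalike sender domain")
        else:
            flags.append("sender is not the known address for this role")
    # The "man in the middle" case: known supplier, but the account has changed.
    on_file = SUPPLIERS.get(supplier)
    if on_file and normalise_account(beneficiary_iban) != on_file:
        flags.append("beneficiary account differs from supplier on file")
    # A genuinely compromised CEO mailbox produces no flag here, which is why the
    # verbal check for any out-of-the-ordinary payment applies regardless.
    return flags
```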
Is cybercrime rising in the Maltese islands?
Yes, and the reason for that is that the more people use technology the higher the probability that someone would come across issues. In terms of our case load, when the unit was established back in 2003 the unit handled around 50 cases in an entire year, which averaged to around one new case a week. Last year we reached almost 900 cases for the year. If the first six months of this year are anything to go by, we will see another increase. In the first six months of this year we tackled over 570 cases.
What are the most common types of cases?
The main ones have always been the same. Issues of computer misuse, what people would commonly refer to as hacking, such as unauthorised access to an online account or a compromised computer system, etc.
Then there are issues related to fraud. Most of the time, in terms of the financial crime aspect, it used to be issues related to online shopping, yet recently financial cybercrime is becoming more targeted. So you would have a large organisation receiving a fraudulent message and falling victim to it, with losses running into thousands if not hundreds of thousands, rather than how it was before, where one would send out scam messages in their thousands with the hope of one or two people falling for it. More recently, perpetrators are doing more homework and targeting their attacks even more.
The third main type of crime is unique to Malta since we are a small country. We are a small community and everyone feels entitled to speak about everything and everyone, but the moment someone says something about them they expect a remedy from the police, going to lodge a report. This is perhaps unique, in terms of the number of reports, compared with other countries, due to size.
Are the individuals conducting targeted attacks locals?
Most would originate from overseas. So it would mostly be the same people who carried out the same kind of offence in the past using other methods. While we used to receive scam letters in the post and by email, today we receive them over the phone or through other methods. It’s basically the same people readjusting their way of doing things.
It seems like online scams are becoming more complex as time goes on. Are you concerned that these criminals are becoming more sophisticated in their scams?
They are improving themselves, and continuously looking out for how to improve their scams to be in a better position to fool the victims. I came across the first scam email in Maltese around seven years ago. The Maltese was rubbish, where they used an online translator, the language was terrible and it was evident that the email was fraudulent. As translation tools improve, so will the language of these scam emails being sent. We have already started receiving scam messages in Maltese asking us to call them back on that number. What we continuously work on is reminding society to be on the lookout. Prevention is better than cure in this area, as once the money has left a bank account, been cleared by another bank, withdrawn and transferred, it is very difficult to get back.
In the past it has proven hard to catch these kinds of criminals primarily due to the international aspect of things, and the fact that many of these individuals come from countries outside of the EU. Has there been an improvement in catching these scam artists?
There is continuous improvement. If we have to talk about what the police need to be able to apprehend these kinds of individuals, it boils down to three issues. Firstly, in terms of human resources, you not only need quantity but also quality. Secondly you need the technical means, the equipment needed to trace back and identify the people behind these acts. Lastly you need the legislative framework, which is the most relevant aspect in terms of international cooperation. The largest issue we face in terms of cross-border cooperation is not that the other country does not want to cooperate, but that there isn’t the legal framework that allows for that cooperation. Looking at EU level, the European Commission has published a legislative proposal in terms of the transfer of evidence between different countries.
Right now, if we need information from an overseas service provider, whether it is Facebook, Microsoft or Google, the formal legal way would be to send a request to the authorities where the provider is hosted. In Malta we would send the request to the Attorney General for example, who would endorse it and send it to the Department of Justice in the USA for example, who would then seek a court order there. Once the court order is issued, the service provider would be obliged to provide the information.
Describing the process is tiring in itself. The turnaround for this process, called mutual legal assistance, is around one or two years, taking that long to conclude. In terms of effective investigation this is too long. What we have been doing over the years, which is a feather in our cap, is that we have been able to build good relationships with service providers like Google, Facebook and Microsoft, where we are sending requests directly to them and they are voluntarily providing information to us. Unfortunately this is not backed by a legal framework, so we are at the mercy of these service providers as to whether they want to cooperate with us or not. This should not be the case.
A service provider who is economically present in Malta, making money out of the Maltese population should also be in a position to provide information to the Maltese authorities when the same Maltese person who is paying for a service has suffered an attack and we need information from that service provider.
You mentioned having a relationship with service providers and asking them directly for information. What about Data protection regulations for individuals?
When we work with service providers in relation to these kinds of requests there are thresholds. So we are working on serious offences which carry a certain degree of punishment. There are obviously boundaries. We are not asking service providers to break the law, but we are working with them to ensure that their platforms are safer for their users. What we are trying to do from a legal point of view, and this is where the legislative proposals from the Commission come in, is to formalise what is already happening. We don’t want the police to have more powers than they already have, but want the legislative framework to formalise what is already taking place.
In the same way, when we are travelling we accept the fact that our hand luggage needs to go through an X-ray machine, we need to empty our pockets and walk through a metal detector. That is the same thing as online, we need to accept that the authorities responsible for ensuring our safety on the internet have the powers to ensure that whatever we are doing is being done in a safe environment.
What about potential abuse by the police?
Having a legal framework would ensure that safeguards are in place. Right now the safeguard is that we are always at the mercy of service providers. So providers who are suspicious that our request might be abusive would simply refuse to provide us with the information. I am confident that the legal framework will also have a system of checks and balances, be it judicial review, or whether there is the need for a judge or magistrate to sign a request.
The legislative proposals, once accepted, would need to be implemented across all EU countries. This framework was proposed in April by the EU Commission.
You mentioned the importance of human and technological resources when coordinating with international entities. To deal with the large increase in cybercrime, have you seen the same increase in terms of investment in personnel and technology?
There is a continuous investment in terms of training provided to our officers and equipment made available to the police. We also try to tap into police funds to further build our capabilities. Is it enough? It is very difficult to say whether what we are doing is enough. When the technological landscape is evolving at such a fast rate it is very difficult to keep up. One has to also keep in mind that it is a very specialised area, and the private industry might be providing better conditions. All our officers are regular police officers and are bound to the remuneration and conditions of service they have, which are perhaps not as restrictive in the private industry. There is also an issue of staff turnover, and this is the same in the private sector: an individual might be looking for better opportunities and conditions. It is a very intense environment, continuously on the go. When one speaks of such turnover it is an issue other countries are also facing.
Do you have any concerns regarding cryptocurrencies? Are you worried about fund theft, possible fraud etc?
From a local perspective, the fact that we are moving towards a regulation is better than having unregulated territory. So that is a plus. When you regulate a business area you attract the service providers of goodwill, keeping those who don’t want regulation and don’t want to be on the right side of things away from the jurisdiction.
We have been engaging in discussions with Europol who are interested as a law enforcement agency in relation to those exchanges who might be moving to Malta, as there is a potential for cross-border cooperation there in international investigations. In the same way we reached out to social media providers, we are doing so with those virtual currency exchanges that will be based in Malta to see about areas we can cooperate so that we can ensure that anyone making use of their platforms is better protected.
At the end of the day, our work revolves around the availability of information.