• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


The human impact of business email compromise - with Laura Jeffery


In a very special episode, Gar is joined by Amy Holden from Mimecast and her friend Laura Jeffery who bravely shares her up-close and personal experience of how she became the victim of a business email compromise scam.

Laura walks us through the stomach dropping moment when she realised $65,000 in payments to a supplier for her home build had gone to cyber criminals. She talks about how the attack happened, the issue of responsibility, and the incredibly frustrating legal and criminal process.


The Get Cyber Resilient Show Episode #69 Transcript

Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Garrett O'Hara. Today's episode is special. In our industry, we hear so many stories of business email compromise, or BEC, and the impact on organisations, but much less often we hear about the personal impact for victims. Today, we're joined by my colleague, Amy Holden, who I got to co-present with at AusCert this year and who's a member of our Cyber Resilience Executive Society.

In the interview today we speak with Amy's close friend, Laura Jeffery, managing director for Tundra Resource Analytics, who bravely shares her up-close and personal experience of business email compromise. The conversation dives into Laura's life and fight after the stomach-dropping moment when she realises large payments to a supplier for her home build had gone to cyber criminals. We talk about how the attack happened, the issue of responsibility, the incredibly complex and frustrating legal and criminal process, cyber insurance, and fundamentally get a real understanding of what the human impact of cyber crime can be. Painful. Over to the conversation with Laura and Amy.

Today, I'm joined by two people. Uh, firstly, we have Amy Holden, the co-presenter at AusCert this year and my colleague for, I think we're up to six years now. Is it, Amy? Something like that.

Amy Holden: Five. We're coming at-

Garrett O'Hara: Five.

Amy Holden: ... five years.

Garrett O'Hara: There you go.

Amy Holden: Yes.

Garrett O'Hara: So, we've worked together for quite a long time. Um, and in what I feel, like I said, is kind of a special episode, we're joined by one of Amy's friends, who's Laura Jeffery, the managing director for Tundra Resource Analytics. Welcome Laura, how are you doing today?

Laura Jeffery: Great. And really pleased to be here.

Garrett O'Hara: Good times. You guys are friends. You've been friends for, uh, some time, which is where this all started.

Amy Holden: Yeah, we, Laura and I met in 2007 on the Gold Coast when we were both studying abroad at Griffith Uni. And then we, we both moved to Australia and found each other again, all these

Garrett O'Hara: Good-

Amy Holden: ...years later,

Garrett O'Hara: times. It's like a, like one of those Netflix romantic comedies or something [inaudible 00:02:09] later in life.

Amy Holden: Friendship styles. It is.

Garrett O'Hara: There you go.

Amy Holden: Yeah.

Garrett O'Hara: So a- anyway, the, the episode is not about friendship, unfortunately, that's our other podcasts that we work on.

Uh, I wish. No, we don't. Uh, this is obviously about cyber resilience. So, Laura, you've got a very specific story, which we're gonna get to in a moment. But before we do that, would you mind just giving us a little bit of your bio and then just a bit of an intro to the audience, and then we'll get into, get into why you're here today with us.

Laura Jeffery: Sure. So, I'm, as you mentioned, the managing director of Tundra Resource Analytics. Backing up a few steps, I spent my whole career in the world's largest mining and resources company, so BHP, [inaudible 00:02:49] in a variety of roles. I have a finance background, so I'm an accountant. Um, but I've worked across projects, finance, HR, maintenance, a variety of functions within the mining industry.

And a few years ago, sort of used that experience as the platform to start this consultancy business. So, we've got a few different streams, but one of our primary streams is doing major mobile equipment strategy optimization. So, life cycle costing and trying to pinpoint the most economical time to replace big infrastructure.

And the other one is I do acquisitions and divestments work. Um, so integration and separation specifically. So, I have quite a background in the ERP or enterprise resource platform space and managing the coming and going of smaller companies from the bigger ones.

Garrett O'Hara: Very cool. So, I'm, I'm guessing you've got quite a, a technical background. It sounds like you're not a, yeah, you're not somebody who's, who's not tech savvy, I would say, given what you've just described.

Laura Jeffery: Yeah, I would consider myself relatively tech savvy, which is probably one of the parts I struggle most about with my story, is that the, the embarrassment that I could find myself in the position that I do given my background is [inaudible 00:04:12]. Um, and it, it revealed to me that I'm obviously, or I wasn't obviously as tech savvy and aware, particularly of cyber fraud, as I thought I was.

Amy Holden: Yeah, I think it's hard. Like you think you're doing the right thing. And I think a lot of people we think about it because we have these conversations all the, all the time in, in this industry.

But when you told me your story, I, I, my, my jaw dropped and I just thought we need to, we need to share this with the community. 'Cause we talk about, you know, BEC so much from a business perspective. And I think, you know, your story really shows that the humanized aspect from an, an individual. So, I would love for you to, to tell us a story from kind of that, that high level, what happened, and then we'll kind of dig into some of the, the detail.

Laura Jeffery: Great. So, the, the quick and dirty of our story is basically that my husband and I were building a house and he was engaged in an email trail with our cabinet maker on the, the final payments and pick-up arrangement details for these, the set of cabinetry for our entire house. And this email trail was about 20 deep there, back and forth.

It was fairly rapid-fire succession. And an email came through from his account, basically saying that they changed the bank details since we made the initial deposit, to make sure that we put the final payment, which was $65,000, in XYZ account. Um, and then further asked us if we could confirm the time that we would have the truck there for delivery.

Um, we, to be honest, didn't think twice about it. Over a period of three days, we made $65,000 worth of payments to the account as requested. And then the, the agreement was that we paid by Thursday night for pickup of the cabinetry. On the Friday, we were sending a truck down for that pickup. And on Thursday night, he called after we made the payments and actually sent the confirmations to his email and said, "Where's the payment? You're supposed to be picking up tomorrow. I haven't received any money for you." And that's basically where, um, our whole story began revealing itself.

Amy Holden: Yeah. And I know you said initially it felt shock and then you spent, was it, how many, how, like initial hours, and you're traveling for work at the time? Like what happened? What happened next?

Laura Jeffery: Yeah. So, I had been traveling for work. It was actually the longest time I've ever spent away from my two small kids. Um, [inaudible 00:06:46] Amy is always a bit hard. Um, I'd been away for almost 10 days and I was on my, I was transiting through Cannes on my way home.

I'd made the two out of the three payments from my personal account while I'd been away. And my husband had made the third from his, and he called me on Thursday night. I had just landed in Cannes. It was late and he basically said the money's gone. And it was, it's just one of those moments that I could, I could recreate the scene in such detail at the drop of a hat.

Like it, it's almost like the whole evening happened in slow motion for me. At, at first I was in shock and I couldn't believe what I was hearing. And he told me the conversation that he'd had with the cabinet maker that revealed what had happened. Um, he had called the bank immediately, but the bank, because I had made two of the three payments, they wouldn't take the case report from him. I had to do it. So, I spent from 10:00 PM until about 2:30 in the morning on the phone with the bank. Um, during which time there were periods I was literally on my knees in the hotel room, sobbing hysterically. Um, it was, it was such a shock. I was so exhausted.

I, yeah. And throughout the process, I've gone from shock, disbelief, horror, anger, like the full, um, spectrum of emotions. But yeah, [inaudible 00:08:10] forget that night and hearing those news, that news. And I actually called, because she was one of the only people awake, I called my best friend back in Canada, and I remember sobbing to the phone.

Like, please tell me that we don't live in a world where the $65,000 will just be gone, that I'll never see this again, that someone's stolen this from me. Um, and as I've mentioned to you before, Amy, it really felt like to me at that time, in that mental state that I was in, it wasn't just money. Like, I felt like someone had stolen time with my children, had stolen part of their childhood away from me, because I had to travel to make that money and be away from my family. And it was just, that, that's not a helpful mindset. And I, I had to actively try to get away from that. But I remember saying to Jess, like, tell me that this isn't real, this isn't the world we live in.

And I think it's revealed itself over the last 18 months that actually that's exactly the world we live in, um, where it could be that easy to, to have a loss that substantial so quickly.

Garrett O'Hara: Were you aware prior to this happening, Laura, were you aware of these [inaudible 00:09:21]? Was that something that was on your radar or something that you even knew was a thing in the world?

Laura Jeffery: It wasn't actually, not, certainly not the term BEC. I had, I would say, I had extensive knowledge of, um, the dangers of phishing links and phishing and all of the various issues. Um, I have extensive knowledge of fraud, just from my role of being an accountant and being involved in segregation of duties and systems controls.

But again, I, my knowledge of that was in the context of a major organization that has a billion dollar ERP system sitting around it to sort of put in place those controls. In terms of my awareness of my vulnerability as an individual, I would say I had very little awareness and, yeah, I hadn't actually heard the term business email compromise scam until that night. And that's what the bank told me that I was a victim of.

Garrett O'Hara: No good. No good. So, like, given that was when it sort of came to light for you, I'm guessing there was an investigation started, et cetera, and you kind of briefly mentioned it's, that's, you know, I think they'd been monitoring your supplier's emails. Can you kind of just dig into that a little bit and then tell us about what, you know, how the attack was actually executed?

Laura Jeffery: So, I'd be happy to. Some of the details are still a bit fuzzy. And one of the challenges through this whole process is that we've really struggled to get concrete information and answers, but from what we've been able to piece together, the, um, the assumption is that the cabinet maker must have clicked on a phishing link that therefore compromised his emails, because the scammer definitely had control of his emails.

So, the email, as I mentioned, came through in an existing trail, it wasn't even a separate clean email. Um, and he had been monitoring, clearly monitoring our conversations, because the scammer was deleting the responses that we were sending to him so that the cabinet maker wasn't aware that these payments were being made and didn't try to reconcile with those accounts.

So, there was some sort of active monitoring of his emails, which was apparent. Um, and yeah, obviously the instructions for us to pay this money to these changed bank account details hadn't been written by our, um, cabinet maker and didn't come from him, but were confirmed to come from his email. So, from an investigation perspective, it, like, those details were vaguely apparent to us from the beginning.

Um, but in terms of, um, what lay behind that, there's a whole web of the story underlying that, as I'm sure we'll get into today. Um, and that really only came to light over the course of 18 months. And to be honest, the details behind that are still just coming to light. So, as I said, I spent, you know, a number of hours that night on the phone with the bank. When I, as I was finishing up that conversation with the bank, it sort of occurred to me in this weird fog that I was in.

Should I be calling the police? Like, is that the next step? Do I have to call the police? And surprisingly, the bank was really hesitant to advise me to do so. So, she started, you could almost hear her sighing or rolling her eyes through her, through the phone. And she basically said, well, if that's what you want to do, but basically like, we're gonna investigate this. But it was palpable to me even in that moment that they almost didn't want the involvement of the police, that that would create more work for them, which was a red flag that instantly went off even in that moment for me.

And I can see why. So, I, I sort of disagreed. Like for me, it felt immediately that the, this was a crime. This was criminal activity and I was the victim of a crime, or we, between me and us and the cabinet makers, we were crime victims.

Um, but I did call the police that night through the, there's like a 1-300 number for the police in general, and was told that I can't make that, um, kind of complaint over the phone. I had to present at my local branch in person. So, I flew home the next day, went literally straight from the airport to the police station.

And I spent an hour, at least, in the police station with an officer, showed her the full email trails, handed everything over. She printed it out and read through it. I gave a verbal account. Um, and she basically said that she couldn't see any crime at this point, that it was a civil matter between us and the cabinet maker.

Um, which really confused me. But again, I took her at her word and then just walked away. She basically said you need to wait until the outcome of the bank investigation, until they determine that there's criminal activity. And after that point, you can file a police report, which was actually complete misinformation, but it took me weeks to realize that, and it wasn't until the cabinet maker went to his local police station.

Um, and that police officer, sort of advocating for him, called me and just read me the riot act about, you know, accusing me of not caring and not doing anything and almost being sly. Like, because we did pick up the cabinets the next day, he said, did you think you could just receive these goods and not pay for them?

Um, so there was a, there was a bit of confusion and like misinterpretation there, but that particular police officer ended up becoming a really good resource for me. And one of the only people from whom I got straightforward answers after, as the, as the story unfolded.

Garrett O'Hara: Uh, for real quick question, just on the, on the law enforcement side of things and, and the person that you spoke to from the police force the first time, did you get a sense that they understood cyber security, uh, in general? 'Cause I think that's a, a question I would have as if I went to my local police station, you know, I, I don't think they were, you know, by default they wouldn't receive cybersecurity training, right? So, they may not understand the evidence that you're presenting to them. And, yeah, just, did you get a sense that they kind of got it or this was just not something they normally have to deal with?

Laura Jeffery: No, that, that's a great pickup. I specifically got the sense that she was completely underprepared for receiving this type of complaint and probably hadn't gone through that training. I, I even... So, I live in country Victoria, and I thought as I was on my way home, that the chances of my local police in country Victoria dealing appropriately with this situation or having that cyber security awareness would be low.

So I intentionally, instead of going to my actual local unit, went to the biggest police station in Melbourne that I could find thinking that I would have better chances there, but as it turned out, I did not. Um, and then the jurisdiction issue has caused all sorts of headaches. And I actually think that's part of the design.

My own personal theory is that the way that the legal system is set up in Australia, and this type of fraud being state regulated and policed, as opposed to having a national framework, allows for the proliferation of this kind of fraud to happen. Because every time the case moved across state borders, it was like the investigation started from scratch and there were months more activities that followed, and it allowed nothing but time for these people to basically clear their tracks and get away with it and hide the funds. And so the, the account that we sent the money to initially was actually held physically in Sydney.

So, New South Wales. And the way that the, that the police system is set up is that the jurisdiction that gets assigned the case is where the perpetrator is. So, the, the fraudulent account was considered the perpetrator. So, it first, it went to, instead of my local police, it, as the victim, it went to the New South Wales police.

From there, they noted that even though the account was physically held in Sydney, the owner of that account lived in South Australia. So, then after the New South Wales police did what they did, it went across the s- to South Australia, where an investigation commenced. And I don't know how long New South Wales had it versus South Australia.

But I do know that the, every, all these events that unfolded themselves, that we, when we realized that the fraud had taken place, was October 4th, 2019. And the first time I heard from a police officer in terms of any answer or direction, their progress on our case, was March 6th, 2020. So, a full five months later, which I attribute to, in part, this jurisdictional sort of complexity.

And then I, I'll, I might later on in this conversation maybe get to what was revealed at that point, but just on the note of jurisdictions, it was then found that the South Australian, the account holder, transferred the money on to an account in Victoria. So, then the South Australian police finished their investigation, couldn't progress it any further. They could only progress the investigation up to the transaction when the money was in Australia or South Australia. And then it went to Victoria. Um, the case went over to the Victorian police. Um, there was a bit of a schmozzle there where the case fell between two desks and there was months of inaction, um, on their sides and a whole slew of events that happened.

Um, and then they were eventually, after probably six more months, able to pinpoint that the, the money ended up in Nigeria, or at least a portion of it did. Um, and at that point they just said, well, there's nothing we can do about that. Um, but I do wonder if that is part of the design of these scams, because yeah, every movement, it gets harder to trace.

Garrett O'Hara: I, I think you're spot on, like, that's exactly what happens, you know, it hops around cans. Um, and I was actually gonna ask you, was there a point where it jumped out of Australia? 'Cause I think that's the bit where it starts to get really, really difficult, when you're dealing with international jurisdictions.

Um, super quick follow up question from me, like how did it go once the funds left Australia, was there a collaboration with international police forces? Or how did that sort of side of things go?

Laura Jeffery: So it's basically been considered immaterial and they've, the police has said, full stop, that they're not going to progress the investigation, that there's nothing that they can do. Which is why I think again, there's, there's so few cases where there's any justice and any real action taken against the real root cause of the problem, which is the overs- overseas perpetrators, that, it's, we're, as Australians we're easy targets for them, like there's so little chance of repercussion.

It almost makes you think why not progress this as a lifestyle, you know? Um, not that I'm advising that, certainly not, but it-

Garrett O'Hara: Is this the bit where the three of us spin up, uh, like a separate company and start making some mad coin?

Laura Jeffery: Yeah. [laughs]. I mean, it, it seems pretty, uh, pretty easy way once you can get in.

Amy Holden: It's, it sounds, all of the, sounds so time and stressful.

Ho- how much time has this taken up for, yeah, for you to, that you've been so active in, in chasing this and he- trying to help the police? And I, some people, I mean, it's so much money, but so much, so many people would give up by now. How much time would you say you've put into it?

Laura Jeffery: I actually know specifically how much time I've, at least, or I've estimated how much time I've put into it, because we are some of the minority cyber fraud victims that actually see their case progress to court. And as part of that court process, I've done a victim impact statement where we've talked about not just the financial impact of what we lost, but also the emotional impact, the impact of our family and the financial impact beyond the money that was stolen, essentially.

And as a, as a contractor and consultant, I've got an hourly rate, which is pretty, you know, widely available. And I, I log all my hours from a work perspective in a time sheet. So, I was basically logging all the time I was spending on talking to the police, talking to the banks, talking to the cabinet makers, filing more reports.

And I estimated, you know, that it probably cost us another $20,000 of what would have been billable time for me that was spent progressing this. And I also recognized that I had a huge position of privilege in that I worked for myself and I can sort of use my time at my discretion, and just think that so many victims of this type of crime just would not have the luxury of being able to take that time off work and dedicate towards this.

Because I, I know that I would have, not that there would not be, I can say with certainty, there would not be a case in court right now had I not been like a dog with a bone, constantly following up. I actually, the experience with the Victorian police was so terrible, um, I ended up filing a report with the, or a complaint with the independent body of anti-corruption for the Victorian police based on a failure to, to do their jobs.

And it was, to my surprise actually. So, that triggered another investigative process separate to the [inaudible 00:23:08] cyber crime. Um, but it was found to be valid. And I got a, an official letter of apology and a note of what was put in place as a reaction to this. Um, but at the same time, it didn't give me that much comfort, because those were locally applied to the police station where the problems in investigating our case occurred, and that's one police station. So, if you go one suburb down the road, you might have a cyber fraud victim that has the exact same experience as we did, which is just, it gets put in the too-hard basket and isn't followed up, which is, yeah, really frustrating.

So, it was really costly for us and time consuming, and we're approaching the better part of two years after the initial fraud. And we still don't have a resolution yet. Um, so yeah, it's ongoing and open-ended at this point.

Amy Holden: Yeah. And what was, I know a lot of people would think that their insurance would cover this type of a scam, or even that the business that you were working with, the cabinetry maker, that their business would cover it. What, what ended up happening there?

Laura Jeffery: Well, that was exactly what I thought as well. And that was one of the points where I realized that I was a bit naive to how the world works as pertains to cyber fraud. So, I went through this period after everything unfolded where I, just as a survival mechanism, I think, I would just got really optimistic about everything.

And I was like, you know what? I'm not gonna stress about it because his insurance, the cabinetmaker's insurance, will cover this. This is a business loss or, you know, the bank will sort of restitute the losses and they'll have accountability for this, 'cause this is cyber fraud. And I remember I was working with the vice president of risk and insurance for one of these major mining companies at the time.

And I mentioned an offhand comment. Well, you know, this is a frustrating process and it's a shame, but at the end of the day, insurance will take care of it. So, we'll be fine. And she just said, oh no, Laura, your expectation around that is completely off base. First of all, no sort of general and public liability or business insurances covers cyber fraud as a risk.

And there is cyber insurance that you can get apparently, but in Australia, that industry is completely juvenile and underdeveloped, and she was like, let go of any expectation that there'll be any form of insurance in place that will cover you, which ended up being correct.

Garrett O'Hara: It's kind of true actually. As you talk about cyber insurance, it's a big topic of conversation within the industry. And I think what we've seen is of the cyber insurance policies, but they're very specific, and we've had actually cyber insurance, uh, experts on the, the pod in the past. And they've talked us through some of the glitches, but there's a lot of kind of, air quotes, "get out of jail" clauses in the policies and they don't cover the things that you may expect.

Uh, and this sort of exclusions for things like acts of war, and in our industry, it's actually really difficult to do attribution. So, you end up in court, sort of arguing about whether a breach was an act of war or if it was just a, you know, sort of, uh, gung ho, um, attackers sitting outside of s- state nations.

It's bizarre. And so I, I definitely think it's an evolving field or area, and [inaudible 00:26:35], which I'm sure, you, you know, if you read the news, you see a lot of at the moment, that's changed the field again, because there, are, the [inaudible 00:26:43] are so big that there's no premium almost that can cover the, the amount of costs that it would be for the insurance companies. So, I think a lot of them are certainly slowly backing away from, you know, the, the cyber insurance policies. It's definitely a bit of a minefield.

Laura Jeffery: It, it is. And that, that was our experience. And even if those policies were a bit more sort of developed, for small businesses, they'd probably be cost-prohibitive as well.

And it would be out of the reach of a local cabinet maker in Melbourne, I think, to access that sort of thing. So, that was a big learning and something that I, um, try to make people aware of when sort of showing their vulnerability. And the other thing is, I know I've heard of people having unauthorized access or, um, transactions on their credit cards and that sort of thing.

And, or their banks being cleared out, because years ago it was really prevalent to have like sort of chip reader machines, like you'd go in to pay at a petrol pump or something like that. And your card would, you know, somehow your bank account balance, which the, you know, they read the, your card. And this was a big thing a few years ago.

And the few people that I knew that that happened to always had their bank account balances restored, and it was considered unauthorized access. So, I was thinking, well, just like in those situations, the bank will just, um, restore my bank account balance and this is on them. It's, you know, cyber fraud. It's obviously a big...

Banking was central to the scam. Um, but I also found that that is not true. So, there was, I, I willfully made the transaction. So, the bank has zero liability. And I do think that there is a role for the banks in taking responsibility. I think that there's actions that the banks need to collectively take to take more responsibility and to recognize the losses.

And it seemed to me through this process that the bank's interest was more in protecting the privacy of the offenders rather than assisting the victims. Um, and I've heard in the UK that at least they were trialing a levy on, um, online banking transactions that would then fund the banks to be able to restore victims of cyber fraud's, you know, accounts.

Um, and there was speculation as to what that would do to the incidents, but I don't know if that passed or not. But yeah, my personal opinion is that the banks could, you know, are more liable than they accept, and that there's actions that they could take to better protect consumers.

Garrett O'Hara: Yeah. I tend to agree with that.

I think it feels to me like BEC has exploded in our industry, we talk about it all the time and the numbers are staggering and frightening. BEC and ransomware, those two things. And it sort of feels like BEC, it's like the days of online shopping where, I mean, you guys probably remember you could buy things, but also there was so many scams and stolen credit cards.

It was just, it was like the wild west. And you know, you saw the banks then introducing things to, you know, lock down online payments. They, they are at a point where I think they've got pretty good algorithms in the backend that spot when things are a little bit weird, but my credit card got canceled, uh, it was probably like three weeks ago.

I got a phone call on a Sunday evening um, from the bank saying, hey, did you just buy something in Burleigh heads? And I'm like, no, no I didn't. And yeah, [inaudible 00:30:16]-

Laura Jeffery: [inaudible 00:30:16].

Garrett O'Hara: [laughs]. Yeah, exactly. Um, but yeah, it was one of those weird things where I went back over everywhere I'd been, literally couldn't think of anywhere that there would have been credit card skimming, you know, this chips on the cards, as you said, and the, the guy from the bank said, look, they just try numbers sometimes.

And they hit upon a card that works. And today was your lucky day. So, now you get to reset all your scheduled payments and all of that stuff, but you know, I guess the point is we're early days with BEC, and I think there's a bit of a lag quite often with, to your point, Laura, the protections, the responsibilities within the sort of broader society, like who owns it, who should be protecting the customers.

Definitely agree. Um, that there's responsibility that can often be externalized in this case, horrible [inaudible 00:31:01] unfortunately, but there's, there's cost involved in security, but I do think there's a big conversation. [inaudible 00:31:08] Like to your points. Okay. We, that's, it's gonna be expensive, but we kind of need to do it because it's so common these days.

Laura Jeffery: Yeah. I signed up. So, to the point, the question that I haven't yet addressed Amy, about the national fraud reporting report that I made with the ACCC. So, as part of doing that, I signed up for these Scamwatch alerts from the ACCC. And I got an email just this week saying that the numbers are in for 2020 and Australian small businesses and individuals lost $128 million in business email compromise and payment redirection scams in 2020 alone, which is a staggering amount of money considering that, um, it's highly unlikely any significant percentage of that will be returned or restored. Um, and that anyone will be brought to justice or held to account for those losses.

Um, but yeah, shortly after the conversation with the police officer that called on behalf of the cabinet maker, he was the one that informed me that, unfortunately, in the police, there's few people that have the level of cyber security training that they require. And I've been led astray actually by the police and what I've.

Um, and luckily I was taking record of these conversations that I had. So, once I one all this came out, he really backed down and then came onto my side and sort of informed me what I should have done. So, he said that there's a national reporting agency. It used to be called [inaudible 00:32:44]. I can't remember the.

Um, I think it's just sort of cyber fraud. You could Google it anyways. The, there's an online reporting system and he directed me to that. I, I made the, the complaint straight away that night. So, this was still weeks after the fact. And that's when I got this reference number and it said, this is your reference number.

This is the part that usually makes me cry, but I'm prepared this time. So, I'm not going to. This is your reference number. Please note it is highly unlikely you'll recover any of your money. This is the number to Lifeline, and this is the number to Beyond Blue. And that was another really significant moment for me.

Just the, the impact that this can have. And I just think, thank goodness it was us who can recover, for, from this, who can fight for some sort of resolution rather than, you know, my retired parents or someone's granny or someone that, for whom this could be life altering, life ending stuff.

Amy Holden: Yeah. I think that's amazing that like, you've found the silver lining in what's been such a traumatic and awful experience.

And I know you, you've, you've become so passionate about sharing your story for that exact purpose, to make sure that you can prevent other people from needing a lifeline to having to go through this, this world of pain. What's been the feedback? I know you, you, you had a video produced [inaudible 00:34:08] that they share to educate their staff as well.

And what's been the feedback that you've received?

Laura Jeffery: Yes. So, as part of cyber security awareness month [inaudible 00:34:18] who are one of my primary clients within my business, someone reached out to me to share my story and it evolved from, can you stand up in front of a group of people and tell this story, to, can we write a little business case on it, to, can we actually produce this video and share it globally with our network of 40,000 employees and contractors? Because there's some powerful lessons to be learned, um, even outside the, the work context, but from a, a personal protection level. And I was hesitant at first because I struggled, as I mentioned earlier, with the sort of shame of being caught up in an experience like this, but then quickly worked out that we're not gonna see any real justice. Like, that has become clear to me from the beginning.

No one's gonna be actually held to account even if our court case ends up successfully for us. Um, I think that that person will end up being a big player in this overall global fraud network and the ultimate people that ended up with the money probably won't ever be held to account.

And so, if there's any silver lining, like you mentioned, then it can only be that if I just get over this embarrassment of, and accept a little bit of vulnerability in this space, then maybe I can help protect other people from doing that. So, I participated in this video, which [inaudible 00:35:42] produced and then distributed to their networks.

And when they released it, 'cause my husband also was, he's an engineer and has worked in mining for his career and previously worked for this company and still has a lot of network or connections in his network within the company, both of our phones just started blowing up instantly with colleagues that had seen this video and had been impacted by it and had, had, had no idea.

And since then, I've, I've received hundreds, literally hundreds of emails from people in the organization saying that they were impacted and touched by the story, that they've shared this with their networks and with their elderly parents and with their, you know, sister-in-laws who are doing home renovations.

And there was a staggering lack of awa... Well, it's not staggering because I was the same. I'd had such little awareness of how vulnerable I was, but I think the overwhelming consensus was that most people were really unaware to how vulnerable they are, and that people were taking action to protect themselves, which even if I just received one of those emails would have been made it all worthwhile and would have been a really satisfying experience.

So I, and it's one of the reasons why I'm happy to come on here and have a chat with, I'd be happy to have a chat with you guys any day, but particularly to have this broadcast there to a wider audience, even if it's to my detriment, because, um, I think, yeah, if I can help someone, then it just eases the cost and the pain of our experience a little bit.

Garrett O'Hara: Yeah. 100, 100%. Um, and look, I, I applaud you Laura. I mean, the, the reality is, you know, you don't work in cybersecurity and I think that's one of the things we talk about quite a lot is the expectation that people who are expert accountants, expert business managers, experts in HR. Like, why should they know about cyber security concerns?

I think it's become a broad issue. Right. So, I, I definitely get your point, but yeah, given some of the, you know, very clever tech people that get caught up with this stuff, including cybersecurity professionals, it does, it happens more than we'd probably like to admit. Um, yeah, I personally kind of applaud you for sharing the story.

I think it's just critical that we have the conversations, you know, at a personal level, like as you were doing. But I think one of the things, and Amy and myself talked about this actually at our [inaudible 00:37:58] where we, you know, we talked about the, the openness, the collaboration, the conversations that are happening now, when somebody does get breached, there was a sort of psychology of don't tell anybody, you know, it's, it's kind of, it's embarrassing at a company level, you know, it's bad for our brands. Um, but I think we're seeing more and more that's, you know, there's a collaboration happening in cybersecurity where it's, it's important to have the conversation and say, hey look, we just got done. We got popped. Here's what happens. We're sharing this information because it's important for everybody else around the world to know, you know, our story so that they can protect themselves and to think you're, you're doing exactly the same thing.

So a massive applause to you. Uh, you know, and can see the video during the applause, uh, on the video. I think it's critical that we actually, uh, have these conversations.

Amy Holden: Yeah, it's so admirable that you've been able to find that, that silver lining and share your story. Um, just the, the la- last question from me, Laura, just curious of where, where everything is up to now and with the court case.

And I know you said it'll probably never kind of, it'll never have 100% closure, but what's the, what's the next step and where's it at now?

Laura Jeffery: Great. So, to get to that answer, I might just back up a few steps and let you know some of the details around the initial investigation. So, the account in South Australia that I told you about, that even though it was based in Sydney, the account holder lived in South Australia.

She was like a 20 year old girl that was contacted by someone on Instagram that it actually apparently. we've just story about being in the American military, a friend of a friend that's in the American military in Australia and needs. I'm not sure the details of a story that made this remotely believable, but with some story requesting her to receive some funds and transfer it to another account that somehow might've seen, must have seemed legitimate to this girl at the time.

And so, and this is where there's actually a positive note in our story where things could be much worse. So, this girl agreed to do this and the scammer behind the scenes had obviously not prepared her, because they wouldn't have known for the fact that the money was gonna come in in three different lump sums.

And so she received the first one of about $25,000 and transferred it to this account in Victoria. But when 40 more thousand dollars rolled in, she clued in that something was amiss. And she actually went to the bank immediately that day and said, some, I've done something wrong and this has happened. And so they froze her account and it's frustratingly.

So the bank knew that on that day, when I was calling them crying in the middle of the night, they had, you know, someone else at the bank, probably not the same individual, had already been made aware of this, this transaction that had happened and her accounts had already been frozen. So, while I, I, I sometimes also like between like rage and fury with this girl for being so naïve and so down to accept this sort of request via Instagram, I also owe her a massive debt of gratitude because if she hadn't have twigged after the, that first transaction, we would've lost the entire $65,000. So, the, the real positive story for us was that we only lost $25,000. We actually had $40,000 restored, which makes us, it, it's almost a miracle.

Like the, we were told over and over again, you will not see a cent of this money back. So, you've never seen two people celebrate losing $25,000 so hard. Like we were popping bottles and we were pretty thrilled. Um, and so the police determined in that case with that particular girl in South Australia, that there was no criminal intent.

And so therefore they couldn't press charges against her. I would personally love to see the details of that investigation and to make sure myself that there was no sort of kickback that we, she received, but at the end of the day, I'm just grateful to her that she didn't transfer the entire amount because once it hit Victoria, it very quickly thereafter went to Nigeria.

And so had she not done that we would have lost the entire amount, had no, um, path of recourse, I guess, to get that back. Um, when it got to Victoria, I'll be a bit careful about what I say, because this is still an active court case, but it was another female involved who is an account holder who was allegedly a romance scam victim, or that's what she purported to be.

So we really covered the full gamut of fraud scenarios in this one case, but it was only after I filed my complaint for failure of duty did they actually progress further and then say, actually she's been involved in this kind of activity before, and we'd never connected the dots, which is why they felt that they had a case to press charges.

And that has been in the system for quite a long time, it was scheduled to go to court in April. And I wrapped up. I, we did the victim impact statement, which, um, we volunteered to read in person and we wrapped up and they at the co- court case was adjourned. And so who knows when it will happen, but the police are repeatedly telling me, like, don't expect them to, they'll probably sort of have pity on her.

She won't know. Necessarily justice will come of this. Um, so we're still, we're still in the system I guess, and progressing it and don't expect to receive any further funds back. But I mean, if this were a movie, what would happen is she would cut a deal with the judge and like reveal her contacts overseas in exchange for getting off scot-free.

Um, but we're not in the movies. So. [laughs].

Amy Holden: Exactly. And finally, we could finally end this process. It sounds like there's still, um, a lot of ways to go, but I think it just shows that, you know, you're passionate, you're still fighting the court case, even though, you know, there's no additional gain for you that yet, but you're able to tell the story and continue to share your experience and, and bring this to justice.

Laura Jeffery: Yeah. And what I would like is to like, give a message to people that there are, like, just keep pressing. There are avenues, like don't let them get away with it so easily. Make the police do their jobs, make the bank do their jobs. Um, I, I wish there was sort of an advocacy network for victims. Um, and interestingly, there was an article in, I think it was the Herald Sun or The Age about the, a cyber conflict in which almost word for word it could have been me.

It was like a young female business owner with small kids, and they lost about the same amount of money. And there was this big article in the paper. I tracked this girl down on Facebook and messaged her and just said, just so you know, I've had the exact same experience. Our cases are so similar. Um, and we've had this ongoing engagement back and forth where if we've shared with each other, what different routes we've taken to progress the investigations and what the outcomes were and share tips on how to do it.

And I think that's, it's really important that people feel like they've got some sort of option.

Garrett O'Hara: I feel like you're the Erin Brockovich of uh-

Laura Jeffery: [laughs].

Garrett O'Hara: ...business email compromise at a personal level. Um, Laura we've, we've hit time here. So, so at a personal level and I'm sure for the audience, we've, huge, huge thank you for, uh, sharing your story.

I think there's lots, uh, to take away from that. And if, you know, the message I got is just be tenacious and keep pushing to, you know, hold people to account and get the job done. Um, and don't, don't take the first answer you hear as, as the truth necessarily. Um, so yeah, look, a huge thank you, uh, for joining us today.

It's been an incredibly, uh, interesting conversation.

Amy Holden: Thanks so much, Laura. It was great to have you, and it's great to be on the show as well. [inaudible 00:45:53].

Laura Jeffery: Yeah, I've enjoyed this and best of luck with your podcast and thanks for having me on, genuinely.

Garrett O'Hara: Thanks so much to Laura for that valuable conversation, for fighting and for sharing her story in a way that will help other people, and huge thanks to Amy for joining today and the work leading up to the recording. As always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe and leave us a review.

For now, stay safe. And I look forward to catching you on the next episode.

 
