Felicity Tonkinson was defrauded of her retirement investment because of intercepted e-mails. Picture: JACKIE CLAUSEN

Beware of fraudsters getting wind of your investment plans. They can do so by hacking into your e-mail or that of your financial adviser, resulting in you unwittingly paying money into a fraudster's bank account instead of the financial services provider's.

This happened to Durban psychologist Felicity Tonkinson late last year, when she was defrauded of R1.2-million while attempting to make an offshore investment.

Tonkinson describes the trauma of losing such a large sum of money so late in her working life as devastating. "I was not negligent with my personal information nor the safety of my computer. To be robbed of your financial security is comparable to being psychologically mugged," she says.

Tonkinson fell for "man-in-the-middle" fraud (security practitioners more often call this business e-mail compromise or payment-diversion fraud): a fraudster intercepts communication, usually e-mail, between you and a trusted party, poses as one of the parties and supplies his own bank details so that the payment is diverted to him.

In Tonkinson's case, the fraudster, posing as her financial adviser Nando Menin of Bay Union, advised her to use alternative banking details to those originally supplied to her to make the offshore investment.

During her correspondence with Menin about the investment, Tonkinson received an e-mail from a Gmail account bearing his name rather than his Bay Union address. In that e-mail the fraudster, posing as Menin, advised her to transfer the funds into a local bank account.
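As an added illustration (not part of the original article, and not the system of Bay Union or of anyone else involved in the case), the following Python script shows the checks a mail filter, or a careful recipient, could apply to an e-mail like the one Tonkinson received: the display name matches a known adviser but the address does not, the sender is a free webmail domain, the Reply-To differs from the visible sender, and the body asks for payment to new or alternative bank details. The adviser's address, the firm's domain and the sample messages are constructed assumptions, not the real ones.

```python
import re
from email.utils import parseaddr

# Constructed reference data for this example. The adviser's mailbox address
# and the firm's domain are assumptions, not taken from the article.
KNOWN_CONTACTS = {
    "nando menin": "nando.menin@bayunion.example",
}
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Phrases that typically accompany a payment-diversion request.
BANK_CHANGE_PATTERNS = [
    r"\b(new|alternative|updated|changed)\s+(bank(ing)?|account)\s+details\b",
    r"\b(transfer|pay|deposit)\b.{0,40}\b(local|new|following|alternative)\s+(bank\s+)?account\b",
]


def _normalise_name(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def analyse_message(from_header: str, reply_to_header: str, body: str) -> list[str]:
    """Return indicator codes for one message; an empty list means none fired."""
    indicators = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name belongs to a known contact but the address does not match.
    expected = KNOWN_CONTACTS.get(_normalise_name(display))
    if expected and addr != expected:
        indicators.append("address-mismatch")

    # 2. Sender is a free webmail address (the Gmail account in the article).
    if domain in FREEMAIL_DOMAINS:
        indicators.append("freemail-sender")

    # 3. Replies are silently routed somewhere other than the visible sender.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if reply_addr.lower() != addr:
            indicators.append("reply-to-mismatch")

    # 4. The message asks for payment to new or alternative bank details.
    if any(re.search(p, body, re.IGNORECASE | re.DOTALL) for p in BANK_CHANGE_PATTERNS):
        indicators.append("bank-detail-change")

    return indicators


def verdict(indicators: list[str]) -> str:
    # A bank-detail change is held for phone verification even when the sender
    # checks out, because the adviser's own mailbox may be the compromised one.
    if "bank-detail-change" in indicators or len(indicators) >= 2:
        return "HOLD: confirm by phone on a number obtained independently"
    if indicators:
        return "REVIEW"
    return "OK"


# Constructed sample messages (not the actual e-mails from the case).
SAMPLES = {
    "genuine": ("Nando Menin <nando.menin@bayunion.example>", "",
                "Attached are the application forms. The provider's banking details are as previously supplied."),
    "freemail_impostor": ("Nando Menin <nando.menin.bayunion@gmail.com>", "",
                          "Please note we have changed banking details. Kindly transfer the funds into the local bank account below."),
    "reply_to_hijack": ("Nando Menin <nando.menin@bayunion.example>", "Nando Menin <nm.bayunion@gmail.com>",
                        "Please use the alternative banking details attached."),
}


def triage_samples() -> dict[str, tuple[list[str], str]]:
    return {name: (analyse_message(*msg), verdict(analyse_message(*msg))) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (inds, v) in triage_samples().items():
        print(f"{name:18} {v:58} {inds}")
```

The point of the `verdict` rule is the one the article makes about the adviser's side being hacked: a request to change bank details is held for out-of-band confirmation regardless of how genuine the sender looks, and the confirmation call goes to a number the recipient already holds, never to one given in the suspect e-mail.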

'Watering holes' attract predators

Cybercriminals compromise "watering holes", usually law firms, financial services providers and other organisations with clients who engage with them in large financial transactions, digital forensic expert Jason Jordaan says.

When the criminals become aware of a big transaction, they "insert themselves" into the transaction to divert payments.

"The organisations that are compromised usually defend themselves by simply stating that the victims were negligent because they didn't check the e-mail addresses that they responded to."

Jordaan says this approach is problematic because the e-mails the fraudsters send to victims are so specific in the information they contain that no reasonable person would suspect they were not legitimate, even if they were to notice that the e-mail came from a different address. If the organisation had not been compromised, the perpetrators would not have had enough information to convince the victim that the e-mails were legitimate, he says.

Organisations often "simply pass the buck and say the victims must have been compromised. Most victims never think about having a proper digital forensics analysis done to prove or refute that."

When Tonkinson realised she had been swindled, she had Jordaan examine her computer to establish whether the breach was on her side. He found no sign of compromise on her computer. Meanwhile, Bay Union engaged its own forensic experts to investigate, and no breach of Bay Union's systems was found.

When Bay Union asked Tonkinson to make her computer available for inspection by their experts, her lawyer, Mark Heyink, informed them that Tonkinson had already had her computer forensically investigated.

He offered her computer and her forensic expert's report on the basis that the report commissioned by Bay Union be made available to Tonkinson.

After many letters and phone calls from Heyink to Bay Union, its insurer, iTOO, offered Tonkinson the report on condition she waive all her rights against Bay Union. When she refused, iTOO released the report on a "without prejudice" basis, meaning Tonkinson cannot use the report in legal proceedings against Bay Union.

The report reveals - despite claims by Bay Union and its insurers that Bay Union's "systems" had not been breached - that the forensic analysis was of one laptop only.

Menin told Money that in addition to an investigation of his computer, a review of his e-mail logs was performed. Since there was no evidence that the breach was from his computer, an analysis of all computers and network infrastructure "wasn't necessary".

Jordaan says when cybercriminals compromise an organisation they will compromise multiple devices, one of which could have been the nexus for the interception of the data. "In this instance, Menin was not the only person within Bay Union that had knowledge of the transaction, so there are other computers that could potentially have been compromised. Significantly, no analysis was done of the server and mail infrastructure within Bay Union that could very well be compromised."

Jordaan says the report prepared for Bay Union states simply that they "scanned for malware", but provides no detail as to how this was done. He says the report also states that they could not find any malicious software. But there are many ways to compromise a system without using malware.

Menin says Jordaan had reviewed an "interim report". Bay Union's forensic experts recommended "a phased approach", he adds. "When no breach was found on my computer, the next step would be to conduct an investigation on Ms Tonkinson's computer, before considering the wider expansion of the investigation. Access was requested to Ms Tonkinson's computer and M-Web webmail access," he says.

Tonkinson's offer to make her computer available has been on the table since November, says Heyink. He has asked only that Bay Union's forensic experts sign a confidentiality agreement - their own or one drafted by him - owing to the sensitive nature of Tonkinson's work. But Bay Union has yet to take up this offer.

As for the stipulations made before Bay Union would share the report, Menin says: "As per discussions with our insurers, reports are generally not provided from a legal point of view. However, given the relationship between Bay Union and Ms Tonkinson, and in order to show our willingness to assist, it was agreed to share the report on this basis." Bay Union's insurers have proposed that investigators from both sides meet to discuss the investigation.

A claim under FAIS for advice-related fraud?

If you were to be defrauded in the same way as Felicity Tonkinson, you may be able to complain to the Office of the Ombud for Financial Services Providers, also known as the FAIS Ombud.

The Financial Advisory and Intermediaries Services Act is the law governing the rendering of financial services and advice.

The FAIS Ombud adjudicates on complaints relating to a financial service rendered by an FSP, including a representative, where it is alleged that the FSP has contravened the Act or carried out a financial service causing financial prejudice or damage to a customer or treated a customer unfairly.

Loraine van Deventer, a legal adviser for the Financial Sector Conduct Authority, says for Tonkinson to have a valid complaint to the FAIS Ombud she needs to show that the information used by the fraudsters was obtained from Bay Union and that Bay Union failed to take reasonable steps to eliminate the risks to her as a client, or, that Bay Union failed to act with "due skill, care and diligence".

Van Deventer says the General Code of Conduct [under FAIS] requires an FSP to have systems and procedures in place to safeguard the security, integrity and confidentiality of information, and it will be a factual question whether Bay Union's procedures were effective and adequate.