On-Line Scams
Part of the Solution Blocked by Government Inaction
The Police have virtually conceded defeat in the battle against international scam crimes. In a report in the NZ Herald for 18 July 2023 it stated that investigators have all but shelved attempts to solve international scam crimes due to complexities in identifying offshore offenders and their use of “money mules” to mask the trail of stolen cash.
Detective Inspector Chris Barry who is in charge of Auckland City CIB investigations and the police district’s 19-man financial crime unit acknowledged that scams were becoming more innovative and victims were suffering financial harm but it was nearly impossible for police to trace funds sent offshore or identify the criminal masterminds due to their remote locations and ability to hide identities online.
Rather than trying to bring the international criminal to justice, police were concentrating on identifying local people who helped facilitate the crimes through the use of domestic bank accounts, and educating the public to raise awareness about scams.
The Police place some of the responsibility on banks, suggesting that it was up to banks to track stolen money overseas and to invest in security systems to detect suspect transactions and stop New Zealand money being siphoned offshore. Calls have gone out for banks to do more to protect customers and to provide some sort of refund facility when victims have been defrauded by scams.
The Police explanation points to a number of investigative difficulties for online scam offending. They seem to be as follows:
1. Identifying the scammers who, Police say, hide behind the cloak of anonymity
2. Tracking the money trail through numerous accounts – basically money laundering
3. The location of offenders and difficulties in identifying them – a variant of problem 1 above.
DI Barry acknowledged that co-operation with international agencies was easy in theory but because scammers operated out of countries like Russia and Nigeria “it would be very difficult if not impossible for us to send a team over there to try and track down people. Given how many offenders are out there, us trying to police other countries would be a massive drain on our resources.”
There was rarely intelligence such as the names of offshore scammers or an identifiable bank account but on the local front police rigorously pursued domestic fraud cases and were having success targeting local mules whose accounts were used to move money abroad.
Many scams involve the co-operation of a bank account holder here in New Zealand. The scammer sets up the sting but needs to have a local account where the mark may deposit the money. The account holder will have been approached by the scammer and will have been offered a fee for the use of the account. This person is the “money mule”. The money mule gives the scammer access details to the account so that when the funds are deposited the scammer can transfer them offshore. If apprehended the “money mule” can face money laundering charges.
Tracking down the “money mule” isn’t that difficult but pursuing the scammer can be more complex. In addition the “money mule” business model isn’t the only way that scammers work. Recently an investor was “scammed” of a significant sum of money which was sent by way of foreign exchange transfer to an offshore account. The victim was warned by his bank that this was a possible scam and the bank would not facilitate the transfer. The victim went elsewhere.
In the Herald article anti-cybercrime consultant Bronwyn Groot explained that it was vital to take the fight to scammers to demonstrate that New Zealand was not an easy target. She recounted a case where the Police said they could do nothing but she obtained details of the money transfers and has reported the matter to the FBI. Homeland Security investigators have now identified the offshore mules and taken on the case.
Ms Groot also helped an elderly couple recover nearly $1m in a share trading scam by engaging a Hong Kong lawyer and taking civil proceedings against Hong Kong businesses, culminating in a repayment order.
The activities of Ms Groot make it clear that something can be done. The problem is that the solutions are of some complexity and, as was the case with the Hong Kong scam, involve spending money to recover money.
The Police have a problem. Cybercrime investigations are not adequately resourced. Dealing with crime in the Digital Paradigm can be difficult and requires a different mindset from that involved in the investigation of kinetic crime or fraud that is locally based. It is much easier to follow the money or the paper trail when it hasn’t gone offshore, or the emails and digital material is still locally available.
Two issues are usually raised in the discussion about dealing with cybercrime. The first is that of jurisdiction. The second deals with international co-operation.
The issue of jurisdiction is not that difficult. There are provisions in the law that deal with extraterritorial criminal activity – for that is what off-shore online scamming actually is. How can you sheet liability home against an offshore scammer.
The transmission of information via the internet, and the ability to use it to access other computers or communications devices and execute commands, is inherently multi-jurisdictional. Because of the distributed nature of the internet, it is possible for commands or information to be routed to an offshore server before returning to a destination server within the jurisdiction. Information and commands cross existing geographical and political borders without regard for jurisdiction and, by virtue of the technology e-crime will, in many cases, be multi-jurisdictional in nature.
The principle that a person, who, outside of a country, wilfully puts in motion a force to take effect in another place is answerable at the place where the evil is done, is recognised in the criminal jurisdiction jurisprudence of all countries. Thus, a country may assert jurisdiction relating to an activity that occurs extraterritorially when the intent of the activities was to have a substantial effect within the state’s territory.
Section 6 of the Crimes Act 1961 states the general rule governing criminal jurisdiction in New Zealand. Nothing done or omitted outside of New Zealand can be tried as an offence in New Zealand. This is based upon the common law principle that statutes are not to be construed as giving extra-territorial jurisdiction unless there are clear words to that effect. Crime is local in nature. The jurisdiction over crime belongs to the country where the crime is committed.
However, s 7 of the Crimes Act 1961 provides a measure of extraterritoriality. Where any act or omission which forms a part of an offence or any event which is necessary for the completion of the offence occurs in New Zealand, the offence shall be deemed to have been committed in New Zealand whether the person charged with the offence was in New Zealand or not at the time of the act, omission or event.
The act or omission in s 7 refers to those which together comprise the actus reus of the offence. The event refers to any occurrence necessary to complete the offence. Not every offence or crime requires both an act-forming part and an event necessary to completion.
Thus the actions of persuading the mark to transfer money, the action of transferring money, the actions of the “money mule” are all necessary elements that make up the criminal behaviour. And because they take place locally, section 7 of the Crimes Act grounds jurisdiction in New Zealand.
Much of the mythology of the internet has developed as a result of concepts such as “cyberspace” or “virtual reality”. One of these “myths” is the myth of anonymity. Although users may operate behind Internet Protocol numbers (which are geographically based) or Virtual Private Network devices (which can be detected) no one is completely anonymous online.
The result of this and other “cyberspace myths” is that those who are technologically naive have a tendency to approach the internet and its environment with a sense of dislocation. However, the fact that this is a new technology does not automatically mean that existing rules are inapplicable.
Jurisdiction depends upon the ability of the state to exercise control over a particular area. In some respects the internet, with the free transborder communication of information on which people order their affairs, creates problems. The rules relating to jurisdiction and conflicts of laws are broad and, at best, principles that offer general guidance.
The other issue about dealing with cybercrime involves international co-operation and it is this area that the Government has been sadly lacking. Faced with weekly accounts of online scams, the Government has had an opportunity for three years to complete the formalities necessary to accede to the 2001 Budapest Convention of Cybercrime.
The 2001 Budapest Convention on Cybercrime (the full title Council of Europe Convention on Cybercrime) was the international community’s most significant step to regulate the internet. It established parameters that member nations may use to communicate between one another when prosecuting cybercriminals. There are 69 member states and a number of others, including New Zealand, have been invited to accede.
The convention does not define cybercrime, although numerous forms of a criminal activity are prohibited. Cyberterrorist activities can fit within many of the prohibited cybercrimes listed in the convention and deal with illegal access and tampering of computer systems. By its very nature, cyberterrorism can entail actions such as these.
The Budapest Convention sets out a consistent international framework for defining computer crimes, for enabling lawful access to evidence, and for placing expectations on relevant international agencies to assist each other. The Convention aligns member countries’ laws covering acts that are considered computer crimes, and the powers that can be used to secure electronic evidence of serious crimes. This makes it easier for countries to cooperate on criminal investigations on cybercrime and wider crimes involving electronic evidence.
The Convention sets out basic policies, and it is up to each country to determine for itself how to implement them to enable an effective response in the context of its own constitutional arrangements, privacy settings and security policies.
The Convention requires member countries to have domestic laws that protect human rights and liberties, and to have judicial or other independent supervision over the use of procedures and powers.
Cooperation on specific investigations takes place through the long-established system of mutual legal assistance, using the aligned powers and procedures set out in the Budapest Convention. Member countries commit to cooperating to the widest extent possible on investigations, and to providing a 24/7 point of contact for urgent cooperation requests.
The types of offending covered by the Convention are:
- pure cybercrime: a criminal act committed through the use of information and communication technologies or the internet, where the computer or network is the target of the offence. An example of pure cybercrime is deploying malicious software like a virus; and
- cyber-enabled crime: any criminal act that could be committed without technology or the internet, but is assisted, facilitated or escalated in scale by the use of technology. This includes a range of serious and organised crime, such as cyber enabled fraud, the distribution of child exploitation material, and terrorism.
It took long enough for New Zealand to sign up to this Convention. New Zealand finally signed the Convention in 2021. It was announced on 18 February 2021 that New Zealand would become a signatory but it took a recommendation from the Royal Commission of Inquiry into the Christchurch terror attack to prompt accession to the Convention.
This followed a Cabinet Paper and Minutes dated 3 June 2020 prepared for release by the then Minister of Broadcasting and the then Minister of Justice seeking approval to accede to the Budapest Convention
Public consultation on acceding to the Budapest Convention took place in 2020 with a focus on Māori, telecommunications companies, and civil society groups. This was to ensure that the Government had an informed view of the implications of New Zealand joining the Convention.
In 2021 it was announced by Mr Kris Faafoi, Minister for Justice, that “we have made a number of changes to the policy proposals, and we are looking at ways that Māori can have an ongoing oversight role in the implementation of and participation in the Budapest Convention.”
The process thereafter was that The Convention would be submitted to the House of Representatives for Parliamentary Treaty Examination before a bill is introduced to amend New Zealand legislation to meet the requirements of the Budapest Convention.
As matters stand at the moment – over two years later – no Bill has been introduced. In fact it seems that the process may have stalled.
The briefing to the Incoming Minister for Digital Economy and Communications dated 31 January 2023 has a section on accession to the Budapest Convention. It observes in fact that New Zealand complies with most of the requirements of the Convention but in order to accede would need to adopt additional measures enabling law enforcement agencies to order preservation of computer data to support cooperation on international investigations.
The briefing document expected a Bill to be introduced to Parliament dealing with a data preservation regime along with several other procedural changes by April 2023. No such Bill has been introduced.
In addition officials are working to establish a mechanism for the government to engage with Māori stakeholders on the implications for Māori of acceding to the Budapest Convention, and to authentically integrate te ao Māori into the development of policy proposals for any other future cross-border data access agreements.
Ironically the current Minister who would have received this briefing (or something like it) Ginny Anderson is not only the Minister for the Digital Economy and Communications but is also the Minister for Police.
Acceding to the Budapest Convention will not be the silver bullet that will immediately stop online scamming. But what it will do is provide another investigative weapon for the Police to deploy in detecting cybercriminals, prosecuting them and hopefully obtaining some redress for victims.
Sitting back and doing nothing because it is “too hard” is not good enough. The message that sends to off-shore cybercriminals is that New Zealand is a “happy hunting ground” where one can scam with impunity.
In fact what should happen is that the present Government – one known more for gestures and announcements rather than positive and meaningful action – should move swiftly to take the necessary legislative steps to accede to the Budapest Convention so that its advantages and processes can be effectively deployed in investigations.
The Police should beef up their investigative techniques and acquire the necessary expertise to properly and effectively investigate online scams. If this means employing former hackers – poachers turned gamekeepers – to assist in investigations, so be it. Aggressive use should be made of extradition processes so that the word goes out among the scammers that New Zealand is no longer a soft target.
It is frankly astonishing that although online scams have continued and increased, and although victims are losing millions of dollars to scammers, the Government seems to have sat on its hands in providing a tool to the Police in the form of the Budapest Convention. The Government in this area has failed to do its duty to ensure that citizens are protected.