Nigel's Eyes

20231210 Indonesian banks must be careful to avoid complicity in widespread fraud.

It was early in the evening on a Sunday but the support desk replied to Telegram messages instantly.

"Real businesses don't do that," I said to the woman sitting across from me at a dinner party in Jakarta. "You've lost your money."

It had, she told me, all started with a post she saw on Instagram, owned by Facebook.

The pitch made some kind of sense to her and it did not promise outrageous returns. It didn't even ask for a large "investment."

In effect it said that the company pooled everyone's money and took out short-term contracts on commodities, with a settlement date in three days. So no money was tied up long term. The deal was simple - the company invested the deposits and shared the profits equally.

That didn't seem like a terrible idea so the woman said she would invest IDR1 million. She admits to not being a sophisticated investor but as that amount is worth only about USD50, she decided it was worth a punt.

The money was transferred from her account with an Indonesian bank to an account in the name of the purported investment company also with an Indonesian bank.

"Let me guess," I said. "You sent a million and the very next thing they did was thank you but say there's a problem and they need at least two million so would you please send at least one million more straight away."

That was exactly what had happened. She declined, saying that she wanted to see results before sending more money. The disgruntled response was to say that the company would see if another investor would let her piggy back on that other investor's activity.

Over the next two months, the woman, who I will not name, received a steady diet of good news stories through Telegram showing images purporting to be confirmation of payouts to various people and some hilariously bad images of e.g. a hand holding a pile of IDR100,000 notes. They were bad because the notes and the hand, or an ATM, were different resolutions.

Yet at no point did the woman receive a statement showing her current balance.

"Show me the money"

So, "look, I'll prove your money is gone," I said. "Send a message saying 'Can I have a statement of my current balance, please?' - and you will either get a statement, which will be evidence, or more likely you'll get an excuse as to why you can't have one."

It was the latter: no statement could be produced because her investment was currently in a contract which would mature in two days and then its value would be known.

"How much was my investment before you rolled it into the current contract?"

The reply was predictable but not expected: the money is bundled with that of another investor. If she wants her own investment account, she should send an additional one million as she had been told in the previous e-mail.

"You agreed to accept one million then you told me I would need to increase it. Well, that wasn't the deal."

Again, the excuse that the money is bundled with another investor's and she will have to wait.

"I would like you to refund my money, please."

That, apparently, is not possible because the money is in a contract.

So, a little jiggery pokery from our end: "Look, this isn't complicated. You have pooled my money and you have put some of the pool in an investment. But you still have the pool so you can repay me from that. Give me my money back now."

There was no reply. A system message from Telegram said that the other account holder had "set all messages to auto-delete after one day" but they disappeared immediately and another system message said "no messages here." And the woman was removed from the user group but not before I spotted that it had thousands of members. The messages disappeared from her phone so the history is no longer available to her. But I had read enough.

"I hate to say I told you so," I told the woman. "It's OK: my daughter told me to be careful and not give them any more money no matter what they said."

More reasons to be suspicious

Suspicions were further raised by looking up the company through Google. Here's what it says about its office hours:

Wednesday 9 am–6 pm
Thursday 9 am–6 pm
Friday 9 am–6 pm
Saturday Closed
Sunday Closed
Monday 9 am–6 pm
Tuesday 9 am–6 pm

That is what we would expect and yet, the instant responses kept on coming in the evening on a Sunday.

So, given that everything points to a fraud, what comes next goes beyond the obvious.

Facebook, Instagram and Telegram are to blame

Again, the fraud began with a post on Instagram, owned by Facebook. The fraud is two Telegram groups, ADM INDODAX and ADMIN PT INDODAX Indonesia, both of which use bastardised versions of logos from Indodax's legitimate webpage.

IndoDax began life as "Bitcoin Indonesia" in 2014 and changed its name to "Indodax" which means "Indonesia Digital Asset Exchange." The company's actual name is "PT Indodax Nasional Indonesia".

The company's founders are still at the helm and it says it has 5 million members. This does not look like a business that is willing to defraud people of the equivalent of fifty pounds.

But someone is.

Follow the money

Obviously, I can't start digging around in bank accounts or even the accounts of a crypto-exchange in Indonesia. But I do have something. The payment was made from an account with a mainstream bank via the instant payment system Espay. Espay is a real thing. It's a Payment Gateway Provider Company that has been authorised by Bank Indonesia for five years. Basically, it's a fast payments system that is popular because bank to bank transfers are slow. In this scheme, it is simply a conduit but it knows a lot about its users.

To register as a business, the information required is extensive and although a low-document account is opened immediately, and the account activated, it will not be "live" until the Know Your Customer information has been looked at by an administrator.

The information required includes: Company Establishment Deed, Business Licence, Certificate of Company Registration, Minister of Law and Human Rights Decree, authorised representative ID Card, Company Domicile Certificate, Company Tax ID Number, Business Profile. So it's pretty comprehensive, especially given that money must come from and go to a bank account on which similar KYC has previously been performed.

We know that the money was sent from Bank Mandiri to an account in the name TMONEY PT INDODAX.

We don't know what happened to it after that.

But we can hazard a guess.

The account number is not with a mainstream bank. It's with Indodax and it's a virtual bank account number. It's the kind of account that is often known as a pass-through account, a payable account, a stakeholders' account or even clients' or trust account with a lawyer. The bank which stands behind the account sees the money and details of where the IDR comes from and goes to but it does not know which customer of the account holder the transfers relate to.

Now, guessing again. Why would anyone use such an account as a quasi bank account?

Well, not long ago that would have been a question with a foregone conclusion but since the advent of e-wallets, the answer is that many businesses - and individuals - use the wallets because of ease of use. I know: I have one and it's used for payments and occasional - small - receipts. And when I say "small" it's still a lot more than the equivalent of GBP50.

Why, though, in an account with a crypto exchange?

That answer is simple: first, the crypto exchange is legitimate. Secondly, the account name does not relate to the fraudulent use of the crypto exchange. Third, the fraudster is able to use a security measure to his advantage. When the account number is entered into the transfer system, it looks up the name on the account and displays it, along with the name of the bank - except that in this case it's not a bank, it's the provider of the wallet. The payer looks at it, sees what seems to be the name on the fraudulent Telegram account, knows that IndoDAX is a reputable company and says "ok."

Again, we have to speculate: once it's in the account in IndoDAX, the fraudster can transfer, without questions being asked, the money to a related crypto-wallet and from there one more step - send it to a wallet hosted somewhere other than IndoDAX and, for all practical purposes, given the amount involved, it's gone.

Exploited

There are very few holes in this system. On the face of it, there may (I emphasise "may") have been a lacuna that allowed the fraudster to create and use Espay without full approval. There may have been insufficient KYC and monitoring at IndoDAX but the reality is that FinTechs have been allowed something of a generous interpretation of the requirements that banks have to meet. They have, in particular, the right to operate pass-through accounts even in jurisdictions where such accounts are, for the most part, illegal.

Again, on the face of it, the mainstream banks do not see information that might raise suspicions.

The real culprits

The only place where there is sufficient information to identify and demonstrate suspicion is outside the financial sector: it's the social media companies that have the technology but not the will to prevent this and many other types of fraud that rely on social engineering and grooming.

These have become unfashionable terms as an ever more facile and superficial world becomes excited over a new buzzword: pig butchering.

That's a term that is offensive in so many ways and, worse, does not describe an offence but only part of the modus operandi.

Facebook / Instagram is a popular place for such advertising (as, incidentally, is Google Ads, as shown on Android TV ads). They all claim to have the technology necessary to identify, say, extremism but they choose not to deploy it to detect fraud.

But the most culpable here is Telegram with no controls and no record keeping plus the provision of the kind of tools that allow fraudsters to set up using a free and completely anonymous mobile phone number for verification of an account which is always intended to be disposable. I just did it: 62853555291 is an Indonesian number. It took less than a second. But often such numbers go offline. For the swindler, this does not matter because Telegram etc. won't reverify for long enough for the fraud to work.