Need to know
- The multimillion-dollar swindle started with a scam ad on Google for investment opportunities with ‘St George Capital’
- The scammers directed the victims to transfer money to accounts they controlled at Westpac, ANZ, Commonwealth Bank, and Bendigo Bank
- Taking a 'blame the victim' stance, none of the eight banks involved have agreed to reimburse their share of the millions lost
Four months after it became clear they had been scammed, Kim Sawyer and his wife are still trying to find out the names on the accounts they sent about $2.5 million to.
Each large deposit was ultimately transferred somewhere else by the scammers or their accomplices – probably overseas – and now looks to be gone for good.
The banks that held the accounts have declined to provide the information, citing privacy restrictions.
The Sawyers currently have no idea who they sent their money to. They made the transfers using account and BSB numbers only.
How the scam worked
This multimillion-dollar swindle started with a scam ad on Google for investment opportunities with 'St George Capital', a legitimate arm of the bank bearing the familiar dragon logo of St.George Bank. (Once the scam was discovered, the St George Capital domain was taken down and the name changed to St. George Private.)
Kim and his wife clicked on the Google ad, left a contact number, and received a phone call from a man with a British accent.
He cultivated a relationship with the couple over a series of calls between July and September 2023, during which time the Sawyers made 26 transfers into accounts controlled by the scammers, many of them in the amount of $100,000.
The con artist was engaging and friendly and used the name of a real St.George Bank employee.
"He always said, you know, have a good weekend or have a good night," Kim says. "He mentioned that his wife was pregnant. We believed that we were dealing with St.George Bank."
Not a get-rich-quick offer
The scammers directed the Sawyers to transfer money to accounts at Westpac, ANZ, Commonwealth Bank, and Bendigo Bank. They thought it was going into term deposits under their name.
Scammers are becoming increasingly sophisticated at impersonating bank employees.
It's possible that the scammers used "mule accounts" to transfer the money, a technique that involves using the legitimate bank account of someone not directly connected to the scam, known as a money mule, and paying them a percentage of the proceeds.
The investment opportunities didn't seem far-fetched.
The promise was preservation of capital, protection from the ups and downs of the share markets and a guaranteed return of up to 6.5%.
Later, the Sawyers were persuaded to send money to invest in so-called Commonwealth Bank corporate bonds paying a 9% rate of return. The bonds they received by email, for which they paid over $1 million, were fake.
It was all meant to be a safer way to invest money from their pension fund, with the smooth talking scammer leading them along with phone calls and other players with fake St.George Bank email addresses (such as email@example.com or firstname.lastname@example.org) sending through confirmations of the money transfers.
Everything looked legitimate as far as the Sawyers were concerned.
In retrospect, there were signs that something might not be right. For instance, emails to one of the generic St.George addresses bounced back on several occasions, and login details for the "online client portal" sent by the scammer – where the Sawyers could supposedly track their investments – continued to fail.
The friendly tone of the back-and-forth emails between the Sawyers and the scammers as the huge money transfers were arranged is chilling, and the realisation that they were communicating with criminals has left the couple deeply traumatised.
Response from the banks 'just terrible'
As shocking as the scam was, the response by the banks only made matters worse, Kim says.
The Sawyers authorised money to be sent to the scammers' accounts from three banks – AMP, Citibank, and Macquarie Bank.
Three months after they started sending money, they were contacted by Macquarie Bank and informed that their money was in the hands of a scammer. Macquarie was the only bank to contact the Sawyers, far too late to prevent their losses. The bank has refused to reimburse any of the funds, which total $850,000.
In an attempt to track down their stolen money, the Sawyers requested the names of the accounts controlled by the scammers at the receiving banks – Westpac, ANZ, Commonwealth Bank, and Bendigo Bank.
Bendigo Bank's unhelpful response was typical: "All funds have been withdrawn. We are unable to return the funds and close our file."
"The scam was bad enough, but the response from the banks has just been terrible," Kim says. "They wanted to write off the victims as quickly as possible. We don't count and we have all the liability, which I think is very cruel."
Account name matching sorely absent
At the time, there was no "confirmation of payee" system in place with any of the three banks involved in transferring money to the scammers, though the banking industry has since committed to establishing one over the next couple of years.
Such a system matches account and BSB numbers with account names to make sure a bank customer's money is going where they think it's going.
An initial check that the five account and BSB numbers provided by the scammers were for accounts with the Sawyers' name on them would likely have stopped the scam in its tracks, but no such checks took place.
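The name-matching check described above, as an added example (not any bank's or scheme's actual implementation): the directory, BSBs, account numbers and the second account name are constructed, and the 0.8 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher

# Constructed directory standing in for the receiving bank's records:
# (BSB, account number) -> registered account name. All values are made up.
ACCOUNT_DIRECTORY = {
    ("000-001", "12345678"): "Kim Sawyer",
    ("000-002", "87654321"): "J Example Trading Pty Ltd",  # constructed third party
}

# Titles and company suffixes that should not affect a name comparison.
_NOISE = {"mr", "mrs", "ms", "dr", "pty", "ltd", "the"}


def normalise_name(name):
    """Lower-case, strip punctuation and noise words, and ignore word order."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower().replace("&", " and "))
    return " ".join(sorted(t for t in cleaned.split() if t not in _NOISE))


def normalise_bsb(bsb):
    """Accept '000001', '000-001' or '000 001'; return the 'NNN-NNN' form."""
    digits = re.sub(r"\D", "", bsb)
    if len(digits) != 6:
        raise ValueError("a BSB has exactly six digits")
    return f"{digits[:3]}-{digits[3:]}"


def confirm_payee(bsb, account, entered_name, close_threshold=0.8):
    """Compare the name the payer typed with the name registered on the account.

    Returns 'match', 'close_match', 'no_match' or 'unknown_account'. The
    registered name itself is never returned, so the check does not disclose
    who holds the account.
    """
    key = (normalise_bsb(bsb), re.sub(r"\D", "", account))
    registered = ACCOUNT_DIRECTORY.get(key)
    if registered is None:
        return "unknown_account"
    entered, actual = normalise_name(entered_name), normalise_name(registered)
    if entered == actual:
        return "match"
    ratio = SequenceMatcher(None, entered, actual).ratio()
    return "close_match" if ratio >= close_threshold else "no_match"
```

A payer who believes the destination is a term deposit in their own name would enter that name; against an account registered to someone else the result is `no_match`, which is the point at which the sending bank can warn or hold the payment.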
A Macquarie Bank spokesperson told us "we're not able to comment on individual customer matters for confidentiality reasons" but confirmed that the bank doesn't match account names and numbers, though it does alert customers about the danger of scams when money is sent to a new recipient.
AMP and Citibank didn't respond to our inquiries regarding confirmation of payee checks.
The Sawyers ended up sending approximately $2.5 million from three source banks to four accounts controlled by the scammers at major Australian banks.
Better scam protections overseas
Despite his requests, none of the banks involved have agreed to reimburse their share of the millions lost.
For Sawyer, it's yet more evidence of the banks' "blame the victim" mentality.
In recent years, support for scam victims has greatly improved in other jurisdictions, particularly the UK. On the back of recent banking reforms there, the five banks that reimbursed the most to scam victims reimbursed from 63% up to 91% of total losses.
A report by the Australian Securities and Investments Commission (ASIC) released in April last year found scam reimbursement rates by Australian banks were pitifully low by comparison, with 96% of scam losses borne by scam victims and banks reimbursing an average of just 2–5% of their customers.
Notably absent from the Australian banking industry's recent commitment to establishing a confirmation of payee system is any commitment to reimburse scam victims.
Sawyer hopes going public with his case will help push lawmakers and regulators to enact reforms to better protect bank customers from scams, reforms that would put the liability on banks rather than victims.
What the banks say
A St.George Bank spokesperson tells CHOICE the bank took appropriate steps when it learned a scammer was posing as an employee.
"We posted warnings on our website and on social media, including images of the scam materials, and had the domain name [St. George Capital] removed."
The bank says it works "proactively" with other financial institutions to stop scams through the Australian Financial Crime Exchange, the Australian Banking Association's Scam-Safe Accord, as well as working with other authorities and regulators.
An ANZ spokesperson told us "the ways in which cyber-criminals are scamming and defrauding customers is constantly evolving" but the bank "is focused on keeping customers safe".
ANZ says it's using AI and machine learning to identify potential mule accounts and has detected nearly 1400 high-risk accounts since April 2023.
A Bendigo Bank spokesperson suggested that mule accounts were probably used in the scam, saying "some money mules know they are assisting with criminal activity; others are unaware that their actions are helping to move the proceeds of crime".
Bendigo says it has recently doubled the size of its fraud prevention and response team and stopped $38.6 million in fraudulent transactions, around $105,000 per day, in the last financial year.
Commonwealth Bank told us that when accounts are suspected of being involved in mule activity the bank will take steps to protect any money remaining and return it to the sending bank, though this hasn't happened in the Sawyers' case.
"Due to privacy reasons, CBA cannot disclose a customer's account information to another customer or third parties. CBA is however permitted to share information with relevant authorities to assist with their investigations," the spokesperson says.
CBA spent $750 million to combat scams in financial year 2022–23 and prevented the loss of, or recovered, more than $200 million for customers, according to the bank.
Westpac opted not to answer our questions about how the scammers moved money through the bank and why it didn't trigger alarms.
'They won't accept liability for their failure'
One thing keeps coming back to Kim Sawyer. Both the scammers and the banks knew something that the Sawyers didn't: bank transfers could be made with just an account and BSB number.
Only the banks were in a position to know the name of the accounts the money was being transferred to, and whether the transfers looked legitimate.
"The point is that the banks had that information, and if they would have only shared it with us, we would have known it was a scam," Sawyer says. "They won't accept the liability for their failure to protect us from that loophole."
Kim Sawyer has lodged a complaint with the Australian Financial Complaints Authority (AFCA), but with no laws in place requiring banks to prevent scams and reimburse customers, he's not sure the outcome will be of much help.
AFCA took on 8987 complaints related to scams in 2023, up 95% from 2022.