Scammers have conned the Canadian Imperial Bank of Commerce (CIBC) Caribbean’s T&T operations of millions of dollars, police confirmed yesterday.
Police revealed that in June, the managing director of CIBC Caribbean reported that he was authorised to transfer $14,811,094.06 from the bank’s suspense processing account to other external accounts.
A suspense processing account is described as a temporary holding area for cash that cannot be classified or properly understood by a bank’s accounting system.
The managing director reportedly received authorisation from the bank’s CEO via WhatsApp and emails, prompting him to fulfil the transactions. However, further enquiries—after the transaction was completed—later revealed that the CEO was unaware of the transactions.
A report was made to officers of the T&T Police Service’s Fraud Squad, who later found there were 19 transactions to accounts in Hong Kong, Singapore and Bulgaria.
Sources further disclosed that several of the accounts were eventually closed and money returned to the bank. However, up to yesterday, an estimated $9.4 million remained unaccounted for.
Guardian Media emailed questions to CIBC, through their public relations agency, yesterday, but they said they were “not prepared to comment” on the matter.
The questions sought to verify the incident, whether any officials were suspended following the reported fraud, the amount of money still unaccounted for, the company’s response and whether they would be introducing additional security mechanisms following the incident.
Police investigators yesterday said while the matter is still being probed, it was possible the fraudsters may have used an elaborate phishing scam to get personal information and details to carry out the scheme.
One officer warned that such scamming techniques were becoming more prevalent against financial institutions.
Phishing is a practice used by fraudsters, whereby they pretend to be reputable individuals or organisations to get people to produce personal information like passwords, bank account numbers or other sensitive data that can be used to access money.
Contacted for comment on how such scams work yesterday, Checkpoint Software Technologies security engineer and advisor Travais Sookoo said there has been a gradual increase in the number of cyberattacks in the Caribbean since 2020 and partly attributed this uptick to the development of AI tools. He said while scams like ransomware and phishing usually took weeks and sometimes months to execute, the use of AI has increased cyberattackers’ efficiency.
“With the use of AI, it takes about 15 minutes to create a stream of ransomware. For someone to do phishing before, they would have to go and learn, look at the social media profiles on different platforms, correlate that data and build a message targeted to that end user. With AI that cuts it down significantly,” Sookoo said.
“AI can cut it down significantly and do analysis on a person within minutes, so it’s not going away and it will be even more targeted.”
He warned that the key element to phishing in particular was to get the would-be victim to lower their guard and click on links by tricking them into believing they were legitimate representatives of a specific institution.
He said while AI has been used by criminals for scams, it can also be used by companies like his own to develop defences and strengthen networks.
But as scammers continue to grow and adapt to new defences, Sookoo said another valuable defence for companies would be to sharpen the skills of employees in recognising suspicious messages or potential tricks.
“It is hard, so the other thing would be to augment that with security tools that would help in detecting and remediating. In addition to that user awareness, they should do phishing stimulation exercises and this would not be at allocated or specific times but at random,” Sookoo said.