No one is safe from a well-crafted scam, not even the CIO, CEO or even the CISO.
The story of Wayne Johncock, former CIO of Centrica and MOSL, illustrates this well: a chance encounter turned into fraud and betrayal, costing him and his wife Nicky more than £400,000.
As part of October’s Cybersecurity Awareness Month, we’re featuring Wayne and Nicky’s story.
“The pitch seemed perfect,” he says. “A good Samaritan-like neighbor, a senior executive at Bank of America, wanted to invest in my dream and passion: an edtech startup called SuperLearning Series.”
Wayne met fraudster Rajesh Ghedia at a local Christmas party in 2018. At the time, he was looking for investors for SLS, and Ghedia promised that Bank of America would help him secure a private investment of up to £1.5m.
The best lies have a kernel of truth. Ghedia really did work for Bank of America. But rather than being head of EMEA derivatives trading as he claimed, he actually worked as an in-house project manager on the technology team. He even forged business cards and email footers from Bank of America’s servers to perpetuate the illusion.
“He spent a lot of time earning my trust and confidence. He convinced me to fully endorse my education app. He understands the benefits, how it can benefit the world, and he provided the paperwork showing that his bank fully supports and stands behind it.
“He had seen my website and asked me questions about it, so I knew at that point he was serious about it.”
Wayne and Ghedia met at least twice a month, sometimes with Ghedia’s 10-year-old son in attendance, to discuss plans for the SuperLearning Series, which would depend on the promised funding.
“I invested £180,000 into a personal wealth portfolio, which was the vehicle through which he deposited £1.5 million. He didn’t put any money in it, although it ended up showing up on forged bank statements. I put the money in, he stole it and it took me 15 months to expose him.”
Social Engineering Threat
Some criminals employ a spray-and-pray approach, maximizing their opportunities through quantity over quality, while others resort to spear phishing, carefully selecting and pursuing their targets to reap the bigger rewards.
Ghedia used a combination of these two methods with Wayne, the same way he had with his other victims, all of whom he knew personally, including his regular taxi driver, a parent from his children’s school, and even his own cousin.
“He cast the hook, I took a big bait there, and from then on he knew exactly which button to push.”
The worst thing about social engineering scams is that the victim is either too embarrassed or too involved (sunk cost fallacy) to admit they were wrong.
“I was his protector and supportive friend,” Wayne says, “and he totally guided me to where he needed to be.”
But something was bothering him, and Wayne, who has a background in technology, decided to do his due diligence.
“I wanted to make sure his employer knew full well what we were doing. I told them it had all to do with going through your email account, and I purposely included words and phrases that I knew would set off internal surveillance alerts.”
“All the information – bank details, investments, payment plans, how to deposit the money, how to spend it – was given in the email. They even asked me to show my passport to complete Know Your Customer (KYC).”
But Wayne’s suspicions were allayed when Bank of America failed to issue a warning.
“I never doubted that a company that spends billions of dollars on cybersecurity and technology and has the most secure, sophisticated, well-invested technology systems in the world would have their monitoring software detect this and make it visible. So as time went on, I became more and more convinced that it was real.”
At the same time, Ghedia was falsifying emails and statements, made to appear as if they came from bank executives who supported his actions.
Bank of America declined to comment when contacted about Wayne’s allegations.