Wednesday, April 2, 2014

Can You Spot The Fake SWIFT Transaction Document?


UPDATE (4/6/14): I've just updated this post with how I determined which SWIFT document was a fake. Scroll down to find the answer.
----------
We've been working our way through almost 1GB of documents that were part of the Russian Industrial Investment Fund leak last month by Russian Cyber Command (@Rucyborg on Twitter). Most of the documents have to do with business projects and project proposals by a wide variety of companies ranging from South African mining concerns to a shell company set up by a convicted former Romanian government official. It has been and continues to be a very interesting process of discovery and investigation. So much so that we'll be including some of the financial data, companies, and actors involved in our REDACT database as part of a financial intelligence offering.

I mentioned a South African mining project which was legitimate and one involving a former official of the Romanian government that was fraudulent. The only way that we could tell which was which was by closely examining the SWIFT transaction documents. It wasn't easy, especially since neither I nor my Russian researchers have a background in international money transfers. So I'm posting both documents for interested readers to look at and see if you can tell what's wrong. I've made it easy by telling you which is authentic and which is fraudulent. Feel free to post your ideas in the comments. I'll follow up in a few days with some guidelines on what to watch out for.

[Image: the fraudulent SWIFT document]
[Image: the authentic SWIFT document]
--------------------
UPDATE (4/6/14): Here's the process that I used (as a non-banker) to identify the fake SWIFT transaction purportedly sent by Softworks Corporation (HSBC) to Best Global Publishing Ltd (Barclay's Bank) in the amount of one billion Euro. 
  1. Confirm the names of the bank officers listed in the transaction. 
  2. Confirm the addresses of the banks that conducted the transaction. 
  3. Use a SWIFT guide to check the codes used.

The Receiver's bank officer is listed as "Mr. Murry" who works at Barclay's Bank, 1 Windborne Rd., Poole Dorset, UK. I searched online but couldn't find a Barclay's Bank employee named "Murry", although I did find a Jack Murray who worked for Barclay's bank as a foreign exchange trader until he was suspended in November 2013 for alleged rigging of the foreign exchange market. And while "Murray" isn't the same as "Murry", it could have just been a typo, right? 

So I tried to confirm the street address of Barclay's Bank where Mr. Murry supposedly worked. The address on the SWIFT form says 1 Windborne Rd in Poole Dorset, UK. When I looked it up online, the address of Barclay's Bank in Poole Dorset was on "Wimborne Road", not "Windborne Road". Another typo, I thought? So I called Barclay's headquarters just to make sure. There's no Barclay's Bank on 1 Windborne Rd, Poole Dorset, UK.

Would a cursory inspection have caught those two typos? Probably not. Even the Barclay's employee that I reached by phone first confirmed "Windborne" as correct until I asked her a second time to confirm Windborne with a "d" instead of Wimborne with a "b". Then she said, "Oh, sorry! There's no Barclay's bank on Windborne road, only Wimborne Rd."

Whoever came up with this scam was careful to use person and street names that were almost identical to the real ones. Ironically, the real Mr. Murray at Barclay's was suspended for alleged wrong-doing a year later but I have no idea if that person had anything to do with this SWIFT document or if it was just a coincidence. 

However, I wanted to find additional clues to establish that the document was a fake, so I checked an online copy of a Luxembourg bank's SWIFT user guide (.pdf) for 2013 and verified the line codes for an MT103 credit transaction. Notice on the above image for the HSBC SWIFT document that there's a bunch of text next to line 79? Not only is it out of order on the form, but according to the guide I found, MT103 forms only have line numbers as high as 72. The only document that has a line 79 is an MTn92 cancellation request. 
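The field-code check described above can be automated. The following is an added example, not code from the original post: it scans the text block of a purported MT103 and reports any field tag that does not belong to that message type or that appears out of sequence. The tag list and the sample message are assumptions constructed for this example.

```python
import re

# Assumption: MT103 field tags in their usual sequence, compiled for this
# example; confirm against the current SWIFT standard before relying on it.
MT103_ORDER = ["20", "13C", "23B", "23E", "26T", "32A", "33B", "36",
               "50", "51", "52", "53", "54", "55", "56", "57", "59",
               "70", "71A", "71F", "71G", "72", "77B"]
TAG_RE = re.compile(r"^:(\d{2})([A-Z]?):")

def normalize(number, letter):
    # Fields 50-59 take an option letter (50K, 59A, ...); elsewhere the
    # letter is part of the tag itself (23B, 71A, ...).
    return number if 50 <= int(number) <= 59 else number + letter

def check_mt103(text):
    """Return (issue, tag, line_number) findings for an MT103 text block."""
    findings, last_pos = [], -1
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TAG_RE.match(line.strip())
        if not m:
            continue  # continuation line of the previous field
        raw = m.group(1) + m.group(2)
        key = normalize(m.group(1), m.group(2))
        if key not in MT103_ORDER:
            findings.append(("not_an_mt103_field", raw, lineno))
            continue
        pos = MT103_ORDER.index(key)
        if pos < last_pos:
            findings.append(("out_of_order", raw, lineno))
        last_pos = max(last_pos, pos)
    return findings

# Constructed sample (not the leaked document): a field 79 sits in the
# middle of what claims to be an MT103.
SAMPLE = "\n".join([
    ":20:REF0001",
    ":23B:CRED",
    ":32A:140101EUR1000,00",
    ":50K:/12345678",
    "EXAMPLE SENDER LTD",
    ":79:FREE TEXT THAT BELONGS IN A CANCELLATION REQUEST",
    ":59:/87654321",
    "EXAMPLE RECEIVER LTD",
    ":71A:SHA",
])

if __name__ == "__main__":
    for finding in check_mt103(SAMPLE):
        print(finding)
```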

The above findings were intriguing enough to keep me digging and as it turns out both parties to the above fake transaction have questionable backgrounds, but those details as well as whether they have anything to do with the Russian Industrial Investment Fund will have to wait for a later post.
