Business Email Compromise Case: Victory for Timor-Leste’s Security Agencies, or Lesson Learned for Organised Criminals?

Business Email Compromise Case: Victory for Timor-Leste’s Security Agencies, or Lesson Learned for Organised Criminals? post thumbnail image

Photo: INTERPOL/PCIC

In late July, an unprecedented cross-border operation involving Timorese, Singaporean and international law enforcement agencies resulted in the recovery of more than US$40 million in funds stolen in a “Business Email Compromise” attack. Criminals operating from Timor-Leste used a fraudulent email address and bank account to trick a Singapore-based company into sending the money to them rather than to its legitimate business partner in Singapore. The fraud was discovered several days after the funds were transferred, when the two companies realised that the money had not arrived. They reported this to the Singapore authorities, who contacted INTERPOL, which then contacted authorities in Timor-Leste. The latter immediately launched the operation – codenamed “Operation NetClean 3M” – which successfully recovered the stolen money and apprehended several suspects.

The collaboration between Timor-Leste’s Scientific and Criminal Investigation Police (PCIC) and National Intelligence Service (SNI), Singapore’s Anti-Scam Centre (ASC) and INTERPOL demonstrates the importance of international cooperation in combating financial and cyber-crime. However, this incident also serves as a stark illustration of concerns that Fundasaun Mahein (FM) has raised for many years: Timor-Leste’s vulnerability to cyber-crime and the urgent need for strengthening domestic law enforcement capabilities to detect such activities and deter would-be criminals. Moreover, the case has revealed critical weaknesses in accountability systems which are supposed to prevent these kinds of criminal activities. FM has produced this article analysing the implications of the business email fraud case for Timor-Leste’s national security, and providing some recommendations for measures which the state can take to increase its capacity to combat financial and cyber-crimes.

Before discussing the broader implications of this case, FM would like to clarify some of the technical terms being discussed in the public related to this case. The crime has been described officially as a case of “Business Email Compromise”, whereby criminals gain access to a company’s private electronic communications and use the private information to convince other parties to send funds or share other valuable information. The compromise usually occurs through “phishing” attacks, which use fake email addresses or links to enable criminals to access sensitive information. Often, the victim shares such information with the criminals because they believe that they are communicating with a legitimate business partner; in other cases, the criminals gain access to the victims’ internal systems by installing malware on the latter’s computer, usually after the victim clicks on a fake link shared by the criminals.

According to information released to the public, the criminals used two key methods to trick the buyer company (Company A) into sending them money: they created a fraudulent bank account in Timor-Leste using the name of the Singaporean supplier company (Company B); and they created a fraudulent email address which was almost identical to Company B’s real email address but contained the letter “l” instead of “i”. They then used this fraudulent email address to request a transfer from Company A to the new bank account based in Timor-Leste. It is also likely that the criminals gained access to internal company systems or private communications using more sophisticated means or “hacking”, and then used private information about the ongoing business relationship to convince Company A that they were, in fact, communicating with Company B. However, FM has not heard any specific confirmation of this.

As a result of the operation, the criminals have been charged with computer fraud and money laundering. FM congratulates the Timorese security authorities, particularly PCIC and SNI, for their swift and decisive response in this case. Upon receiving notification from INTERPOL, they acted promptly, freezing US$39 million in the fraudulent account and recovering an additional US$2 million in cash. The operation led to the arrest of nine suspects, including four foreign citizens. According to recent reports, the foreign citizens plus one Timorese citizen remain in police custody.

As acknowledged by PCIC, the crime was detected after the two Singaporean companies realised that the money had not arrived in the supplier company’s account. After receiving notification from INTERPOL, the Timor-Leste authorities took action to freeze the accounts and arrest the suspects. Thus, while Timor-Leste’s authorities responded quickly and effectively once they received information from INTERPOL, the fact remains that illegal activities were not detected on Timor-Leste’s side until the victims reported the crime. This gap highlights that the Timor-Leste authorities still lack the ability to independently detect and prevent financial fraud and cybercrime activities.

Another critical factor underlying this case that FM finds extremely troubling is that in order to convince the Singaporean buyer to send the money, the criminals opened a bank account with Mandiri bank in the name of the Singaporean supplier company. This implies that the criminals either registered a fake company with SERVE using an existing foreign company name, then set up a bank account using the registration documents issued by SERVE; or they simply created false company documents and used these to open the Mandiri bank account. At a minimum, this illustrates that SERVE, Mandiri, or both, are failing to conduct adequate checks aimed at preventing such criminal activities. An even worse possibility is that unknown persons within either institution may have collaborated with the criminals to facilitate their crime. It is also highly suspicious that criminals were apparently able to withdraw millions of dollars in cash from multiple bank branches in just a couple of weeks.

In Timor-Leste, it well-known that the inefficiency and corruption of the state bureaucracy makes is easy – and indeed often necessary – to pay people “inside” to process documents and perform other administrative tasks. Without a contact on the inside, it is often difficult, even impossible, to access basic documents such as certificates and passports in a timely fashion. A notorious example is the Government’s ongoing inability to issue passports to citizens, which has led to a thriving “industry” of bribes due to the necessity of paying people for appointments to obtain a passport.

If the investigation in this case proves that the criminals were indeed able to conduct their activities due to “inside” assistance, the case will provide a clear demonstration of how the politicisation and “familiarisation” of institutions – the appointment of functionaries based on personal connections and party affiliation rather than on experience and capacity – opens the door for criminal groups to conduct their activities in this country. The lack of adequate checks and the ease of buying access to official documents reflect a broader culture of informality and minimal adherence to formal rules and procedures across state, private sector or non-governmental organisations. Such conditions are highly attractive to criminals wishing to conduct fraudulent activities.

While many view this case as a victory for Timor-Leste’s security agencies and an example of effective international collaboration, FM is worried that it may serve more as a “lesson learned” for criminal networks. At the same time, foreign investors are surely taking note of this case, including the fact that inadequate checks within private and public institutions may have indirectly enabled criminal activities, or that staff may have directly facilitated the crime. Such weaknesses do not only attract criminals – they deter legitimate investors who may be interested in working in Timor-Leste. Considering the importance and urgency of increasing foreign investment for Timor-Leste’s national development, widespread corruption, inefficiency and informality are more than just an inconvenience – they are a national security threat.

Resolving these systemic problems requires implementing comprehensive solutions over the long-term. This itself requires sufficient political will on the part of Timor-Leste’s top leaders to combat nepotism, politicisation and corruption within the state administration. As FM has discussed many times, replacing the Rule of the Deal with the Rule of Law is challenging in a country where personal relationships and party affiliations dominate decision making, and where formal rules and procedures are routinely ignored. The relationship between corruption, nepotism and informality and the fight against serious and organised crime is too complex to discuss in this article; FM will produce a separate article analysing this topic in more detail.

In the meantime, we have identified several areas which can be strengthened in order to boost the State’s capacity to detect and prevent cyber-crimes and financial fraud. First, we strongly recommend strengthening mechanisms for detecting unusual financial activities, particularly enhancing the capabilities of state institutions tasked with combating financial crimes, particularly SNI, PCIC and the Financial Intelligence Unit. Timor-Leste is a member of the Asia-Pacific Group on Money Laundering (APG), which provides opportunities for technical assistance and training. Other key partners in the fight against financial and organised crime include Australia and the European Union, both of which have supported anti-money laundering and organised crime prevention initiatives in Timor-Leste. The Government should take advantage of the opportunities for training and collaboration provided by these partnerships.

Strengthening regulation and oversight of commercial financial institutions is also essential to detect fraudulent activities. First, preventing criminals from opening company bank accounts requires increased checks by commercial banks, including coordination with state authorities managing business registration. It also requires mandatory checks of international corporate databases to ensure that fraudulent companies are not registered in Timor-Leste using the name of existing foreign companies without adequate controls to ensure that those opening the account truly represent that company. Advanced anti-money laundering systems such as mandatory Suspicious Activity Reports, if not yet implemented, should be adopted to detect and flag potentially fraudulent activities. Commercial banks should also be required to implement training programs for staff to recognise potential fraud attempts.

Finally, evidence suggests that Timor-Leste’s inefficient immigration system indirectly facilitates the activities of foreign criminals. A major problem is that the Timor-Leste Government currently issues thousands of “tourist” visas to non-tourists each year. This is due to a combination of bureaucratic rules which lack clear rationale, inefficiencies causing long delays approving other visa types, and a lack of alternative visa categories to enable short-term work and other activities. As a result, thousands arrive in Timor-Leste each month on “tourist” visas, with intent to conduct other activities. As a result, it is impossible for the authorities to accurately track foreign arrivals, including monitoring for potential criminal intent when people arrive at borders. FM will analyse this issue in more depth in a later article; however, it is important to point out here that reforms are urgently needed to streamline and modernise the immigration system to ensure that foreign citizens are issued with the correct visa, and that they can access visas and related documents without having to pay bribes, which promotes corruption and a lack of checks in the immigration system.

In conclusion, the case of email fraud can be seen, in part, as a victory for Timor-Leste’s law enforcement agencies. However, it also serves as a stark reminder of the vulnerabilities that organised crime networks can exploit in Timor-Leste. Addressing these challenges will require comprehensive efforts to implement more robust financial surveillance mechanisms, improve monitoring of foreign arrivals and support interagency coordination. At the same time, authorities must recognise that systemic corruption and inefficiency in the public administration, including the ease of buying access to official documents, lack of robust checks and weak immigration controls, incentivise criminal groups who wish to use Timor-Leste as a base for their activities. These issues can only be addressed through broad-based measures aimed at promoting adherence to formal rules and procedures, tackling nepotism and corruption, and reforming processes and systems within key institutions such as SERVE and the Immigration Service. Only through such measures can Timor-Leste effectively safeguard itself against the growing threat of financial and cyber-crime and ensure a secure environment for its citizens and businesses.

Leave a Reply

Your email address will not be published.

Related Post