The Admiral, the Queens Counsel & the Scam
We take a look at the hidden world of online scam's run by people who hide behind the stolen identities of some of the most trusted people and institutions in the world. In doing so we ask the question; "What can you do to mitigate the risk of identity theft and what responsibility do social networks have when it comes to bringing the issue under control." Join EntreHub editor, Matthew Tukaki, as he tells three real life stories that are sure to concern you - the story of the The Admiral, the Queens Counsel and the United Nations Agency.
We can now reveal that one of the people at the centre of our investigation into wide spread identity theft using the social network LinkedIn is Rear Admiral Michael van Balen, Deputy Chief of the Royal Australian Navy. The second person is respected London based Queens Counsel, Jacob Levy and the third is not a person, but an institution - the United Nations Office of Humanitarian Affairs. But, to unpack how these two men and this well known institution became caught up in a series of scams we need to start at the beginning: (select an image on the side bar for reference)
The reality is the world in which we live, work and play has changed dramatically as more and more of our lives are played out in the online world through social media platforms. According to a 2013 report nearly one in four people worldwide used social networks in one form or another and it’s been estimated that figure is set to rise to more than 2.55 billion by 2017.
Just as the pattern of our lives change so too is the criminal enterprise. In a report sponsored by McAfee (the online security software business) annual damage to the global economy now sits at more than $445 billion.
In 2012 an estimated $1.5 billion was lost to online credit and debit card fraud in the United States alone. Computer crime itself is not new. One of the highest profile (and oldest reported cases) was the Chief Teller of the Park Avenue Branch (New York) of Union Dime’s Savings Bank who walked away with $1.5 million in the early 1970’s right through to the more recent sophisticated networks believed to be based in Russia who, in 2012, reportedly walked away with 6.5 million passwords of LinkedIn users. In actual fact the level of cybercrime ranges from low level credit card transactions to all out identity theft.
It is the identify theft that can have long lasting implications and in the sights of many people is professional networking site LinkedIn. According to the company site, LinkedIn now reaches 300 million members worldwide and had a further 23 million users since December 31st of 2013 but, not all of them are who they appear to be and the problem is on the rise.
In August last year I had received a connection request from Rear Admiral Michael van Balen, Deputy Chief of Navy of the Australian Defence Force. Now, I get connection requests every day but this one stood out not because I did not believe Michael was real but because I just could not understand why Michael was connecting with me.
It had been more than a decade since I had involvement with the Australian Defence Force and even longer still since my involvement with the US Department of the Navy. On further inspection of the profile the tell-tale signs of identity theft were present including the summary being disjointed and not written in the style of someone who had a decent grasp of the English language. In the case of Rear Admiral Van Balen the fake profile had 91 connections and I made the conscious decision to report it. This included reporting the profile to LinkedIn. Today, more than six months later, the fake profile is still active. It remains unclear what the intended fraud may have been but a tell-tale sign can be seen in two more recent examples.
On Thursday the 8th of January I received a connection request from a man called David Marck, who, on his profile stated he was a member of the UK Judiciary. He had more than 500+ connections already and so I assumed with that number of people in his network he was legitimate. Less than a day later, I received an email through the LinkedIn service. In part the email said that “I am a legal counsel practicing in London. I am the legal representative to the late Engr. Fahad Tukaki, hereafter referred to as my client, who worked as an independent oil broker in England, and died in December 26, 2004 in Indonesia with his immediate family”
And that’s when you know it’s a con. Firstly my surname, Tukaki, is indigenous to New Zealand and we do not have any relatives in Indonesia. I know this because let’s just say it’s a very small family tree! The fraud itself is fairly simple – the writer will then go on to ask me for personal details such as date of birth, address and contact details. As I respond to each layered request I dig a deeper hole and by the end of it my entire identity is gone. I then decided to do something I had never tried before, take the photo of the person “David Marck” on the fake LinkedIn profile and upload it to the Google Image Search function on Chrome. This type of search will pull up images that are the same or similar and there was no surprise when the photo had a hit. It belonged to another real judicial officer who just happened to be a Queens Counsel, Jacob Levy.
When we contacted Jacob Levy’s office on the 8th of January needless to say they were shocked with Director of Business Development (Criminal and Civil), Michael Goodridge reacting “outrageous isn’t it.” In this case the identity thief had just stolen an image and created a fake name to the profile unlike the case of Rear Admiral Van Balen where the whole identity was taken.
The third example is where an entire organisations brand has been hijacked – in this case it was the United Nations Office of Humanitarian Affairs who, on January 18th, sent me an email through a LinkedIn group stating that “You have been granted the sum of $985,000.00 USD in the United Nation Development Program UNDP world Aid/support promo, for your Personal, community and education development and do note that at least 60% (Percent) of this total fund must be use for such purpose.”
In theory no one in their right mind would believe that a United Nations institution involved in humanitarian aid and, let’s face it, desperate for money to fund its work would somehow be giving close to a $1 million away. Not only that, no agency of the UN is able to provide funds to a project or activity that does not come as the result of a sanctioned procurement process. The latter itself also highlights the information being sought and the contact details of the person to respond to. The email address was not an official UN address. When contacted a source at the United Nations indicated that "this isn't the first time this has happened and its a source of frustration that people are being pulled into these scams. Whats even more frustrating is the increasing brazen use of the UN brand and logo to try and legitimize the scam."
Of course these are but three examples related to a single user of LinkedIn, me. On further analysis of my own connection requests the team at EntreHub identified more than 100 within the last 12 months with the majority purporting to be public or legal professionals - all of which we deemed to be fake.
When we reached out to LinkedIn in the case of Rear Admiral Van Balen last August and Jacob Levy on the 8th of January for comment we had no reply. We then emailed LinkedIn’s press team posing the following questions:
What does LinkedIn intend to do to “clean up” the problem of fake profiles across its platforms
What do you say to allegations we have been sent that LinkedIn is a facilitation service for fraudulent activity
Will LinkedIn take action similar to that of Instagram where phising accounts or those tagged as being obvious fakes, are withdrawn?
Will you offer an apology to Jacob Levy QC
To date we have still not received a response from LinkedIn.
When we reached out to the Australian Defence Force about the theft and ongoing presence of Admiral Van Balen’s identity on LinkedIn we asked: “How seriously does defence take the theft of Admiral Van Balen’s identity and what measures will it take to investigate and protect it”. An Australian Defence Force spokesperson told EntreHub that: " Defence takes these matters seriously and will investigate the matter.
The Department of Defence takes the security of our information, capabilities and reputation seriously, including the security of Defence social media activities. All members are encouraged to manage their social media profiles/pages and ensure privacy and security settings are switched on."
Now that the Australian Defence Force have launched an investigation into the theft of Rear Admiral Van Balen's identity we expect LinkedIn to respond fairly quickly.
This all may be interesting but some serious questions need to be posed not only about the seriousness of the problem and how widespread it has become, but also, what role and responsibility do online providers such as LinkedIn have? Now, in fairness LinkedIn does have a page dedicated to what users should do if they are concerned about a fake profile and there is a feature where users can report someone, but we wanted to go much deeper and asked the question of the legal fraternity that is very serious: “Could LinkedIn be party to the fraud by allowing users to establish a profile without validation of identity?”
Two law firms EntreHub spoke to (one in the United States and the other in the UK) indicated that LinkedIn was treading a very slippery slope: "Here in the UK it would be an interesting test case given that LinkedIn has already accepted fraudulent activity does occur through the use of its site" said one senior QC who wanted to remain anonymous. "We think that just because LinkedIn is nothing more than a platform that individual users own the responsibility but thats not the case as different jurisdictions across Europe are looking at how they can protect the privacy of citizens data - there could be a case to answer" he said.
A legal expert in social media and commercial law in New York also said something similar but noted "It probably is time for a reality check with many of these larger social media sites in so far as they somehow think they are protected entities and users can always switch off, just as they switch on" she said "LinkedIn has a significant issue on its hands and if you were to take away all of the fake profiles a question hangs over just how many credible users they have." she commented.
Not stopping there we turned to Jodee Watts, a respected private investigator based in Wellington, New Zealand and who's job it is to often get to the bottom of fraud. When we asked Jodee if she was seeing a rise in identityu theft more broadly this is what she had to say: "Identity Thieves and Fraudsters have more tools at their disposal to use like never before. Back in the old days your biggest worry in regards to Identity Theft was someone stealing your personal Cheque book and writing cheques all over town in your name. Today, you get home to find someone has stolen your visa card, then the phone rings, its a fraudulent tech from Microsoft or the likes saying you have a bug on your computer and you need to buy his fraudulent software."
"Having dealt with that, head spinning you sit down with a cup of tea to read your emails and find your best mate is now in a terrorist jail and requires URGENTLY that you wire thousands of dollars. After a hell night the next day you are so pleased to be back at work and away from it all of that. At your desk opening your professional social networks you realise you are no longer able to access one of your accounts. You do a little searching and before long realise that your professional friends think you are now employed by a non-profit organisation requesting donations to an account you have no knowledge of. And your professional friends because they trust you, your reputation and have empathy are sending their hard earned money to a fraudster by the truck load, ouch."
Given that response we wanted to go further and asked Jodee the same question about whether or not LinkedIn could be seen a party to the fraud by way of allowing users to establish fake profiles and, therefore, a criminal enterprise: "I am not a lawyer. If I was requested to look at this on behalf of a client who has had their identity stolen the first step I would take is to inform LinkedIn formally by writing and request the account be immediately suspended. Followed by informing as many of the connections as I could so they do not full further victim to the fraudsters objective. I would suggest my client makes a formal report with the Police in the case of future criminal activities occurring using that identity. In the first instance, I would be more concerned with my clients legal liability than LinkedIn."
Jodee went on: "Why? Kim Dotcom known around the world based from New Zealand is enduring a costly legal battle fighting big organisations over a similar accusation, and more so. In simple terms, if I provide a service and then that service is used by some of my customers for criminal activities, should I be convicted of criminal charges? Kim Dotcom thinks not, his business providing the service was as much a victim as anyone else?!? Some will say a blind eye was turned while criminal activities pursued. Others will claim no appropriate investment is made by the business to adequately monitor or police criminal activities. A few will blame the law or lack of. Either way, it does not seem legally straight forward. "
One solution Jodee identifies is the possibility of "legislation put into place that requires members who sign up to to use a particular networking platform must provide identification in the form of a scanned passport or licence to obtain full membership. This practise is already used by some financial online services. In addition, that these platforms are given a time period where they must suspend or delete accounts once formerly notified of criminal activity. These are only some suggestions regarding identity theft."
"It could be argued the industry has grown faster than the law can be written. However, there seems room to make some improvements rather than waiting for an entirely new legislation to be introduced. Improvements that put more responsibility on the service provider to monitor and manage criminal activities. Keeping in mind however, it usually takes the members to notify the service of a suspected crime instead of the service notifying its members."
What is evident is the problem is not unique to LinkedIn. Instagram announced in December it would be cracking down on Spam that saw one agency estimate the removal of more than 10 million fake accounts. What is unnerving is the silence from LinkedIn on the issue as I report it. After many phone calls and emails I have not yet had a response to the questions posed earlier in the article. In the case of Rear Admiral Van Balen a legitimate question should be posed in relation to the fact one of Australia's highest ranking military officials, at a time when cyber terrorism and terrorism is a major domestic and local issue, of why the fake profile is still active?
In the mean time these are the simple things you can do now to mitigate the risk of your identity being hijacked online:
Never accept a connection request unless you know the person or know of them - at a minimum the person should be no more than a few steps removed directly from you in your current circle of freinds
Limit the amount of personal information you publish about yourself in the public domain including details that could be used to access further more valuable information about yourself
Pull down your LinkedIn profile, review it and only reload it once your information is brief and need to know as opposed to everything to know
If you are concerned that a connection is fake use the Google Image search engine to validate the person's identity as much as possible
Just because someone has built a social media platform doesn't mean you need to use it
About the Author: Matthew Tukaki is Editor and CEO of EntreHub.org. He is a former board member of the United Nations Global Compact and current Chairman of the Advisory Board of Deakin University CSaRO. You can follow him on Twitter or contact him via
Notes: Images used in this article have not been reproduced. They are originals of screen shots taken at the time. LinkedIn was contacted for comment but, at the time of writing no comment had been received. This article may be reproduced in its entirety however a link back to the original article should be included in addition to the "About the Author" summary.