Long Reads: A chance meeting cost this CIO £400,000

Betrayal, bewilderment and Bank of America

Tom Allen
7 min read
Image: Wayne Johncock and his wife Nicky in 2014

Why is an insider threat even more dangerous than the hacker in the shadows? Because it’s not the mugging in the dark that hurts the most – it’s the knife in the back.

Nobody is immune to a well-constructed scam; not the CIO, the CEO or even the CISO.

The story of Wayne Johncock, former CIO at Centrica and MOSL, illustrates that well. A chance meeting developed into a fraud and betrayal that cost him and his wife Nicky upwards of £400,000.

We're highlighting Wayne and Nicky's story as part of October's Cybersecurity Awareness Month.

"The proposition appeared perfect," he says. "The good Samaritan friendly neighbour who is a Bank of America senior executive wanting to invest in my dream and passion - SuperLearningSeries, my edtech startup."

Wayne met his scammer, Rajesh Ghedia, at a local Christmas party in 2018. At the time Wayne was searching for an investor for SLS, and Ghedia promised that Bank of America would back his personal investment of up to £1.5 million.

The best lies have a kernel of truth: Ghedia really did work for Bank of America. But rather than being head of derivatives trading for EMEA, as he claimed, he actually worked as an internal project manager in the tech team. He even mocked up business cards and an email footer - sent from Bank of America's own mail servers - to sell the illusion.

"He spent a lot of time ensuring that he had my trust and my confidence... Convincing me he was fully supportive of my education app. He saw the benefits, how it could help the world, and he produced paperwork which told me that the Bank fully supported it and they were right behind it.

"He got in and had a look at my website and could ask me questions about it, so I knew that he was taking it seriously from that point."

Wayne and Ghedia would meet at least twice a month, sometimes with Ghedia's 10-year-old son, to discuss the plans for SuperLearningSeries - plans that depended on the money that had been promised.

"I put £180,000 into a personal wealth portfolio, which was his vehicle to deposit his £1.5 million into. In the end, he didn't put any money in despite the mocked-up bank statements showing it. I put my money in, he took it, and it took 15 months for me to expose him."

The sting of social engineering

Rajesh Ghedia won Wayne's trust so thoroughly that he defended the man to his friends. Image: Wayne Johncock

Some criminals adopt a spray-and-pray approach, maximising their chances of getting a bite through quantity over quality. Others spear-phish, choosing and stalking their targets carefully for a bigger payout.

Ghedia mixed the two, using the same approach on Wayne that he'd followed with other victims - all of whom he knew personally. They included his regular taxi driver, a parent at his children's school, and his own cousin.

"He threw out the hook, I bit - big bit of bait there - and from then on he knew exactly the buttons to press."

The worst part of social engineering scams is that the victim can be too embarrassed, or too far in (the sunk cost fallacy), to admit they were wrong.

"I was defending him and supporting him against my friends," says Wayne. "He completely had me in a place where he needed me to be."

And yet, something did niggle. With his background in technology, Wayne decided to do some due diligence.

"What I wanted to make sure of was that his employer had full visibility of what we were doing. I said everything must go through your e-mail account, and I deliberately put words and phrases in that I knew would trigger an internal monitoring alert.

"All information was in the emails, like the bank account details, the investment, the payout scheme, the way the money would be deposited, how it would be used. He even requested my passport in order to pass KYC."

But when Bank of America didn't raise an alert, Wayne's suspicions were allayed.

"For a company that spends billions and billions of dollars on cyber security and technology, and has one of the most secure, sophisticated, well-invested technology systems in the world, I had absolutely no doubt this would have been picked up by their monitoring software and made visible. So, the longer that went on the more assured I was that it was authentic."

At the same time, Ghedia had doctored emails - which Computing has seen - to appear as if they came from senior figures at the Bank, supporting his actions.

Bank of America had no comment when we contacted them about Wayne's claims.
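The check Wayne was counting on is content inspection of employee email: a data-loss-prevention (DLP) policy that flags messages carrying bank account details, identity-document requests or KYC language to an outside address. The snippet below is an added illustration written for this article, not code from Computing, Wayne, or Bank of America, and it says nothing about what the bank's own monitoring does or did. The rule set, the mail domain `example-bank.test`, the message bodies and the `min_hits` threshold are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample messages for the example (not the real emails Computing saw).
SAMPLE_EMAILS = [
    {
        "id": "msg-1",
        "from": "employee@example-bank.test",
        "to": "founder@example-startup.test",
        "body": (
            "Hi Wayne, please transfer the first tranche to sort code 12-34-56, "
            "account 12345678. The bank is fully behind the investment."
        ),
    },
    {
        "id": "msg-2",
        "from": "employee@example-bank.test",
        "to": "founder@example-startup.test",
        "body": "Can you send a scan of your passport so we can complete KYC?",
    },
    {
        "id": "msg-3",
        "from": "employee@example-bank.test",
        "to": "colleague@example-bank.test",
        "body": "Lunch at 1? The project deck is in the shared folder.",
    },
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# Hypothetical rule set covering the data types the article mentions (account
# details, a passport request, KYC, investment terms). Commercial DLP engines use
# far richer classifiers; these regexes are illustrative only.
RULES = [
    Rule("uk_sort_code", re.compile(r"\b\d{2}-\d{2}-\d{2}\b")),
    Rule("uk_account_number", re.compile(r"\baccount(?:\s+number)?\s*:?\s*\d{8}\b", re.I)),
    Rule("iban", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")),
    Rule("identity_document_request",
         re.compile(r"\b(passport|driving licence|driver'?s licen[cs]e)\b", re.I)),
    Rule("kyc_term", re.compile(r"\bKYC\b|know your customer", re.I)),
    Rule("investment_term", re.compile(r"\b(invest(?:ment|or)?|tranche|payout)\b", re.I)),
]


def scan_email(email: dict) -> list[str]:
    """Return the names of every rule whose pattern matches the message body."""
    return [r.name for r in RULES if r.pattern.search(email["body"])]


def is_external(email: dict, internal_domain: str) -> bool:
    """True when the recipient address is outside the organisation's mail domain."""
    return not email["to"].lower().endswith("@" + internal_domain.lower())


def triage(emails, internal_domain="example-bank.test", min_hits=2):
    """Flag outbound messages that hit at least min_hits rules.

    A single hit on a word like "investment" is everyday traffic inside a bank,
    so the threshold keeps the noise down; account details plus a passport
    request to an outside address is the combination an analyst should see.
    Returns {message id: matched rule names} for flagged messages only.
    """
    flagged = {}
    for e in emails:
        hits = scan_email(e)
        if is_external(e, internal_domain) and len(hits) >= min_hits:
            flagged[e["id"]] = hits
    return flagged


if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLE_EMAILS).items():
        print(f"{msg_id}: {', '.join(hits)}")
```

Two points follow from the code rather than the story. First, a rule like this only ever flags content; whether the flag becomes an alert that a human reads depends on thresholds, routing and who owns the queue, none of which an outsider can see, so "no alert reached me" is not evidence that a message was legitimate. Second, the test only covers mail that actually traverses the monitored system: a doctored email forwarded as an attachment, or a PDF statement, carries the same words but may never be inspected as a message body at all.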
