Long Reads: A chance meeting cost this CIO £400,000

Betrayal, bewilderment and Bank of America

Tom Allen
clock • 7 min read
Wayne Johncock and his wife Nicky in 2014
Image:

Wayne Johncock and his wife Nicky in 2014

Why is an insider threat even more dangerous than the hacker in the shadows? Because it’s not the mugging in the dark that hurts the most – it’s the knife in the back.

Nobody is immune to a well-constructed scam; not the CIO, the CEO or even the CISO.

The story of Wayne Johncock, former CIO at Centrica and MOSL, illustrates that well. A chance meeting developed into a fraud and betrayal that cost him and his wife Nicky upwards of £400,000.

We're highlighting Wayne and Nicky's story as part of October's Cybersecurity Awareness Month.

"The proposition appeared perfect," he says. "The good Samaritan friendly neighbour who is a Bank of America senior executive wanting to invest in my dream and passion - SuperLearningSeries, my edtech startup."

Wayne met his scammer, Rajesh Ghedia, at a local Christmas party in 2018. At the time he was searching for an investor for SLS, and Ghedia promised Bank of America would support his personal investment of up to £1.5 million.

The best lies have a kernel of truth: Ghedia really did work for Bank of America. But rather than being head of derivatives trading for EMEA, like he claimed, he actually worked as an internal project manager in the tech team. He even mocked up business cards and his email footer - from Bank of America's own servers - to sell the illusion.

"He spent a lot of time ensuring that he had my trust and my confidence... Convincing me he was fully supportive of my education app. He saw the benefits, how it could help the world, and he produced paperwork which told me that the Bank fully supported it and they were right behind it.

"He got in and had a look at my website and could ask me questions about it, so I knew that he was taking it seriously from that point."

Wayne and Ghedia would meet at least twice a month, sometimes with Ghedia's 10-year old son, to discuss the plans for SuperLearningSeries - plans that depended on the money that had been promised.

"I put £180,000 into a personal wealth portfolio, which was his vehicle to deposit his £1.5 million into. In the end, he didn't put any money in despite the mocked-up bank statements showing it. I put my money in, he took it, and it took 15 months for me to expose him."

The sting of social engineering

Rajesh Ghedia won Wayne's trust so thoroughly that he defended the man to his friends. Image: Wayne Johncock

Some criminals adopt a spray and pray approach, maximising their chances of getting a bite through quantity over quality. Others go spear-phishing, choosing and stalking their targets carefully for a bigger payout.

Ghedia mixed the two, using the same approach on Wayne that he'd followed with other victims - all of whom he knew personally. They included his regular taxi driver, a parent at his children's school, and his own cousin.

"He threw out the hook, I bit - big bit of bait there - and from then on he knew exactly the buttons to press."

The worst part of social engineering scams is that the victim can be too embarrassed or too far in - the sunk cost fallacy - to admit they were wrong.

"I was defending him and supporting him against my friends," says Wayne. "He completely had me in a place where he needed me to be."

And yet, something did niggle. With his background in technology, Wayne decided to do some due diligence.

"I wanted to make sure was that his employer had full visibility of what we were doing. I said everything must go through your e-mail account, and I deliberately put words and phrases in I knew would trigger an internal monitoring alert.

"All information was in the emails, like the bank account details, the investment, the payout scheme, the way the money would be deposited, how it would be used. He even requested my passport in order to pass KYC."

But when Bank of America didn't raise an alert, Wayne's suspicions were allayed.

"For a company that spends billions and billions of dollars on cyber security and technology, and has one of the most secure, sophisticated, well-invested technology systems in the world, I had absolutely no doubt this would have been picked up by their monitoring software and made visible. So, the longer that went on the more assured I was that it was authentic."

At the same time, Ghedia had doctored emails - which Computing has seen - to appear as if they came from senior figures at the Bank, supporting his actions.

Bank of America had no comment when we contacted them about Wayne's claims.

You may also like
Cyber gang shifts focus to SaaS apps

Security

‘Scattered Spider’ is targeting vSphere, Salesforce, Crowdstrike and more

clock 18 June 2024 • 2 min read
Regulators block Meta from training AI on user data

Artificial Intelligence

UK and EU authorities have told Meta to pause plans to train LLMs on Facebook and Instagram data

clock 17 June 2024 • 2 min read
OpenAI expands lobbying team to shape AI regulation

Corporate

Global affairs team has grown more than 10x in a year

clock 14 June 2024 • 3 min read

More on Security

Cyber gang shifts focus to SaaS apps

Cyber gang shifts focus to SaaS apps

‘Scattered Spider’ is targeting vSphere, Salesforce, Crowdstrike and more

Vikki Davies
clock 18 June 2024 • 2 min read
Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint

Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint

A relatively quiet month

John Leonard
clock 12 June 2024 • 2 min read
Cloud encryption rates are disastrously low, research

Cloud encryption rates are disastrously low, research

Come on in, the door's open

John Leonard
clock 05 June 2024 • 2 min read