The retired detective superintendent - who headed up the Queensland Police fraud and cybercrime group and now runs Brisbane-based Cultural Cyber Security (CCS) – is calling on banks to improve their electronic online verification system after organised criminals set up four fake bank accounts under his name to launder money.

Hay – who during his time on the digital beat issued countless warnings to Queenslanders to be vigilant – says banks failed in their legislative obligations to know their customer by allowing the accounts to be opened without his knowledge.

Hay says the problem stems from banks adopting a new electronic online verification system during Covid-19 that was deficient and “was facilitating a potential tidal wave of fraud and crime operations.” Over the course of a few weeks, the cyber-sleuth uncovered how criminals used his driver’s licence details to open four accounts under his name at St George, Bank SA and Bank of Melbourne, which all fall under the Westpac Group, and then finally a Westpac Bank account.

Hay is a current Westpac customer, and was offered no explanation as to how the bank did not seek to verify the fake account opening with him.

“I asked how was this possible because under the 100 points system to prove an identity a driver’s license was only worth 40 or 50 points and insufficient by itself,” he says. “I was advised that during Covid-19, Westpac adopted a new electronic online verification system and that system was still being used today.”

Hay says the digital crims were most likely involved in “muling”, which is when criminals set up fake accounts to launder the funds obtained as a result of their illegal activities.

They are transferring the money into these fake accounts – unbeknownst to people like Hay - and then they withdraw the money and send it to a designated domestic or offshore account, usually using a wire transfer service. Hay says he is frustrated with the response he has received from the bank, labelling it “absolutely disgraceful.”

He says the millions of accounts and documents hacked in the Optus, Medibank and Latitude cyber-attacks, means every Australian was basically compromised. “Criminals now have access to millions of Australian identities, and they are taking advantage of poor banking practices that fail to meet the required legislative standards,” he says.
A Westpac spokesperson declined to comment on individual customers but said “it has robust identification processes in place, in line with legal and regulatory requirements.”

“We encourage customers to be vigilant around fraud and scams. If you think your identity has been compromised, we encourage you to report it to the relevant government agency,” the spokesperson said. According to its website, to complete an identity check and open an account online, two forms of ID were needed. They included an Australian passport, Australian driver’s licence or Medicare card