The Evans and Partners-brokered investor says Computershare exposed itself and investors by allowing a fraudster to create an online account in his name without his knowledge by simply impersonating him with information contained in mailed letters.

Unlike competitors such as Link Market Services that block key information such as shareholders’ unique holder identification numbers (HIN) in mailed correspondence, Computershare sends letters with all the information a fraudster needs to create a new online account.

Jonathan Harding says he is “traumatised” by the experience, having bought shares for the first time in 2018 after inheriting some money from his grandmother and deciding to keep the same E&P stockbroker she had used, as he did not feel sophisticated enough.

“This is my first time ever owning shares,” he told The Australian. “I didn’t even know what the hell a share registry was,” he said.

“Apparently a CPU Investor Centre (online) account was set up in my name. I didn’t have an existing one because I used Evans and Partners for everything, and CPU’s fraud department said it was done through mail theft.”

Following an internal investigation, Computershare’s own fraud department concluded that fraudsters had used stolen mail to create a new account through Computershare’s website.

That online account then allowed the scammer to change the banking details linked to his HIN, redirecting $13,000 in dividend payments from nine ASX-listed companies, including BHP, Scentre Group, and NAB.

A further $26,000 in proceeds from Sydney Airport’s takeover in 2022 also went into “fraudulently controlled” bank accounts, according to correspondence sent by Computershare’s financial crime officer, Chris Vickery, and seen by The Australian.

The Abbotsford-based company is not taking responsibility for the $39,890 in losses resulting from the hoax, arguing that it is “satisfied that at all times that our fraud prevention controls have been followed,” the letter addressed to Evans and Partners says.

“I am traumatised by this,” Mr Harding said. “I am not somebody who has ever followed the stock market. My grandmother had a broker at Evans and Partners and so I went OK, can you please just invest this.”

Evans and Partners then opened a bank account on his behalf in late 2018 and created his unique HIN for his new holdings. Things seemed to be going normally until he received a letter from ANZ in July 2022 notifying him that a dividend payment had been returned because his account details were incorrect.

Mr Harding immediately notified Evans and Partners, who started investigating why the payment had failed and why the bank details had changed compared to the bank account instructions tied to his HIN.

About two months later, Mr Vickery, who heads Computershare’s financial crime department, wrote to Evans and Partners: “Our investigation has concluded that an unidentified third party has created an online, Computershare Investor Centre account in your client’s name.”

The letter said the fraudulent account had been opened on March 26, 2021 and that “as part of Computershare’s security validation protocols when an IC Account is created” online, Computershare had sent a “security confirmation letter” to the investor’s registered address in Elwood, Victoria.

On the same day that the account was set up, “the banking details were subsequently amended with a view to diverting any dividend payments into a fraudulently controlled bank account,” the letter says.

Computershare then again sent “security confirmation notices relating to the account changes” to the same address, the letter adds.

“You can see from the above timeline Computershare sent several security confirmation notices to your client’s registered home address at (address) each time we received a request to amend your client’s bank account details, which has been confirmed by your client as his genuine home address,” the letter says.

Since the mail was being stolen, Mr Harding never received the many “security” confirmation letters Computershare had sent.

In the letter, Computershare’s officer finally states: “In the circumstances we are not prepared to reimburse your client for any funds associated with this fraudulent activity.”

Mr Harding moved brokers to Ord Minnett in October 2022 after feeling Evans and Partners had lost interest in trying to hold Computershare accountable over the security breach. An E&P spokesman declined to comment on the case, but said that there were no similar cases among its clients.

He pursued complaints with AFCA and with ASIC but both bodies told him they had no jurisdiction to be able to help him.

“My new broker at Ords couldn’t believe how easy it was to open a new online account, so he tried to do it under his wife’s name. He was shocked that all you needed was the name, a HIN and a postcode,” Mr Harding said. “All of the sudden he had access. There was not even a multi-factor verification requirement,” he said.

Mr Harding was then forced to go to the police, even if he felt Computershare should take responsibility and pursue the crime, since he says it was their security protocols that had made them vulnerable.

“My view of the whole thing is that the crime occurred at the point when Computershare dealt with a third party and allowed somebody in, to open up an account in my name,” he said.

“While I may be a victim of mail theft – and that’s just Computershare’s theory – I am not a victim of financial fraud. It is Computershare that is the victim of the financial fraud. They dealt with the fraudsters exclusively, allowed them to open an account and were tricked into paying the moneys to the wrong accounts.”

Share registries – of which Computershare and Link are the largest in Australia – are entrusted with distributing dividends to shareholders, handling the issuing of new shares and maintaining accurate records of ownership and transactions.

They are appointed by the company whose shares they are registrars of, and investors have no say on who handles the registries in the companies they invest in.

Media representatives from BHP did not return a request seeking comment. A Scentre Group spokesman said the company had encouraged Mr Harding to report the mater to police, while those at Sydney Airport and NAB declined to comment.

Correspondence between Mr Harding, E&P and Computershare shows the company repeatedly ignored requests for details about how a fraudster could open an account with the information in the stolen correspondence.

When asked by The Australian, a Computershare spokeswoman said the company could not comment on the “alleged fraud” without the permission of the shareholder. Mr Harding said the company did not seek his approval.

The spokeswoman said: “We can confirm that we would always fully support shareholders that experience external fraud, including closely monitoring their accounts, and co-operate with any police inquiry.”

In the letter from Mr Vickery, Computershare says the bank accounts to which the funds were transferred had been in his name. But police currently investigating the case have already told Mr Harding that the fraudulent accounts to which the funds were transferred were in fact not in his name as the letter claims, he said.

The Computershare spokeswoman said the company managed “many millions of shareholdings worldwide and, like other financial organisations, see the techniques employed by fraudsters grow more diverse and sophisticated every year.”

“We are constantly improving our systems to best defend against crime and have a number of resilient security measures in place, including two-factor authentication for all Australian Investor Centre accounts.”

Earlier this month Computershare said its earnings jumped 95 per cent in the year ending June 30 to a record $444.7m.

More related stories

Wealth

Ten ways to save our super system

The reputation of big super funds hit the rocks in 2024. Here is what needs to happen this year if we want the system to improve.

Read more

Trading Day

ASX 200 hits fresh record; Zip, Lynas up

Rinehart lifts Lynas stake. Broker upgrade for Zip. Origin down after cutting APLNG output expectations. Lendlease selling Capella. Ramsay Health Care loses key executives in restructure. Apple's iPhone sales dip.

Read more