Jenny was home alone in her kitchen preparing spaghetti bolognese when she received a phone call that has haunted her for the past two years.
"The landline rang — we have an unlisted number — he said he was from the Commonwealth Bank and he wanted to tell me that our accounts were not secure and our Visa card had suspicious transactions on it," she said.
She immediately went to the study and logged on to her internet banking.
"I saw that was right — there were five transactions in one day and three of them were to a business in Shanghai," she said.
"I was thankful that someone had rung and told me."
But what happened next would come to cost Jenny dearly.
"He said there was someone trying to also hack into our accounts. Then he said, 'I will need to check the security on your computer' and asked me to download TeamViewer," she said.
"I was a little bit hesitant to do that, but I have used TeamViewer in my work, especially if I need IT help remotely."
For decades, Jenny had worked hard running her husband's GP clinic in eastern Melbourne.
The couple is no longer working, but the business accounts still contained hundreds of thousands of dollars — money to fund life after work.
Panicked that she could lose it all, she followed the caller's instructions.
"Then the screen went black and there was 'TeamViewer working securely' written on the screen."
The man told her he was dealing with live threats to her accounts, and asked her to read out token codes the bank was sending to her phone. Now locked out of her accounts, Jenny was feeling more and more uneasy as the man kept telling her he needed more time.
Four hours into the call, exhausted and rattled, she hung up and called the bank.
'I felt stupid. I felt conned'
Listening back to Jenny's call with the Commonwealth Bank, you can hear the panic rising in her voice.
Twenty-five minutes into the call, after a series of questions and ID checks, a bank employee tells her "quite a few transactions" have been made. "We're going to try our best to … recoup the funds," he told her, and put her on hold.
After 37 minutes, much of it spent on hold, the call ended. Despite repeatedly asking, Jenny still did not know how much she had lost.
But later that night, she discovered she had given the caller 31 token codes, and each code enabled him to transfer $10,000 from her account.
The bank stopped just one transaction, and $299,996 was successfully stolen.
"I felt sick," she said.
"I felt stupid. I felt conned and I just wanted to do as much as I could to try and retrieve that money."
'We are inundated'
After a series of calls with the bank, Jenny went to Victoria Police to report the crime.
Her file ended up on the desk of Detective Acting Sergeant Marc Callegaro, adding to his ever-growing pile of scam cases.
"It's got to the point where we are inundated, actually," he said.
With the help of the bank, the detective quickly discovered Jenny's money had been transferred to 11 "money mules" with BankWest and Westpac accounts.
"Basically the money hits the mule's account … [and] the mule has been given instructions with bank account information as to where they're to send the money," he said.
Most of the mules were identified as Indian nationals who set up accounts with legitimate IDs. CCTV cameras captured two of them withdrawing money from ATMs in Sydney and Melbourne an hour into Jenny's four-hour call with the scammer.
"It appears that they've pretty much fled Australia at the time of the offending, and in some cases, they were actually offshore when the transactions took place," Acting Sergeant Callegaro said.
"Once they're out of Australia, we don't have any jurisdiction over offshore, especially when you're talking about as individuals, relatively small amounts."
He put an alert in place so he'll be notified if they return, but otherwise, the trail ends there.
"I'm dealing with cases every day, hundreds of thousands of dollars and even in the millions of dollars, people have lost.
"It's frustrating as an investigator knowing that once the money goes offshore, there's very little that I can do."
A difficult problem for banks to address
Regulators were unable to tell the ABC how many money mule accounts are active in the banking system.
But the Australian Competition and Consumer Commission's Catriona Lowe says they are a huge part of the scamming economy, which fleeced people of $3.1 billion last year.
"We are seeing the use of money mule accounts in the majority of reports that we receive," she said.
A 2021 report by financial intelligence agency AUSTRAC assessed the risk of money laundering through Australian banks as "high", and noted the use of mules as a key feature of criminals moving money overseas.
Acting Sergeant Callegaro said many were recruited through job ads offering highly paid work-from-home roles.
"The job involves receiving money into your account and you'll be given instructions to move money to another account and to do that, you get a commission," he said.
"In my experience, in most cases, money mules tend to have been caught up in the scam without really having knowledge as to the enormity of what they're a part of."
Commonwealth Bank, which owns BankWest, said the money mule accounts in Jenny's case had been opened with legitimate IDs, including drivers licences and foreign passports.
The bank said it had "strict identification processes in place to ensure people who apply for and open an account are who they say they are".
Westpac said the accounts involved were blocked once the scam was detected, but would not comment further for privacy reasons.
'They didn't detect anything'
The banks have been under significant pressure to address record scam losses, and last week unveiled a new tool to facilitate faster communication about fraudulent activity.
The Australian Banking Association says it will reduce communication delays between banks once a scam is reported, increasing the chance of intervening before money is lost.
In Jenny's case, it's unclear how much that would have helped.
Most of the money was transferred offshore as soon as it hit the mules' accounts, Acting Sergeant Callegaro said.
But "some movement of funds" — about $40,000 — didn't take place until four to five days later, he said.
That has angered Jenny, who said she was told all the mule accounts were frozen once they were identified.
However, the CBA insists no withdrawals were made after the recall request was received by BankWest.
"The [March 8 and 9] dates … refer to when the funds were settled, not when the scammers withdrew the money," the bank said in a statement.
Jenny said the transactions from her account, which had been dormant for nine months, were highly unusual and should have been detected by the bank.
"They didn't detect anything," she said. "They didn't detect the Visa card fraud and they didn't detect the bank withdrawals until I rang them."
But in a letter, the bank told her there was "no banking industry practice requiring the bank to monitor or scrutinise its customer's transactions to ensure they are free from scams or fraudulent conduct".
The ombudsman, AFCA, agreed the bank had met its obligations.
The bank later told the ABC it was not at fault nor liable to repay Jenny, but it had worked with other banks to recover some of the funds as soon as it was notified of the scam.
"We advise all customers that if they are speaking to someone claiming to be from Commonwealth Bank, whether they seem to be legitimate or not, to never tell them any token passwords, NetBank passwords, NetCodes or usernames for the CommBiz Service," the bank said in a statement.
"In this instance, the customer provided information which allowed the third party access to their account as well as authorisation codes which authorised the funds to be transferred to the scammers."
In the aftermath of the scam, the bank was able to recover $8,823.72 and return it to Jenny.
The CBA also offered Jenny a "goodwill" payment of $8,000, which she described as "insulting".
She has backed consumer groups who are calling for banks to be legally required to compensate scam victims, except in cases of extreme negligence by customers.
"I think what that would do would incentivise the banks to make more of an effort to implement better fraud detection in their systems."
While she and her husband are running out of avenues to recoup their money, they're tightening their belts.
"The whole idea is we've worked hard all our lives, put money aside so that we can be independent and not draw on the public purse as a pension," she said.
"The more money that's stolen, the more pressure we'll be putting on government purses and we don't want to do that."
If you're unable to load the form, click here.
