Long Reads: A chance meeting cost this CIO £400,000
Betrayal, bewilderment and Bank of America
Why is an insider threat even more dangerous than the hacker in the shadows? Because it’s not the mugging in the dark that hurts the most – it’s the knife in the back.
Nobody is immune to a well-constructed scam; not the CIO, the CEO or even the CISO.
The story of Wayne Johncock, former CIO at Centrica and MOSL, illustrates that well. A chance meeting developed into a fraud and betrayal that cost him and his wife Nicky upwards of £400,000.
We're highlighting Wayne and Nicky's story as part of October's Cybersecurity Awareness Month.
"The proposition appeared perfect," he says. "The good Samaritan friendly neighbour who is a Bank of America senior executive wanting to invest in my dream and passion - SuperLearningSeries, my edtech startup."
Wayne met his scammer, Rajesh Ghedia, at a local Christmas party in 2018. At the time he was searching for an investor for SLS, and Ghedia promised Bank of America would support his personal investment of up to £1.5 million.
The best lies have a kernel of truth: Ghedia really did work for Bank of America. But rather than being head of derivatives trading for EMEA, like he claimed, he actually worked as an internal project manager in the tech team. He even mocked up business cards and his email footer - from Bank of America's own servers - to sell the illusion.
"He spent a lot of time ensuring that he had my trust and my confidence... Convincing me he was fully supportive of my education app. He saw the benefits, how it could help the world, and he produced paperwork which told me that the Bank fully supported it and they were right behind it.
"He got in and had a look at my website and could ask me questions about it, so I knew that he was taking it seriously from that point."
Wayne and Ghedia would meet at least twice a month, sometimes with Ghedia's 10-year old son, to discuss the plans for SuperLearningSeries - plans that depended on the money that had been promised.
"I put £180,000 into a personal wealth portfolio, which was his vehicle to deposit his £1.5 million into. In the end, he didn't put any money in despite the mocked-up bank statements showing it. I put my money in, he took it, and it took 15 months for me to expose him."
The sting of social engineering
Some criminals adopt a spray and pray approach, maximising their chances of getting a bite through quantity over quality. Others go spear-phishing, choosing and stalking their targets carefully for a bigger payout.
Ghedia mixed the two, using the same approach on Wayne that he'd followed with other victims - all of whom he knew personally. They included his regular taxi driver, a parent at his children's school, and his own cousin.
"He threw out the hook, I bit - big bit of bait there - and from then on he knew exactly the buttons to press."
The worst part of social engineering scams is that the victim can be too embarrassed or too far in - the sunk cost fallacy - to admit they were wrong.
"I was defending him and supporting him against my friends," says Wayne. "He completely had me in a place where he needed me to be."
And yet, something did niggle. With his background in technology, Wayne decided to do some due diligence.
"I wanted to make sure was that his employer had full visibility of what we were doing. I said everything must go through your e-mail account, and I deliberately put words and phrases in I knew would trigger an internal monitoring alert.
"All information was in the emails, like the bank account details, the investment, the payout scheme, the way the money would be deposited, how it would be used. He even requested my passport in order to pass KYC."
But when Bank of America didn't raise an alert, Wayne's suspicions were allayed.
"For a company that spends billions and billions of dollars on cyber security and technology, and has one of the most secure, sophisticated, well-invested technology systems in the world, I had absolutely no doubt this would have been picked up by their monitoring software and made visible. So, the longer that went on the more assured I was that it was authentic."
At the same time, Ghedia had doctored emails - which Computing has seen - to appear as if they came from senior figures at the Bank, supporting his actions.
Bank of America had no comment when we contacted them about Wayne's claims.
Long Reads: A chance meeting cost this CIO £400,000
Betrayal, bewilderment and Bank of America
Why is an insider threat even more dangerous than the hacker in the shadows? Because it’s not the mugging in the dark that hurts the most – it’s the knife in the back.
Crashing down
Finally, after Ghedia convinced Wayne and Nicky to transfer another £40,000 into a separate fund - while cooked statements showed the original growing nicely, up to £1.7 million - they alerted Bank of America. A month later, Wayne got a call that changed everything.
"On June 12th, 2020, at 13:02, my world came crashing down. I got a call from Action Fraud to say my case was being handed over to the City of London Police and to expect a call. Shortly after, a detective constable called to brief me. He said he would check again with BofA Internal Investigations to see if my investment account did actually exist."
The follow-up call confirmed it: There was no such account. Ghedia, a criminal employee operating inside Bank of America, had manipulated systems, bypassed safeguards and stolen more than £600,000 from his victims.
The fallout
Ghedia was fired from Bank of America on 3rd June. He was arrested two months later, in August 2020, and went on to pull off another scam - this time against his insurer, for £1.2 million. He spent 2021 in and out of police stations.
While Covid-19 delayed Ghedia's day in court, he was eventually sentenced to nearly seven years in jail in June 2022 - by which time he had already been behind bars for six months, for breaching bail.
"I went to the sentencing day in court. First time I've ever been in a court. I wanted to see him, to make sure that he knew what I'd done [to put him there]."
Still, it was weak salve for a wound that had cost Wayne and Nick £400,000. As well as the £180,000 they deposited - £150,000 of which they have got back - they also took money from their own savings and used government Bounce Back Loans to keep paying staff when the investment failed to pay out.
Looking back, Wayne is still sure he did almost everything right - but it's the "almost" that cost him.
Speaking now from a position of regretful experience, he says anyone who thinks they might be in a similar situation should always speak directly to senior people in the organisation they're dealing with. He missed out on that because Ghedia was so careful to ensure he had his victims' trust.
Not trusting anyone at face value is, understandably, his second maxim.
"Do a bit more work just to be 101% sure. I might have been 99% sure, but the good criminals know how to get around things."
And finally, verify everything. If someone is urging you to transfer money, even - especially - if they're in a position of trust, check them out; from their digital footprint to their work history.
"When I look back on it, every step, I now say, ‘Why did I not pick it up?' But then talking to other people who've been done over, they say, ‘Look, it can happen to anyone.'
"Maybe it can, but these criminals are becoming more astute. They're using technology to their advantage, and they're able somehow to bypass controls and governance.
"And I don't know how he - or maybe they - did it."
Even the most experienced IT leader can fall victim to the right scam, and as Wayne can attest, being a victim is horrific - the journey before, during and after is a rocky road.
Thankfully, there are initiatives like the Security Awareness Special Interest Group, National Insider Threat Awareness Month (September) and Cybersecurity Month (October) that offer support and help.
Wayne is pushing for his story to drive more accountability on financial institutions, tighten regulations on cyber fraud, and act as a wake up call for regulators like the ICO and FCA that these crimes are real and have a huge personal impact on victims.
Computing is following the data protection side of the case up with the ICO now. To date, the regulator has insisted it won't deal with criminal cases. At the same time, the police insist anything involving data should go via the ICO.
It appears that cases like Wayne's have fallen down the cracks.
If you or someone you know has suffered a similar incident, and had trouble dealing with the ICO and law enforcement, please get in touch.