Archives for: September 2017

Australian Tax Office fake calls: The scam that keeps on giving

As if the Australian Tax Office – plagued by the Plutus payroll and Michael and Adam Cranston saga – didn’t have enough bad press at the moment, the Australian Competition and Consumer Commission (ACCC) Deputy Chair Delia Rickard estimates around $2 million has been shelled out so far this year by unwitting victims to scammers claiming to be from the ATO.

“That’s around 40,000 people,” she said. “It’s really huge – and that is only the people who are reporting the calls. Most people are too embarrassed to complain or do anything about it when they are conned.

“It’s outrageous … these people are operating from overseas call centres, they have a script, they are threatening. They are big organised crime and they make a fortune,” she said.

The ATO scam – where someone calls claiming to be from the ATO and says that you owe them money – usually has a huge spike in calls from scammers at the end of the tax year. The Scamwatch website records there was a fourfold increase in the money lost in the ATO scam, known as upfront and advanced fee fraud, at the end of this financial year. The 2017 figures for June show consumers lost nearly $1.4 million ($1,399,334) in fraud scams, which is almost four times the 2017 monthly average the scammers are bagging in cash. Last month (August) innocent taxpayers were conned into giving $283,213 over to fraudsters – which has been around the usual 2017 monthly average.


Ms Rickard said there are usually two types of calls. The first is where a person calls threatening a warrant is out for your arrest and that you must pay a large sum of money, usually in iTunes gift cards. The second is when they keep you on the telephone while they walk to the supermarket to buy the iTunes cards.

“Usually they are older people who are conned or people who have turned off the rational side of their brain and are just scared,” she said.

She said scammers have got smarter this year, and are avoiding scams involving banks. The ACCC has been working with supermarkets like Coles and Woolworths, whose staff are discouraging customers they feel are being conned into buying a large volume of iTunes cards.

If, like me, you receive a call from someone purporting to represent the tax office, be wary. Earlier this week I received a call on my mobile from a man purporting to be Gary Smith from the Australian Taxation Office. He said they had received a legal complaint about me for tax fraud.

“Before we take the matter into the Local District court and before we issue a warrant in your name kindly call us back.

“Do not disregard this message and do return the call as soon as possible,” he threatened.

Fortunately, as a former court reporter, I knew there was no Local District Court (there is a Local Court and a District Court but no such thing as the Local District Court).

So I called Gary Smith, on the number he gave me for the ATO.

“Australian Taxation Office, how may I help you,” the man answered the phone, in a heavy accent. I asked for Gary Smith and I told him my name. He asked if I was working as a freelance journalist. At this point I told him he was being recorded and he told me he “didn’t care”.

He repeated there was an outstanding amount in my name owing to the ATO. When I told him I was a journalist with The Sydney Morning Herald, and that I’d heard someone with a very similar accent be shamed on ABC radio that morning he said “oh no.”

Realising he’d been sprung he went on to tell me: “I am from the Russian mafia which deals in arms. Do you want grenades? I deal in bombs – fire in the hole.”

And then he hung up. And probably went on to another scam call.

How to spot a fake call from the Australian Taxation Office:

The ATO makes thousands of outbound calls to taxpayers each week, but there are key differences between a call from a scammer and a legitimate call from the ATO.
The ATO will not:
*   be abusive or offensive to you
*   threaten you with immediate arrest
*   ask you to transfer money into an account with a BSB that is not 092009 or 093003
*   request payment via unusual methods such as iTunes gift cards or other prepaid cards
*   request personal security information such as your TFN or your bank details via email or SMS or social media sites
*   ask you for money up front in order to receive a refund or other payment
*   direct you to download files from the internet.

The ATO will:

*   provide you with a range of options for paying debts, which are all set out on our website at
*   contact you by phone
*   if you are in doubt about the authenticity of a call claiming to be from the ATO, you can call us on 1800 008 540 to verify
*   you will generally be aware of any debt before it is due for payment, but you can check through your myGov account, your tax agent or by calling the ATO
*   send emails and SMS asking you to take specific action such as: provide additional information required to process a BAS or tax return lodge
*   provide additional information required regarding an application that’s been made
*   verify changes to an account
*   send general notifications and reminders via SMS or email
*   send promotional and informational SMS and emails.

Source: ATO


Henry Sapiecha

How to Avoid This Common Craigslist Car Buying Scam

One of the most common automobile sale scams I hear about is Curbstoning, so named because the transaction often takes place in front of a residence, at the “curb.” Curbstoning lulls a buyer into a false sense of security. Here’s how it works – and what to watch out for, particularly in the aftermaths of Harvey and Irma.


If you or I sell a car from our home, we might meet the prospective buyer in the street and show them the car. The low key transaction is quite different from the buyer-seller experience people encounter when at a car dealership. People let their guard down when they are simply kicking the tires in someone’s front yard or driveway.

Some unscrupulous sellers take advantage of this and purposely move their sales to such a setting. For example, a car dealer having a hard time moving a car off of his lot in an ugly part of town might advertise the car on Craigslist and give out a cell phone number to call. When a prospective buyer calls, the dealer will tell the shopper to meet him in front of his house where the car will be parked. The car’s perceived value is higher when being sold by an individual in a nice neighborhood than it would be when sold by a used car dealer in a bad part of town.

While the negotiation takes place in front of the residence, the seller will often provide paperwork showing the true seller is a dealer. In some states this practice is not illegal but shoppers should be wary of it. Clearly, the seller is putting one over on the buyer by misrepresenting the nature of the sale.

Curbstoning also encompasses the sale of cars by people who ought to be licensed as used car dealers but aren’t. In Michigan, anyone selling five or more cars in a calendar year needs to be licensed as a used car dealer. But there are many car flippers who don’t bother getting the licenses because of all the regulatory baggage they carry. Every neighborhood seems to have one of these people. The guy who has a different car For Sale in his driveway every few weeks.

The car shopper cannot always tell if they are dealing with someone who is in violation of this portion of the law. But many of these sellers–to try and stay off the radar of authorities–will “skip” the titles to the cars they sell. They’ll show you the title to the car has already been signed off by the previous owner–not the seller you are dealing with–and want to sell you the car without their name appearing in the chain of title. In most states this practice IS illegal if the seller is not a licensed dealer. And while these transactions may work out alright for the buyer they are rife with potential problems. Among other things the buyer cannot prove who they bought the car from. And they have to hope that the title was executed properly by the previous owner, the one who owned it before the Curbstoner sold it to them.

What has this got to do with the recent hurricanes? Hundreds of thousands of cars have been damaged in the past few weeks, many of which will end up in the stream of commerce being sold by unscrupulous sellers. Suppose a car flipper in another state gets one of these cars. What better way to unload it than to pretend it was a family car and is now simply being sold out in front of the family home far away from the hurricane zones?

If you are a car shopper and find yourself in front of someone’s house looking at a car for sale, there are a few things you should watch for. Ask to see the title to the car and make sure it is titled to the person you are talking to. If it’s not, I’d advise against purchasing the car. If the curb you are standing in front of is not in Texas or Florida but the car has a title from one of those two states, it might be a problem as well.

If you find the car listed on Craigslist or some other free platform, scan other ads to see if this seller’s phone number is listed with any other cars. Some Curbstoners will have several cars listed at the same time–which is a sign that the person you are dealing with is not a typical individual simply selling a car.

If the seller tells you that the paperwork for the car will be completed by a car dealer who is doing someone a “favor,” know that the car is being sold by a dealer. It is not a private sale. This may or may not matter to you but it is something to factor into the equation: The seller you are dealing with started off your relationship with a lie.

Curbstoning is always a problem you should be on the lookout for. It is even more important now, though, in light of how many flood damaged cars will be foisted on unsuspecting car shoppers.

Steve Lehto is a writer and attorney from Michigan. He specializes in Lemon Law and frequently writes about cars and the law. His most recent books include Preston Tucker and His Battle to Build the Car of Tomorrow, and Dodge Daytona and Plymouth Superbird: Design, Development, Production and Competition. He also has a podcast where he talks about these things.


Henry Sapiecha



Thieves are preying upon consumers when they need help the most by claiming to fix their bad credit.

In the credit repair scam, con artists claim they can erase bad credit, remove bankruptcies or liens and even create a new credit history. The thieves usually ask for an upfront payment in cash.

Legitimate credit repair companies are required to provide a person’s legal rights in a written contract, give a three-day window to cancel without any charge and provide the cost of the services.


  • Check your credit history and dispute inaccurate information
  • Do not pay for services before they are rendered
  • Obtain legitimate credit counseling from a nonprofit credit repair agency or your bank or credit union

For more information, you may contact the Fair Trade Commission at and the Consumer Financial Protection Bureau at


Henry Sapiecha

How to Avoid Being Scammed By a Flood-Damaged Car

Hurricane Harvey, as one example, will put thousands of flooded cars through auctions and possibly into your hands. Here’s how to know what to look for so you don’t buy a lemon of a car.


Hurricane Harvey has been devastating on the residents of Houston and the surrounding areas. Many will return to discover that their cars were damaged by the flood waters and will hopefully be able to work with their insurance companies to replace them quickly.

It is no surprise that these flooded cars will end up at salvage auctions in the region; many will be bought by rebuilders and sold on the used car market. These vehicles will be marked with a salvage or total-loss title, but there are many unscrupulous sellers that know how to hide the flood damage and even wash the titles so that they appear to be clear.

Thousands of vehicles are already arriving at Insurance Auto Auction and Copart auction lots and soon enough they will be approved for sale to dismantlers, exporters, rebuilders, and, in some cases, even the general public, so it won’t be long before we see some of these cars back on the road.

There are some guides out there on spotting flood damaged cars, but many are out of date and easily circumvented by modern rebuilders. But have no fear. Here are some tips that provide a much better method of spotting flood damage.


The first and easiest step to spotting a salvage car is to check the history based on the VIN. You’ll notice I did not call it a CarFax report because checking the history requires using multiple sources. The best place to start is the free national database from the National Insurance Crime Bureau. This database will tell you if a vehicle has been marked as salvage or stolen and allow you to eliminate it from your list before you spend money on any of the more detailed reports. If the VIN clears the NICB check, the next step is to run it through an NMVTIS provider. Luckily, there is also a free option there through which will tell you if the vehicle has been through a salvage auction along with some additional registration and sales data.

Once you’ve run the VIN through free sources, then you should run it through CarFax and AutoCheck. Even though it can get costly to run these reports, I always recommend running both as each one has some unique data sources that can offer additional information. The best strategy is usually to buy the multiple report option which will let you check multiple vehicles at a discounted rate. You may also find that dealers will offer a free CarFax for vehicles on their lot. It might be free, but I prefer to run them for myself as they can often be outdated or at worst, incorrect.


Even if a vehicle is clear on the reports, it doesn’t mean that nothing happened to it. Many cars without comprehensive insurance coverage will never see an insurance adjustor or a salvage auction, so they will continue to keep their clear title. Owners may try to repair them or sell them to rebuilders who will look to flip them. That’s what makes a pre-purchase inspection (PPI) so important. The traditional mindset to look for mud or rust on the car in order to spot flood damage does not always match with reality. This is due to the fact that a lot of the cars get partially cleaned up at the salvage auctions that they are carted off to immediately following a flood event. The last three flooded cars I’ve purchased at a salvage auction were all partially cleaned up by lot workers. We did not start to see signs of flood damage until we started peeling back the layers of the interior.

Some of the salvage auction cleaning services can get pretty in-depth. The ones near me usually wash off the exterior, clean and wash the engine compartment, vacuum the water out from the interior, and then detail it. Most importantly, they lubricate any visible electrical connections along with parts that are prone to rust. Once the cleaning is complete, they will usually insert a moisture absorber bin in the car in order to collect any residual moisture that evaporates. These detailing services are not malicious or meant to hide damage, but are an effort to preserve as many usable parts as possible in order to get the most money when they are auctioned.


Some of the cars that are sold at auction will go straight to a salvage yard and turn into recycled parts, but others are sold to dealers–or to shady curbstoners–who will try to quickly flip the cars. Some of these cars will get a proper cleaning and repair and go on to be sold with a disclosure of the damage, but others will get a superficial once-over in order to hit the spots which most buyers look for.

The proper way to spot thoroughly cleaned flood damaged cars starts with the seats. The seat rails will usually receive some cleaning and lubrication but the bolts which hold them to the floor are often covered by plastic trim, trapping water inside. Look underneath that plastic trim–it can easily be popped off with a common screwdriver. If the bolt head shows rust, the car is likely to have taken on water. The next step is to check under the dash. While visible electrical connectors may have been cleaned and lubricated, it is rare that wires and connectors higher up behind the dash are cleaned. You will often spot mud or water staining on these connectors if the car has been submerged.

The carpet can also be another giveaway that the car has seen water. In most cases, the carpet will have been cleaned and dried so it will not be visibly damp. If it looks too new for the car or like it does not fit snugly then it is likely that it has been removed for cleaning or replaced with a new one. There are also more invasive methods of checking the car, such as pulling back the carpet or removing a door panel to see if there is a water line. Most unscrupulous sellers will get spooked as soon as you start looking at seat bolts or under the dash.

These are all advanced inspection tips. The general guidelines of checking for visible water or rust damage should be your first steps before wasting your time digging deeper into the damage.

The Effects of Water Damage


FLOODED CARS: From exotic cars to mini vans, nearly 10-thousand now at the “grave-yard” car lot at the Royal Purple Raceway.

Even if a car is disclosed as being previously flooded and appears to have been repaired properly, there are still items that can pose issues in the future. The first thing I can tell you as a rebuilder is that if the car saw saltwater, then it is junk and can never be totally repaired as it will deteriorate over time. Avoid these cars at all costs. I have repaired freshwater cars and an NB Miata we own now is one of them.


Cleaning up that car involved removing the entire interior in order to clean the car down to the bare metal with a regimen of anti-bacterial and anti-mold cleaners along with replacing damaged electronics and taking steps to prevent rust in the future. This Miata was a good subject for such a restoration as the water was low enough not to reach the seats. If the water level is high then there is a chance that electronic modules that may be working at the time of the restoration may fail in the future due to rusting solder joints or circuit boards.


However, the absolute most important factor in considering a flood repaired car? The airbags. We’re all familiar with the Takata airbag scandal, where exposure to high temperature or moisture could break down the propellant inside the airbags, causing them to shoot shrapnel when deployed that could be potentially deadly for the driver or passengers. These airbags were recalled because there was a chance that they could create this shrapnel just from the humidity in the air, so you can imagine that it is almost inevitable that affected airbags will become faulty if they are submerged. If flooded cars with faulty airbags are put back on the road with the original, recalled, units still in place, they could be potentially deadly to the buyer.


There is no way to inspect an airbag without deploying it. If you insist on buying a flood-repaired car the only option you really have is to ask for a receipt showing that the airbags were replaced, otherwise you could be putting yourself in front of a bag full of shrapnel waiting to deploy.


I’ve bought and repaired more than a handful of flooded vehicles, but they have always been carefully inspected in order to ensure that the water level was low. That was followed by a thorough repair of all cosmetic and safety items. These vehicles have usually been for personal use and not intended for resale. I would personally never buy a flood-repaired vehicle unless I was the one that had repaired it. There are just too many variables to consider.

If you are looking to purchase a vehicle and see any of the signs of an improper repair or notice something that just doesn’t feel right, move on to the next car.


Henry Sapiecha

Woman posed as police officers in elaborate two-year ‘catfish’ scam

LAUREN Adderley took on a number of different identities to make her catfishing victim believe exactly what she wanted him to believe.


A JEALOUS woman who posed as fake police officers to control her ex-boyfriend and stop him from seeing other women has been jailed.

Lauren Adderley, 21, used “sophisticated catfish style behaviour” to convince her former partner Mitchell Lloyd, 22, he was part of a police investigation.

She even made the young man believe he was subject to police curfews, creating email accounts to pose as cops and threaten him with fines if he did not obey the orders.

Using fake names including Darren Clarke, Elaine Thomas and Robert Hay, the young woman jealously told him to end relationships he had started, and even that he was not allowed to speak to specific people — particularly other women.

In the elaborate scheme, she also pretended to be her own friends on Facebook to send messages to Lloyd, criticising him for going out with other girls.

In sentencing, Peter Rouch QC, said: “I do not know what was going through your mind in December 2014 but at that time you decided to deliberately adopt the persona of a police officer to contact Mitchell Lloyd.

“At that time, he did not want a relationship with you.

“For two years you controlled Mitchell Lloyd’s life, to the extent that you told him where he could go and who he could go out with.”

The threats even included fines of about $4900 if he did not obey.

The couple had met through mutual friends during a night out, with their brief sexual relationship ending after two months in 2014.

But in a victim impact statement, the young man said that he had felt pressurised and blackmailed for two years after the relationship.

At one point, Shrewsbury Crown Court heard the young woman had even threatened to kill herself with a pair of scissors, later telling him “No one can ever love you like I love you x.”

Recorder Rouch told her: “These are serious crimes, as he could not live his life properly during the two years that you committed these offences.

“You did that for your own benefit, whatever that may have been.”

It wasn’t until the young man told colleagues at work about the curfews — including one that told him he was no longer able to go to a public house he had taken his mother and sister to — that he alerted police.

Genuine officers were immediately able to deduce that the emails were fake, and traced them back to Adderley.

Paul Smith, defending, added: “Perhaps the key point in mitigation other than the early plea is her age. She was 18 when the offences began back in 2014.

“She has no previous convictions and has taken full responsibility for what she did.”

Jason Corden-Bowen, District Crown Prosecutor and Domestic Abuse Lead with West Midlands Crown Prosecution Service, said: “Lauren Adderley created a complicated fiction of multiple fake profiles interacting with each other to her own satisfaction and reason.

“She used this sophisticated catfish-style behaviour to completely manipulate the victim’s life, dictating when he could go out, where he could go and controlled his social interaction with other people for over two years.

“The impact her actions had on the victim’s life cannot be understated and I would like to pay tribute to him for helping bring Adderley to justice.”


Henry Sapiecha

Phishing? How to protect yourself from scam emails and much more

Don’t click on that email! Find everything you need to know in this phishing guide including how to protect yourself from one of the most common forms of cyber attack.


What is phishing?

Phishing is one of the easiest forms of cyber attack for a criminal to carry out, but one which can provide these crooks with everything they need to infiltrate every aspect of their targets’ personal and working lives.

Usually carried out over email – although the scam has now spread to social media, messaging services and apps – a basic phishing attack attempts to trick the target into doing what the scammer wants. That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.

The aim and the precise mechanics of the scams vary: victims might be tricked into clicking a link through to a fake webpage with the aim of persuading the user to enter personal information. Other campaigns involve tricking users into downloading and installing malware – for a stealthy approach to theft – or inadvertently installing ransomware, providing the attacker with much more immediate profit.

More complex phishing schemes can involve a long game, with hackers using fake social media profiles, emails and more to build up a rapport with the victim over months or even years in cases where specific individuals are targeted for specific data which they would only ever hand over to people they trusted.


That data can range from something as simple as an email address and password, to financial data such as credit card details or online banking credentials, or even personal data such as date of birth, address and a social security number.

In the hands of hackers, all of that can be used to carry out fraud, be it identity theft or using stolen data to buy things or even selling people’s private information on the dark web. In some cases, it’s done for blackmail or to embarrass the victim.

In other cases, phishing is one of the tools used for espionage or by state-backed hacking groups to spy on opponents and organisations of interest.

And anyone can be a victim, ranging from the Democratic National Committee, to critical infrastructure, to commercial businesses and even individuals.


Whatever the ultimate goal of the attack, phishing revolves around scammers tricking users into giving up data or access to systems in the mistaken belief they are dealing with someone they know or trust.

How does a phishing attack work?

A basic phishing attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks.

The sheer number of emails sent every single day means that it’s an obvious attack vector for cyber criminals. It’s estimated that 3.7 billion people send around 269 billion emails every single day.

Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day.

Most people simply don’t have the time to carefully analyse every message which lands in their inbox – and it’s this which phishers look to exploit in a number of ways.

Scams vary in their targets – some are aiming at unwary consumers. Here, their email subject line will be designed to catch the victim’s eye – common phishing campaign techniques include offers of prizes won in fake competitions such as lotteries or contests by retailers offering a ‘winning voucher’.

In this example, in order to ‘win’ the prize, the victims are asked to enter their details such as name, date of birth, address and bank details in order to claim. Obviously, there’s no prize and all they’ve done is put their personal details into the hands of hackers.

A young woman is overjoyed by message on her tablet computer stating she has won a prize, not realizing it is a scam.


Similar techniques are used in other scams in which attackers claim to be from banks looking to verify details, online shops attempting to verify non-existent purchases or sometimes — even more cheekily — attackers will claim to be from tech security companies and that they need access to information in order to keep their customers safe.

Other scams, usually more sophisticated, aim at business users. Here attackers might also pose as someone from within the same organisation or one of its suppliers and will ask you to download an attachment which they claim contains information about a contract or deal.

In many cases the file will unleash malicious software onto the system – often to harvest personal data, but in many cases it’s also used to deploy ransomware or rope systems into a botnet.

Attackers will often use high-profile events as a lure in order to reach their end goals. For example, a major campaign used the lure of the 2016 Olympic Games to help distribute malware in the run up to the event.

In many cases the malicious payload will be hidden inside a Microsoft Office document which requires the user to enable macros to run. The payload will trick the victim into enabling them by claiming that an update needs to be installed or permissions need to be given to allow the document to be viewed properly. But if users allow the payload to run, they and their company are likely to be in big trouble.

Why is phishing called phishing?

The overall term for these scams — phishing — is a modified version of ‘fishing’ except in this instance the fisherman is the cyber attacker and they’re trying to catch you and reel you in with their sneaky email lure.

It’s also likely a reference to hacker history: some of the earliest hackers were known as ‘phreaks’ or ‘phreakers’ and it’s likely a reference back to that.

When did phishing begin?

The consensus is the first example of the word phishing occurred in the mid-1990s with the use of software tools like AOHell which attempted to steal AOL user names and passwords.

These early attacks were successful because it was a new type of attack, something users hadn’t seen before. AOL provided warnings to users about the risks, but phishing remained successful and it’s still here over 20 years on. In many ways, it has remained very much the same for one simple reason – because it works.

How did phishing evolve?

While the fundamental concept of phishing hasn’t changed much, there have been tweaks and experimentations across two decades as technology and how we access the internet has changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams as home internet use took off and a personal email address started to become more common.

Many early phishing scams came with tell-tale signs that they were not legitimate – including strange spelling, weird formatting, low-res images and messages which often didn’t make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats which meant that these attacks still found success – many of these are still effective.

Some phishing campaigns remain really, really obvious to spot – like the prince who wants to leave his fortune to you, his one long lost relative – but others have become so advanced that it’s virtually impossible to tell them apart from authentic messages. Some might even look like they come from your friends, family, colleagues or even your boss.

What’s the cost of phishing attacks?

It’s hard to put a total cost on the fraud that flows from phishing scams, but earlier this year the FBI suggested that the impact of such scams could be costing US business somewhere around $5bn a year, with thousands of companies hit by scams every year.

One example of a high profile incident: in July 2017 MacEwan University in Edmonton, Alberta, Canada fell victim to a phishing attack.

“A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of $11.8 million to a bank account that staff believed belonged to the vendor,” the university said in a statement.

What types of phishing scams are there?

The ‘spray and pray’ is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users. These are the ‘URGENT message from your bank’ and ‘You’ve won the lottery’ messages which look to panic victims into making an error — or blind them with greed.

Schemes of this sort are so basic that there’s often not even a fake webpage involved – victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, simply appearing as a blank message with a malicious attachment to download. This is the way Locky ransomware is spread and it’s one of the most effective forms of the file-encrypting malware around.

A simple Locky distribution phishing email – it looks basic, but if it didn’t work, attackers wouldn’t be using it.

These attacks are mostly ineffective, but the sheer number of messages being sent out means that there will be people who fall for the scam and inadvertently send details to cyber attackers who’ll exploit the information in any way they can.

What is spear phishing?

Spear phishing is more advanced than a regular phishing message and aims at specific groups or even particular individuals. Instead of vague messages being sent, criminals design them to target anything from a specific organisation, to a department within that organisation or even an individual in order to ensure the greatest chance that the email is read and the scam is fallen for.

It’s these sorts of specially crafted messages which have often been the entry point for a number of high profile cyber attacks and hacking incidents.

At a consumer level, it can be designed to look like an update from your bank, it could say you’ve ordered something online, it could relate to any one of your online accounts. Hackers have even been known to seek out victims of data breaches and pose as security professionals warning victims of compromise – and that targets should ensure their account is still secure by entering their account details into this handy link.

While spear phishing does target consumers and individual internet users, it’s much more effective for cyber criminals to use it as a means of infiltrating the network of a target organisation.


Lure document used in a ransomware attack against a hospital – attackers used official logos and names to make the email and the attachment look legitimate.

This particular type of phishing message can come in a number of forms including a false customer query, a false invoice from a contractor or partner company, a false request to look at a document from a colleague, or even in some cases, a message which looks as if it comes directly from the CEO or another executive.

Rather than being a random message, the idea is to make it look as if it has come from a trusted source, and coax the target into either installing malware or handing over confidential credentials or information. These scams take more effort but there’s a bigger potential payback for crooks too.

What is CEO fraud?

CEO fraud is a very specific type of phishing campaign which usually targets staff in the financial or human resources department of a business.

The target receives an email from the attacker which is disguised to look as if it comes from the CEO of the company or some other high level executive and – sometimes after a period of small talk to build up trust – it requests an urgent transfer of money to a particular account.


CEO fraud sees attackers posing as executives and sending multiple messages back and forth with victims. Image: Trend Micro

Usually some sort of business reason is given such as the funds being required for a new contract or something similar. Of course, this message isn’t from the CEO at all and the account doesn’t belong to anyone within the company, but rather the attacker, who, before the victim understands what is going on, has made off with a significant sum.

It’s thought that at least $5 billion has been lost as a result of this particular form of phishing scam and law enforcement has warned that it continues to rise.

Other types of phishing attacks

While email still remains a large focus of attackers carrying out phishing campaigns, the world is very different to how it was when phishing first started. No longer is email the only means of targeting a victim as the rise of mobile devices, social media and more have provided attackers with a wider variety of vectors to use for attacking victims.

Social media phishing

With billions of people around the world using social media services such as Facebook, LinkedIn and Twitter, attackers are no longer restricted to using one means of sending messages to potential victims.

Some attacks are simple and easy to spot: a Twitter bot might send you a private message containing a shortened URL which leads to something bad such as malware or maybe even a fake request for payment details.

But there are other attacks which play a longer game. A common tactic used by phishers is to pose as a person – often an attractive woman – using photos ripped from the internet, be it stock imagery or someone’s public profile. Often these are just harvesting Facebook ‘friends’ for some future nefarious means and don’t actually interact with the target.

However, sometimes plain old catfishing comes into play, with the attacker establishing a dialogue with the (often male) target – all while posing as a fake persona.


The ‘Mia Ash’ social media phishing campaign saw attackers operate a fake social media presence as if the fake persona was real. Image: SecureWorks

After a certain amount of time – it could be hours, it could be months – the attacker might concoct a false story and ask the victim for details of some kind such as bank details, information, even login credentials, before disappearing into the ether with their gains.

These campaigns can be completely random, but some are specifically targeted with hackers running an entire online persona of a fake person across multiple social media sites in order to look like an authentic, real living person.

One campaign of this nature targeted individuals in organisations in the financial, oil and technology sectors with advanced social engineering based around a single, prolific social media persona that was absolutely fake.

Those behind ‘Mia Ash’ are thought to have been working on behalf of the Iranian government and tricked victims into handing over login credentials and private documents.

SMS and mobile phishing

The rise of mobile messaging services – Facebook Messenger and WhatsApp in particular – has provided phishers with a new method of attack, with the fact that smartphones are now in the pocket of the victims making them almost immediately accessible.

Attackers don’t even need to use emails or instant messaging apps in order to meet the end goal of distributing malware or stealing credentials – the internet connected nature of the modern phone means text messages are also an effective attack vector.

An SMS phishing – or Smishing – attack works in much the same way as an email attack, presenting the victim with a fraudulent offer or fake warning as a malicious incentive to click through to a malicious URL.


Text messages offer another attack vector to criminals. Image: Action Fraud

The nature of text messaging means the smishing message is short and designed to grab the attention of the victim, often with the aim of panicking them into clicking on the phishing URL within. A common attack by smishers is to pose as a bank and fraudulently warn that the victim’s account has been closed, had finances from it withdrawn or is otherwise compromised.

The truncated nature of the message often doesn’t provide the victim with enough information to realise the message is fraudulent, especially when text messages don’t contain tell-tale signs such as a sender address.

Once the victim has clicked on the link, the attack works in the same way as a regular phishing attack, with the victim duped into handing over their information and credentials to the perpetrator.

How to spot a phishing attack

The whole point of attackers carrying out phishing attacks is to use deception in order to trick victims into compromising themselves, be it by installing malware onto the network, handing over login credentials or parting with financial data.

While at its heart phishing remains one of the most basic forms of cyber attack, the simple fact of the matter is that it works – and it’s been working for over two decades.

While many in the information security sector might raise an eyebrow when it comes to the lack of sophistication of some phishing campaigns, it’s easy to forget that there are billions of internet users – and every day there are people who are only accessing the internet for the first time.

Large swathes of internet users therefore won’t even be aware about the potential threat of phishing, let alone that they might be targeted by attackers using it – why would they even suspect that the message in their inbox isn’t actually from the organisation or even friend it says it’s from?

But while some phishing campaigns are so sophisticated and specially crafted that the message looks totally authentic, there are some key give-aways in less advanced campaigns which can make it obvious to spot an attempted attack.

Signs of phishing: Poor spelling and grammar

Many of the less professional phishing operators still make basic errors in their messages – notably when it comes to spelling and grammar.

Official messages from any major organisation are unlikely to contain bad spelling or grammar, let alone repeated instances throughout the body – so poorly written messages should act as an immediate warning that the message might not be legitimate.

It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services they still struggle to make messages sound natural.

Shortened or odd URLs in phishing emails

It’s very common for email phishing messages to coerce the victim into clicking through a link to a malicious or fake website designed for malicious purposes.

Many examples of phishing attacks will invite the victim to click through to an official-looking URL. However, if the user takes a second to examine the link more closely, they can hover the pointer over it and often find that while the text seems like the legitimate link, the actual web address is different.

In some instances, it can simply be a shortened URL, whereby the attackers hope the victim won’t check the link at all and just click through. In other instances, attackers will take a minor variation on a legitimate web address and hope the user doesn’t notice.

"Minsk, Belarus - October 27, 2011: Official website Blizzard. Photo taken from the monitor."


Attackers tried to take advantage of the Blizzard data breach by sending phishing emails claiming to be from Blizzard about account security

For example, a campaign once targeted online gamers after game developer Blizzard was hacked. Attackers spammed messages claiming that the victim had their World of Warcraft account compromised in the breach and asked them to click on a link and enter their details in order to secure it. The malicious link had only one minor difference to the real URL – the L in ‘World’ had been switched to a 1.

Ultimately, if you are suspicious of a URL in an email, hover over it to examine the landing page address and if it looks fake, don’t click on it. And check that it is the correct URL and not one that looks very similar but slightly different to that which you’d usually expect.


A strange or mismatched sender address

You receive a message that looks to be from an official company account. The message warns you that there’s been some strange activity using your account and urges you to click the link provided to verify your login details and the actions which have taken place.

The message looks legitimate, with good spelling and grammar, the correct formatting and the right company logo, address and even contact email address in the body of the message. But what about the sender address?

In many instances, the phisher can’t fake a real address and just hopes that readers don’t check. Often the sender address will just be listed as a string of characters rather than as sent from an official source.

Another trick is to make the sender address look almost exactly like the company – for example, one campaign claiming to be from ‘Microsoft’s Security Team’ urged customers to reply with personal details to ensure they weren’t hacked. However, there isn’t a division of Microsoft with that name – and it probably wouldn’t be based in Uzbekistan, where the email was sent from.

Keep an eye on the sender address to ensure that the message is legitimately from who it says it is.
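The sender checks above can be expressed as a small header test. This is an added example, not part of the original article: it compares the brand claimed in the display name with the domain of the actual address, and also flags a Reply-To that points elsewhere and a local part that looks like a random string of characters. The brand table, the thresholds and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: brands we expect and the domains they send from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}

# Constructed sample: the display name claims a brand, the address does not match.
SPOOFED = """\
From: "Microsoft's Security Team" <x7k2q9vb41zt@mail-secure.example>
Reply-To: helpdesk@collect.example
Subject: Unusual sign-in activity

Reply with your details to keep your account.
"""

# Constructed sample: the display name and the address domain agree.
CONSISTENT = """\
From: "Microsoft account team" <no-reply@account.microsoft.com>
Subject: Your monthly summary

Nothing to do.
"""

def domain_of(address):
    """Domain part of an e-mail address, lower-cased, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def looks_random(local_part):
    """Heuristic (assumed thresholds): long local part with many digits."""
    if len(local_part) < 10:
        return False
    digits = sum(ch.isdigit() for ch in local_part)
    return digits / len(local_part) >= 0.3

def check_sender(raw_message):
    """Return the list of reasons the sender headers look suspicious."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = domain_of(address)
    reasons = []
    # The name shown in the mail client claims a brand the address is not from.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and not belongs_to(domain, allowed):
            reasons.append("display-name-claims-" + brand)
    # Replies would go to a different domain than the one the mail claims.
    if reply_to and domain_of(reply_to) != domain:
        reasons.append("reply-to-differs")
    if looks_random(address.split("@")[0]):
        reasons.append("random-looking-local-part")
    return reasons

if __name__ == "__main__":
    print(check_sender(SPOOFED))
    print(check_sender(CONSISTENT))
```

A From header that passes these checks can still be forged, so the result is one signal to weigh alongside the receiving server's sender-authentication results.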

The message looks strange and too good to be true

Congratulations! You’ve just won the lottery/free airline tickets/a voucher to spend in our store – now just provide us with all of your personal information including your bank details to claim the prize. As is the case with many things in life, if it seems too good to be true, it probably is.

In many cases, phishing emails with the aim of distributing malware will be sent in a blank message containing an attachment – never clicking on mysterious, unsolicited attachments is a very good tactic when it comes to not falling victim.

Even if the message is more fleshed out and looks as if it came from someone within your organisation, if you think the message might not be legitimate, contact someone else in the company – over the phone or in person rather than over email if necessary – to ensure that they really did send it.

How to protect against phishing attacks

Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.

Exercises such as enabling staff to make errors – and crucially learn from them – in a protected sandbox environment or carrying out authorised penetration testing against employees can both be used to help alert users to potential threats and how to spot them.

At a technical level, disabling macros from being run on computers in your network can play a big part in protecting employees from attacks. Macros aren’t designed to be malicious – they’re designed to help users perform repetitive tasks with keyboard shortcuts.


Documents dropped by phishing attacks often ask the victim to enable Macros so as to enable the malicious payload to work. Image: Digital Guardian

However, the same processes can be exploited by attackers in order to help them execute malicious code and drop malware payloads.

Most newer versions of Office automatically disable macros, but it’s worth checking to ensure that this is the case for all the computers on your network – it can act as a major barrier to phishing emails attempting to deliver a malicious payload.

The future of phishing

It might have been around for almost twenty years, but phishing remains a threat for two reasons – it’s simple to carry out – even by one-person operations – and it works, because there’s still plenty of people on the internet who aren’t aware of the threats they face. And even the most sophisticated users can be caught out from time to time.

For seasoned security personnel or technologically savvy people, it might seem strange that there are people out there who can easily fall for a ‘You’ve won the lottery’ or ‘We’re your bank, please enter your details here’.

But there are billions of people in the world who don’t regularly use the internet or are just unaware that the internet is something which criminals might use to target them. Unfortunately, criminals are there looking to scam and deceive people and it’s easiest to do it to people who are naive or overly trusting. And the low cost of phishing campaigns and the extremely low chances of scammers getting caught means it remains a very attractive option for fraudsters.

Because of this, phishing will continue as cyber criminals look to profit from stealing data and dropping malware in the laziest way possible. But it can be stopped and by knowing what to look for and by employing training when necessary, you can try to ensure that your organisation doesn’t become a victim.



Henry Sapiecha

Man in Qld Australia scammed of $400,000 for worthless scrap paper


A WEALTHY Queensland man has lost $400,000 buying blackened “US bank notes” that turned out to be worthless pieces of scrap paper.

The notorious “black money” sting has hit Queensland before, but never on the scale inflicted on one hapless investor in Brisbane.

In a separate scam, two pensioner brothers from Longreach have been fleeced of $350,000 after being conned into believing they’d won a $23 million lottery.

And a Brisbane woman was talked into buying $89,000 worth of iTunes cards after being convinced she was helping Telstra catch computer hackers.

Police say these are some of the latest victims of a barrage of scams hitting the state, with 90 Queenslanders a day reporting they have been conned.

In the “black money” sting, scammers convinced the victim they had genuine US bank notes that had been coated in black paint.

A liquid solution was meant to clean the notes, but after buying them at a reduced rate the victim was left with scrap paper rather than the millions of dollars in profit that had been promised.

The scheme is also known as the Nigerian “wash wash” scam due to it reportedly originating in the African country about 17 years ago.


The Longreach brothers were in partial care when they were told they had won 15.5 million euros ($23.2 million).

They had been targeted by what is known as an “advance fee fraud”, in which victims hand over money on the promise they will receive a lottery win or inheritance.

Detective Superintendent Terry Lawrence, head of the police Financial and Cyber Crimes Group, warned that vulnerable people were still falling for the scam despite it operating for years.

“They pushed $350,000 out in the belief they would be getting all these millions back,” Supt Lawrence said.

“It was their life savings for their care and everything like that. It’s just gone.”

The iTunes card scam involved a fake Telstra worker convincing the Brisbane woman her computer had been hacked.

The scammer then convinced the woman Telstra was transferring money to her account to help catch the hacker.

Over three days in July, she bought $89,000 worth of iTunes cards and handed them over, her money gone with little chance of a recovery.

The names of major brands such as energy retailers, phone companies and supermarkets are frequently used in the scams.

Bargain hunters, gamblers, online dating users and business owners are among those targeted, with some schemes tailored to match the time of the year.

“At tax time they do the Australian Taxation Office. Come Christmas it will be online sales or hotel accommodation,” Supt Lawrence said.

But it is believed only a fraction of those scammed report their losses to authorities.

In a recent investigation into a Gold Coast boiler room operation, police established there were about 1000 victims but only 200 came forward.

“A lot of people don’t report because they’re embarrassed – or it’s an amount they don’t think is worth reporting,” Supt Lawrence said.

Detective Senior Constable Andrew Browne, also from the financial crimes squad, said scam messages purporting to be from firms such as Telstra or Origin Energy were sent to 100,000 people or more at a time.

“They know they’re the biggest providers of power or phone bills so therefore they’ve got their biggest chance of success. They’re all trusted brands people use,” Constable Browne said.

In another scam busted by police this year, a Gold Coast man who paid for a brand-name BBQ was one of hundreds of people who ordered goods from a sham online trader that never delivered.

Two Latvian fake traders were advertising discounted Weber barbecues and other goods online but customers never received them. The pair was arrested in Brisbane and charged with multiple counts of fraud.

A new Queensland police campaign, R U in Control, is publicising scams as they occur.

Supt Lawrence said: “If people just take that second to have a bit of a think before falling for it, we could prevent much of this fraud together. You decide, not the scammers.”



Henry Sapiecha

Dr Con Man: the rise and fall of a celebrity scientist who fooled almost everyone. Macchiarini

Surgeon Paolo Macchiarini was hailed for turning the dream of regenerative medicine into a reality – until he was exposed as a con artist and false prophet


Scientific pioneer, superstar surgeon, miracle worker – that’s how Paolo Macchiarini was known for several years. Dressed in a white lab coat or in surgical scrubs, with his broad, handsome face and easy charm, he certainly looked the part. And fooled almost everyone.

Macchiarini shot to prominence back in 2008, when he created a new airway for Claudia Castillo, a young woman from Barcelona. He did this by chemically stripping away the cells of a windpipe taken from a deceased donor; he then seeded the bare scaffold with stem cells taken from Castillo’s own bone marrow. Castillo was soon back home, chasing after her kids. According to Macchiarini and his colleagues, her artificial organ was well on the way to looking and functioning like a natural one. And because it was built from Castillo’s own cells, she didn’t need to be on any risky immunosuppressant drugs.

This was Macchiarini’s first big success. Countless news stories declared it a medical breakthrough. A life-saver and a game-changer. We now know that wasn’t true. However, the serious complications that Castillo suffered were, for a long time, kept very quiet.

Meanwhile, Macchiarini’s career soared. By 2011, he was working in Sweden at one of the world’s most prestigious medical universities, the Karolinska Institute, whose professors annually select the winner of the Nobel prize in physiology or medicine. There he reinvented his technique. Instead of stripping the cells from donor windpipes, Macchiarini had plastic scaffolds made to order. The first person to receive one of these was Andemariam Beyene, an Eritrean doctoral student in geology at the University of Iceland. His recovery put Macchiarini on the front page of the New York Times.

Macchiarini was turning the dream of regenerative medicine into a reality. This is how NBC’s Meredith Vieira put it in her documentary about Macchiarini, appropriately called A Leap of Faith: “Just imagine a world where any injured or diseased organ or body part you have is simply replaced by a new artificial one, literally manmade in the lab, just for you.” This marvelous world was now within reach, thanks to Macchiarini.

Last year, however, the dream soured, exposing an ugly reality.

Macchiarini gave his “regenerating” windpipes to 17 or more patients worldwide. Most, including Andemariam Beyene, are now dead. Those few patients who are still alive – including Castillo – have survived in spite of the artificial windpipes they received.

In January 2016, Macchiarini received an extraordinary double dose of bad press. The first was a Vanity Fair article about his affair with Benita Alexander, an award-winning producer for NBC News. She met Macchiarini while producing A Leap of Faith and was soon breaking one of the cardinal rules of journalism: don’t fall in love with the subject of your story.

By the time the program aired, in mid-2014, the couple were planning their marriage. It would be a star-studded event. Macchiarini had often boasted to Alexander of his famous friends. Now they were on the wedding guest list: the Obamas, the Clintons, Vladimir Putin, Nicolas Sarkozy and other world leaders. Andrea Bocelli was to sing at the ceremony. None other than Pope Francis would officiate, and his papal palace in Castel Gandolfo would serve as the venue. That’s what Macchiarini told his fiancee.


Macchiarini at work. Photograph: TT News Agency/Press Association Images

But as the big day approached, Alexander saw these plans unravel, and finally realised that her lover had lied about almost everything. The pope, the palace, the world leaders, the famous tenor – they were all fantasies.

Likewise the whole idea of a wedding: Macchiarini was still married to his wife of 30 years.

Macchiarini’s deceit was so outlandish, Vanity Fair sought the opinion of the Harvard professor Ronald Schouten, an expert on psychopaths, who gave this diagnosis-at-a-distance: “Macchiarini is the extreme form of a con man. He’s clearly bright and has accomplishments, but he can’t contain himself. There’s a void in his personality that he seems to want to fill by conning more and more people.”

Which left a big, burning question in the air: if Macchiarini was a pathological liar in matters of love, what about his medical research? Was he conning his patients, his colleagues and the scientific community?

The answer came only a couple of weeks later, when Swedish television began broadcasting a three-part exposé of Macchiarini and his work.


Called Experimenten (The Experiments), it argued convincingly that Macchiarini’s artificial windpipes were not the life-saving wonders we’d all been led to believe. On the contrary, they seemed to do more harm than good – something that Macchiarini had for years concealed or downplayed in his scientific articles, press releases and interviews.

Faced with this public relations disaster, the Karolinska Institute immediately promised to investigate the allegations but then, within days, suddenly announced that Macchiarini’s contract would not be extended.

Macchiarini’s fall was swift, but troubling questions remain about why he was allowed to continue his experiments for so long. Some answers have emerged from the official inquiries into the Karolinska Institute and the Karolinska University hospital. They identified many problems with the way the twin organisations handled him.

Macchiarini’s fame had won him well-placed backers. These included Harriet Wallberg, who was the vice-chancellor of the Karolinska Institute in 2010, when Macchiarini was recruited. She pushed through his appointment despite the fact that he had some very negative references and dubious claims on his résumé.

This set a dangerous example. It showed department heads and colleagues that they should give Macchiarini special treatment.

He could do pretty much as he pleased. In the first couple of years at Karolinska, he put plastic airways into three patients. Since this was radically new, Macchiarini and his colleagues should have tested it on animals first. They didn’t.

Likewise, they didn’t undertake a proper risk assessment of the procedure, nor did Macchiarini’s team seek government permits for the plastic windpipes, stem cells, and chemical “growth factors” they used. They didn’t even seek the approval of Stockholm’s ethical review board, which is based at Karolinska.

Though Macchiarini was in the public eye, he was able to sidestep the usual rules and regulations. Or rather, his celebrity status helped him do so. Karolinska’s leadership expected big things from their superstar, things that would bring prestige and funding to the institute.

They also cited a loophole known as “compassionate use”. Macchiarini, they claimed, wasn’t really doing clinical research. No, he was just caring for his patients who were, one and all, facing certain death with no other treatment options available and no time to waste. In such dire circumstances, new treatments can be tried as a last resort.

This argument didn’t wash with those who later investigated the case. In their view, Macchiarini was certainly engaged in clinical research. Besides which, compassionate concerns don’t override the basic principles of patient safety and informed consent. Macchiarini, meanwhile, said he “did not accept” the findings of the disciplinary board.

As it turned out, Macchiarini’s patients weren’t all at death’s door at the time he treated them. Andemariam Beyene, for instance, had recurrent cancer of the windpipe but, aside from a cough, was still in good health. But even if his days had been numbered, this didn’t necessarily justify what Macchiarini put him through.

Beyene’s death two and a half years after the operation, caused by the failure of his artificial airway, was a grueling ordeal. According to Pierre Delaere, a professor of respiratory surgery at KU Leuven, Belgium, Macchiarini’s experiments were bound to end badly. As he said in Experimenten: “If I had the option of a synthetic trachea or a firing squad, I’d choose the last option because it would be the least painful form of execution.”


Claudia Castillo with Dr Paolo Macchiarini.

Delaere was one of the earliest and harshest critics of Macchiarini’s engineered airways. Reports of their success always seemed like “hot air” to him. He could see no real evidence that the windpipe scaffolds were becoming living, functioning airways – in which case, they were destined to fail. The only question was how long it would take – weeks, months or a few years.

Delaere’s damning criticisms appeared in major medical journals, including the Lancet, but weren’t taken seriously by Karolinska’s leadership. Nor did they impress the institute’s ethics council when Delaere lodged a formal complaint.

Support for Macchiarini remained strong, even as his patients began to die. In part, this is because the field of windpipe repair is a niche area. Few people at Karolinska, especially among those in power, knew enough about it to appreciate Delaere’s claims. Also, in such a highly competitive environment, people are keen to show allegiance to their superiors and wary of criticising them. The official report into the matter dubbed this the “bandwagon effect”.

With Macchiarini’s exploits endorsed by management and breathlessly reported in the media, it was all too easy to jump on that bandwagon.


And difficult to jump off. In early 2014, four Karolinska doctors defied the reigning culture of silence by complaining about Macchiarini. In their view, he was grossly misrepresenting his results and the health of his patients. An independent investigator agreed. But the vice-chancellor of Karolinska Institute, Anders Hamsten, wasn’t bound by this judgement. He officially cleared Macchiarini of scientific misconduct, allowing merely that he’d sometimes acted “without due care”.

For their efforts, the whistleblowers were punished. When Macchiarini accused one of them, Karl-Henrik Grinnemo, of stealing his work in a grant application, Hamsten found him guilty. As Grinnemo recalls, it nearly destroyed his career: “I didn’t receive any new grants. No one wanted to collaborate with me. We were doing good research, but it didn’t matter … I thought I was going to lose my lab, my staff – everything.”

This went on for three years until, just recently, Grinnemo was cleared of all wrongdoing.

The Macchiarini scandal claimed many of his powerful friends. The vice-chancellor, Anders Hamsten, resigned. So did Karolinska’s dean of research. Likewise the secretary-general of the Nobel Committee. The university board was dismissed and even Harriet Wallberg, who’d moved on to become the chancellor for all Swedish universities, lost her job.

Unfortunately, the scandal is much bigger than Karolinska, which accounts for only three of the patients who have received Macchiarini’s “regenerating” windpipes.

The other patients were treated at hospitals in Barcelona, Florence, London, Moscow, Krasnodar, Chicago and Peoria. None of these institutions have faced the same kind of public scrutiny. None have been forced to hold full and independent inquiries. They should be.


Paolo Macchiarini at a press conference in 2008.

If the sins of Karolinska have been committed elsewhere, it is partly because medical research facilities share a common milieu, which harbours common dangers. One of these is the hype surrounding stem cells.

Stem cell research is a hot field of science and, according to statistics, also a rather scandal-prone one. Articles in this area are retracted 2.4 times more often than the average for biomedicine, and over half of these retractions are due to fraud.

Does the “heat” of stem cell research – the high levels of funding, prestige and media coverage it enjoys – somehow encourage fraud? That’s what our experience of medical research leads us to suspect. While there isn’t enough data to actually prove this, we do have some key indicators.

We have, for example, a growing list of scientific celebrities who have committed major stem cell fraud. There is South Korea’s Hwang Woo-suk who, in 2004, falsely claimed to have created the first human embryonic stem cells by means of cloning. A few years ago, Japan’s Haruko Obokata pulled a similar con when she announced to the world a new and simple – and fake – method of turning ordinary body cells into stem cells.

Hwang, Obokata and Macchiarini were all attracted to the hottest regions of stem cell research, where hope for a medical breakthrough was greatest. In Macchiarini’s case, the hope was that patients could be treated with stem cells taken from their own bone marrow.

Over the years, this possibility has generated great excitement and a huge amount of research. Yet, for the vast majority of such treatments, there is little solid evidence that they work. (The big exception is blood stem cell transplantation, which has been saving the lives of people with leukemia and other cancers of the blood for decades.)

It’s enough to worry officials from the US Food and Drug Administration (FDA). They recently published an article in the New England Journal of Medicine admitting that stem cell research has mostly failed to live up to its therapeutic promise.

An alarmingly wide gap has grown between what we expect from stem cells and what they deliver. Each new scientific discovery brings a flood of stories about how it will revolutionise medicine one day soon. But that day is always postponed.

An unhappy result of this is the rise of pseudo-scientific therapies. Stem cell clinics have sprung up like weeds, offering to treat just about any ailment you can name. In place of clinical data, there are gushing testimonials. There are also plenty of desperate patients who believe – because they’ve been told countless times – that stem cells are the cure, and who cannot wait any longer for mainstream medicine. They and their loved ones fall victim to false hope.

Scientists can also suffer from false hope. To some extent, they believed Macchiarini because he told them what they wanted to hear. You can see this in the speed with which his “breakthroughs” were accepted. Only four months after Macchiarini operated on Claudia Castillo, his results – provisional but very positive – were published online by the Lancet. Thereafter it was all over the news.

The popular press also has a lot to answer for. Its love of human interest stories makes it sympathetic to unproven therapies. As studies have shown, the media often casts a positive light on stem cell tourism, suggesting that the treatments are effective and the risks low. It did much the same for Macchiarini’s windpipe replacements. A good example is the NBC documentary A Leap of Faith. It’s fascinating to rewatch – as a lesson on how not to report on medical science.

It is fitting that Macchiarini’s career unravelled at the Karolinska Institute. As the home of the Nobel prize in physiology or medicine, one of its ambitions is to create scientific celebrities. Every year, it gives science a show-business makeover, picking out from the mass of medical researchers those individuals deserving of superstardom. The idea is that scientific progress is driven by the genius of a few.

It’s a problematic idea with unfortunate side effects. A genius is a revolutionary by definition, a risk-taker and a law-breaker. Wasn’t something of this idea behind the special treatment Karolinska gave Macchiarini? Surely, he got away with so much because he was considered an exception to the rules with more than a whiff of the Nobel about him. At any rate, some of his most powerful friends were themselves Nobel judges until, with his fall from grace, they fell too.

If there is a moral to this tale, it’s that we need to be wary of medical messiahs with their promises of salvation.


Henry Sapiecha