SINGAPORE: Over more than three years, a finance manager siphoned about S$1.3 million from company accounts using Internet-banking tokens meant for his CEO and general manager.
For multiple counts of unauthorised access to computer material between January 2015 and March 2017, Cheng Jun was sentenced on Monday (Mar 30) to three years and nine months' jail.
The court heard that Cheng, 33, worked as a financial manager at Sinopay Singapore, a subsidiary of the Sinopay Group which provides bankcard and financial services.
He was tasked to manage the company's business accounting and human resources, including billing accounts, payments to customers and employee salaries.
Cheng's CEO, Mr Christopher Chuang Tze Chung, applied for Internet-banking facilities for Sinopay Singapore's three UOB accounts.
Cheng helped his boss fill out the application forms for three ibanking tokens - for use by Mr Chuang, Sinopay's general manager and Cheng himself. Mr Chuang was supposed to approve transactions before they were made.
However, as Mr Chuang lived in Hong Kong, Cheng was tasked with receiving the UOB ibanking tokens that were delivered to Sinopay's Kallang address.
Instead of sending the CEO his Internet account information along with Mr Chuang's token, Cheng sent only the confirmation letter, without the accompanying ibanking token.
Mr Chuang was not aware of the existence of the physical ibanking tokens and signed the confirmation letter, before dispatching it back to Cheng.
Cheng did the same with the general manager, sending only the letter and not the ibanking token.
He kept all three ibanking tokens and logged into the accounts using the initial passwords UOB had provided.
Cheng began logging into the ibanking services to transfer funds from Sinopay's accounts to his own, without Mr Chuang's knowledge or authorisation.
He spent the money on his personal expenses and gambling at casinos, transferring a total of S$1,293,496.17 to himself.
He evaded detection at first by claiming that the transfers were for work-related purposes such as payments of claims and allowances, said Deputy Public Prosecutor Jordon Li.
CEO FLIES TO SINGAPORE, DISCOVERS CRIMES
The crimes went unnoticed until February 2017, when the CEO travelled to Singapore to apply for Sinopay to be listed.
He checked the company's bank account summary and found numerous unknown ibanking transfers. He checked with the bank, before confronting Cheng in the office on Mar 6, 2017.
The CEO then called 999 that day, reporting that one of his employees had stolen a million dollars from his company.
Cheng transferred S$20,000 back to Sinopay's bank account that day when caught, and the police later froze his OCBC bank account, which had a balance of S$135,400.
They also froze his wife's UOB account, which held about S$11,000 from Cheng's account.
The police also seized a Nissan Qashqai car which Cheng had bought using the criminal proceeds. The car has since been returned to Sinopay and sold.
Cheng pleaded guilty to 14 charges under the Computer Misuse and Cybersecurity Act, with another 22 charges taken into consideration for sentencing.
The prosecutor asked for five years' jail, noting that Cheng had committed the offences over a significant period of time, with substantial premeditation as he had surreptitiously gained control of the ibanking accounts.
He added that Cheng had abused the trust placed in him and was motivated by financial gain.
Defence lawyer Amarjit Singh asked instead for three years and four months' jail, saying that his client is remorseful and that the five years sought by the prosecution was "too crushing".
He said his client suffered from a gambling addiction and "is firmly resolved to seek help" for this.
For each charge, Cheng could have been jailed for up to two years, fined a maximum S$5,000, or both.