Couple lose £120k in email scam
Discussion
Even for the Guardian the comments are truly insane.
I just don't get why anyone would send sums like this without checking the details, this type of fraud has been massively publicised.
The name thing is a total red herring, many companies trade as one name but are really called something else.
Mojooo said:
Making fraudsters set up bank accounts in the right name would slow things down and make it much harder though
You are right of course that many will fudge it up when inputting data - perhaps there could be a database so that when you put in the AC and SC it shows you the recipient's name.
When I do a transfer online through Lloyds, it tells me the name of the recipient and the account holding branch from the sort code and account number. For any bank I’ve tried - not just Lloyds.
I sent money for a car I bought privately to an RBS account and it showed me the recipient’s name before I confirmed the transfer
Mojooo said:
As the article suggests, surely the easiest remedy to assist is to ensure that when you paid £1000 to account 12345678 and you intend it to go to J SMITH - then there should be a check on the other side that the recipient account matches that name.
When making large payments I tend to send £10 through first and check with the recipient - although this is more out of concern from typing their account number wrong on my online banking.
That's exactly what I do. I transfer as much as I'm happy to lose, then get the recipient to confirm it's arrived. Only then will I send the rest.
I also agree that a name check is sensible. It's easy to screw up a number even if it's not a scam. A check in the name would catch that.
Edited by 98elise on Sunday 22 October 09:42
Jimmy Recard said:
When I do a transfer online through Lloyds, it tells me the name of the recipient and the account holding branch from the sort code and account number. For any bank I’ve tried - not just Lloyds.
I sent money for a car I bought privately to an RBS account and it showed me the recipient’s name before I confirmed the transfer
I have Lloyds online banking and mine doesn't do that. Not sure how yours can and mine can't...
I’ve got a lot of sympathy for the people who’ve lost so much money from what was an understandable and simple mistake, but I can’t understand the calls for the bank to pay them back for it. The bank seems to have done exactly what they were asked to do, so are blameless here.
The story as I heard it was a bit strange, they phoned the solicitor and then received an email from a hacked source. It’s an unusual coincidence, or someone in the solicitor’s Office was part of the scam.
Dixy said:
The bit I don't understand is why Nat West as the receiving end are not guilty of allowing a fraudulent transaction, they have clearly allowed an account to be opened without due diligence.
That’s just not the case at all. People use existing accounts, convincing, cajoling, or threatening the account owners to let the money go through them. It’ll normally be an existing account with no history of fraud on it until it becomes compromised by the fraudsters.
James_B said:
I’ve got a lot of sympathy for the people who’ve lost so much money from what was an understandable and simple mistake, but I can’t understand the calls for the bank to pay them back for it. The bank seems to have done exactly what they were asked to do, so are blameless here.
The story as I heard it was a bit strange, they phoned the solicitor and then received an email from a hacked source. It’s an unusual coincidence, or someone in the solicitor’s Office was part of the scam.
Yeah, it's a bit peculiar if that is the case. I'm imagining that they followed up with an "As per our telephone conversation please can you provide bank details for XYZ" and this is what was intercepted. As you say otherwise the solicitor would've had to have had someone complicit on the inside, or a compromised phone system (unlikely).
The story as is seems to have gaps in it, I don't really understand how this apparently "long-used firm of solicitors" had never previously communicated any bank details for previous work?
It's a growing scam, and the people involved in it are not your common or garden eBay scammers - they're pros. In many cases these things will have been set up with a target in mind, and could easily be weeks or months in the making.
I too have sympathy for the couple since if the solicitor's email system was compromised the email they would have received would on the face of it have come from them, so it wouldn't even have been a forged email - it would've been the real deal, and would've looked exactly like any previous correspondence they might have received, down to signatures, etc.
The only practical solution to this sort of thing is to verify the bank details you receive either in person, or on the phone (although phone systems are not unhackable), and/or to send a nominal payment to the account and verify its receipt.
As said previously the banks aren't to blame for this - they received instructions from an account holder to send money to a nominated bank account. They can't be expected to second guess every transaction that they are asked to process (outwith automated fraud checking).
DELETED: Comment made by a member whose account has been deleted.
Please do, it'll take someone getting royally fined before anything changes. For instance in this case having the solicitor pay back the 120K with compensation, would start to make people pay attention to their email and other related systems.
James_B said:
The story as I heard it was a bit strange, they phoned the solicitor and then received an email from a hacked source. It’s an unusual coincidence, or someone in the solicitor’s Office was part of the scam.
My assumption is that:
- The email account of an accountant/clerk/solicitor at the firm was hacked.
- The secretary/receptionist who took the call emailed that person to say "please send our bank details to Mr X at blah@blah.blah".
- The email was intercepted and the clerk never even got it, I imagine they set up filters or something so even if the victim replied the person would never see it.
In an ideal world the person would have called back to double check, but thousands of these types of transactions go on every day and most people trust an email from a person they are expecting to deal with. Having seen screenshots of similar scams (the "our bank account details have changed" or "Janice, please send £100,000 to this account ASAP"), the scammer ensures they are very convincing. This is NOT a Nigerian confidence scam.
I think everyone should get into the habit of transferring £1 as a first step and either verify with a known party or wait for them to kick up a fuss.
The whole system is geared up for making large payments as quick and anonymously as possible.
Probably helps with all the shady cash from abroad we hoover up on a daily basis for our soaraway property market.
US seems to monitor everything so as to track terrorist funding but obviously not interested in fraud.
turbobloke said:
Not being an IT folk even I know that Factor 30 is recommended.
In simple terms it's a public record saying which email servers are allowed to send email from anything@whatever.domain. Without it, if your email is joe@whatever.domain anyone on the internet can send an email saying they're you.
With it, it reduces the risk, but email is still hideously insecure because it was never specified with criminals in mind, so pretty much everything done to try and make it more trustworthy is an add-on and is optional.
Personally the best thing that could happen for the good of the entire Internet is that Google state that as of next Monday if you don't have SPF, DKIM and DMARC (some of these records) in place you can't send or receive email to or from them.
bhstewie said:
For the IT folks here I took a look at the solicitor's DNS records as I was curious and they don't appear to even have SPF in place.
In 2017 that's fking scary.
Procedures and technology are continually reviewed and improved where necessary. Maybe you should tell them that they are not living up to their own spiel.
They are a typical small country firm with offices in two towns in Essex. If my knowledge of a similar type of practice in another county is typical they won't have anyone in-house with IT security knowledge/expertise.
If there is also a lack of even the most basic stuff...
DELETED: Comment made by a member whose account has been deleted.
The problem is that SPF records only really work if the sysadmin has specified that the receiving server should "hard fail" the message if it doesn't comply, and that the receiving mail server is configured to even use SPF in the first place. Many are set up to soft fail (which basically means it's just advisory) - either because of being set that way during a transition period and forgotten about, uncertainty about the settings, etc.
SPF, DKIM, DMARC, etc. are great ideas, but they aren't universally adopted. The whole email architecture needs the likes of Google, Microsoft and Apple to collaborate on and enforce a standard that everyone else has to adhere to (lest their emails not be delivered).
Edited by Durzel on Sunday 22 October 10:06
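To make the SPF explanation a few posts up and the hard fail / soft fail point in this one concrete, here is a small checker added as an illustration (it is not code posted in the thread). It takes a domain's TXT records and reports whether the SPF and DMARC records actually tell a receiving server to act on a forged sender or are only advisory; the zone data is constructed and the .test domain names are placeholders.

```python
# Classify a domain's SPF and DMARC TXT records by how strictly they tell a
# receiving server to treat mail that fails the check. All records are constructed.
SPF_ALL = {"-all": "hardfail", "~all": "softfail", "?all": "neutral", "+all": "pass-all"}

def classify_spf(txt_records):
    """SPF posture from a domain's TXT records: missing, hardfail, softfail, ..."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:            # RFC 7208: more than one v=spf1 record is a permerror
        return "invalid-multiple"
    for term in spf[0].split()[1:]:
        t = term.lower()
        if t == "all":          # bare 'all' is shorthand for '+all'
            return "pass-all"
        if t in SPF_ALL:
            return SPF_ALL[t]
        if t.startswith("redirect="):
            return "redirect"   # policy is delegated to another domain's record
    return "no-all"             # no 'all' term: unmatched senders default to neutral

def classify_dmarc(txt_records):
    """DMARC 'p=' policy (none, quarantine, reject) from the _dmarc TXT records."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    return tags.get("p", "invalid")  # 'p' is mandatory; without it the record is invalid

def assess(txt_records, dmarc_records):
    """Summarise whether a forged From: address at this domain is likely accepted."""
    spf, dmarc = classify_spf(txt_records), classify_dmarc(dmarc_records)
    # Only -all or an enforcing DMARC policy tells receivers to act; ~all and p=none are advisory.
    enforced = spf == "hardfail" or dmarc in ("quarantine", "reject")
    return {"spf": spf, "dmarc": dmarc, "spoofable": not enforced}

# Constructed sample zones (not real domains): (apex TXT records, _dmarc TXT records)
ZONES = {
    "strict.test": (["v=spf1 include:_spf.mailhost.test -all"],
                    ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.test"]),
    "soft.test": (["v=spf1 ip4:192.0.2.0/24 ~all"], ["v=DMARC1; p=none"]),
    "none.test": (["site-verification=abc123"], []),
}
```

For a real domain, feed assess() the TXT records returned by a DNS lookup of the apex name and of _dmarc.<domain>; the ZONES entries show the expected shape of that input.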
DELETED: Comment made by a member whose account has been deleted.
It's not just solicitors with poor security when it comes to sensitive customer details...I approached a PHer (mortgage broker) who was well recommended by other PHers here. He sent me through a Word document to fill in - personal details such as home address, contact number, date of birth, financial info, salary, mortgage, who it was with, balance and term outstanding, loan commitments, any car leasing info, details of dependents, work address details, any partner's salary, their work address and their details...
The 'blank' document he sent to me had someone else's full details, including the guy's wife's info. Everything. It would've been a fraudster's wet dream.
I suspect what happened was that someone at the broker company filled in the details on the blank document over the phone with a customer and rather than saving the original blank (now completed) document with a new name, they overwrote the default blank one which got sent out to new clients such as me.
I have no doubt it was not intentional, however when I told him what had happened he seemed alarmingly unconcerned!
Suffice to say that there was no way I was sending my details to him after that.
I still see recommendations to use him on a regular basis here and thanks to PH's 'no name-and-shame' policy I can't alert others to the potential risk they're taking by using him, although I would hope action was taken off the back of my emails telling him what he'd done.
I also work in IT and the horror stories are rife. You can see how easy it is to commit such fraud and how little many companies seem to care about it.
Edited by Funk on Sunday 22 October 10:48