Couple lose £120k in email scam


Douglas Quaid

2,283 posts

85 months

Sunday 22nd October 2017
Solicitors should pay them back as they’re the ones who should have taken better care.

Jimmy Recard

17,540 posts

179 months

Sunday 22nd October 2017
OddCat said:
I have Lloyd's online banking and mine doesn't do that. Not sure how yours can and mine can't...
That is strange. I have no idea why that would be the case.

It definitely does it though, I use it all the time

plasticpig

12,932 posts

225 months

Sunday 22nd October 2017
DELETED: Comment made by a member whose account has been deleted.
As a small IT company we install Sophos UTM appliances on client sites. Quite happy with its performance. So we're not all clueless when it comes to security.




Du1point8

21,608 posts

192 months

Sunday 22nd October 2017
The amount of times this happens and I still can't believe Joe Public still can't do the simplest of things.

1) Receive email from solicitors to state an account and sort code to deliver money (still smells of inside job).
2) Ring said fking company and ask them to confirm.
3) No issues as 2) covers you from scammers.

Quite why they are bhing and whining about the bank when it's their own due diligence that failed.

I don't understand why people can't pick up a phone and confirm details with companies before sending huge sums of money, let alone blaming another company for following their instructions, stating that the bank should have checked when the couple couldn't be bothered to.

bitchstewie

Original Poster:

51,207 posts

210 months

Sunday 22nd October 2017
plasticpig said:
As a small IT company we install Sophos UTM appliances on client sites. Quite happy with its performance. So we're not all clueless when it comes to security.
Out of curiosity (cautious this doesn't turn into an IT thread smile) how do you find your clients react to the "shock" that security costs money?

I don't consult but I read enough sites to know that lots of IT companies struggle with clients who think they can spend £100 on a firewall and don't want to pay any sort of subscription for the services needed to do a decent job.

OddCat

2,527 posts

171 months

Sunday 22nd October 2017
IT people build systems that are vulnerable to fraud - and then charge users significant sums for anti fraud software !

You could argue that the original kit was not fit for purpose....


covboy

2,576 posts

174 months

Sunday 22nd October 2017
For some reason my online banking "fell over" recently and I had to re-register on line. All the information it asked for was all the information they (the Banks) stress not to post online! i.e. personal details, bank card number, security code etc. A visit to my local branch confirmed it was legit but I did wonder !!

plasticpig

12,932 posts

225 months

Sunday 22nd October 2017
bhstewie said:
Out of curiosity (cautious this doesn't turn into an IT thread smile) how do you find your clients react to the "shock" that security costs money?

I don't consult but I read enough sites to know that lots of IT companies struggle with clients who think they can spend £100 on a firewall and don't want to pay any sort of subscription for the services needed to do a decent job.
That's not been a major issue for us to be honest. The company is a bit of a strange setup though as we do software development as well as infrastructure so many of our clients are used to paying ongoing licensing, maintenance and support costs.

Funk

26,274 posts

209 months

Sunday 22nd October 2017
bhstewie said:
plasticpig said:
As a small IT company we install Sophos UTM appliances on client sites. Quite happy with its performance. So we're not all clueless when it comes to security.
Out of curiosity (cautious this doesn't turn into an IT thread smile) how do you find your clients react to the "shock" that security costs money?

I don't consult but I read enough sites to know that lots of IT companies struggle with clients who think they can spend £100 on a firewall and don't want to pay any sort of subscription for the services needed to do a decent job.
I work for a small reseller and find that companies are either secured up to the hilt or start to do so once they've been breached or told to due to the threat of punitive measures...

More often than not it's not the IT guys who're to blame, the finance people just often won't give enough cash to them to do 'security' properly.

Edit: TinRobot posted this at the same time as me:

DELETED: Comment made by a member whose account has been deleted.
Edited by Funk on Sunday 22 October 13:44

Red Devil

13,060 posts

208 months

Sunday 22nd October 2017
Red Devil said:
They are a typical small country firm with offices in two towns in Essex. If my knowledge of a similar type of practice in another county is typical they won't have anyone in-house with IT security knowledge/expertise.
DELETED: Comment made by a member whose account has been deleted.
Why are they different? They are a business not a hobby. The only distinguishing feature from other SMEs is that they are likely to be handling other people's money on a custodial basis in client accounts. Which makes it even more necessary to be properly protected.

Not having a firewall is unbelievably irresponsible. An IT company that can only suggest using the built-in controls of a Draytek should never have been hired in the first place and needs to be got rid of at the earliest opportunity. Whether it is CMS - idiot's guide here: https://www.nibusinessinfo.co.uk/content/content-m... - or other IT based systems it comes back to having someone within the practice back office who has at least some basic knowledge and knows what questions to ask. Looks like I have better protection on my personal computer than the muppets you speak of. rolleyes

DELETED: Comment made by a member whose account has been deleted.
Agreed.

plasticpig

12,932 posts

225 months

Sunday 22nd October 2017
DELETED: Comment made by a member whose account has been deleted.
IT is just one part of it though. If a company was truly paranoid about data security then they would need to install preventative measures against keyboard loggers, bugs, Van Eck phreaking and even simple things like making sure that no monitors are visible through any windows.

Then there is the social engineering side. If I rang up a small solicitors practice and offered to do a free security audit I wonder how far I could get into their systems if they accepted?




Red Devil

13,060 posts

208 months

Sunday 22nd October 2017
Funk said:
It's not just solicitors with poor security when it comes to sensitive customer details...

I approached a PHer (mortgage broker) who was well recommended by other PHers here. He sent me through a Word document to fill in - personal details such as home address, contact number, date of birth, financial info, salary, mortgage, who it was with, balance and term outstanding, loan commitments, any car leasing info, details of dependents, work address details, any partner's salary, their work address and their details...

The 'blank' document he sent to me had someone else's full details, including the guy's wife's info. Everything. It would've been a fraudster's wet dream.

I suspect what happened was that someone at the broker company filled in the details on the blank document over the phone with a customer and rather than saving the original blank (now completed) document with a new name, they overwrote the default blank one which got sent out to new clients such as me.


I have no doubt it was not intentional, however when I told him what had happened he seemed alarmingly unconcerned!

Suffice to say that there was no way I was sending my details to him after that.

I still see recommendations to use him on a regular basis here and thanks to PH's 'no name-and-shame' policy I can't alert others to the potential risk they're taking by using him, although I would hope action was taken off the back of my emails telling him what he'd done.

I also work in IT and the horror stories are rife. You can see how easy it is to commit such fraud and how little many companies seem to care about it.
An unintentional error is one thing but to show unconcern is not merely unprofessional but highly irresponsible.

a) There should be protection on a blank master to prevent it being overwritten.
b) Even if a) has been done, not checking what was actually attached to an e-mail is pretty lax.
c) Using Word to capture personal information beggars belief.

Given that he works in financial services would he have been concerned if you had reported it to the FCA and the ICO*?

 * It was a clear breach of the DPA 1988. The data controller registration details can be found here - https://ico.org.uk/esdwebpages/search



OddCat

2,527 posts

171 months

Sunday 22nd October 2017
Jimmy Recard said:
OddCat said:
I have Lloyd's online banking and mine doesn't do that. Not sure how yours can and mine can't...
That is strange. I have no idea why that would be the case.

It definitely does it though, I use it all the time
So, what you are saying is that you enter the sort code and account number of the recipient and your screen displays the name of the recipient account before you press 'send' ?

Are you sure it isn't just repeating the beneficiary name you have keyed in ?

If what you are suggesting happens then that would be a fraudster's dream. You could just key in random sort code / account number combinations and find out account names ! Seems unlikely........



Tony 1234

3,465 posts

227 months

Sunday 22nd October 2017
Interesting topic. smile

plasticpig

12,932 posts

225 months

Sunday 22nd October 2017
A bit of a side point but if they had posted a cheque to the Solicitors and the cheque had been intercepted and altered then the bank would be liable. With that sort of money involved I would probably arrange to hand deliver a banker's draft to the Solicitors in person and get a receipt on the spot.



Red Devil

13,060 posts

208 months

Sunday 22nd October 2017
Why go to all that faff?

In the case being discussed it was for IHT which could simply have been paid direct to HMRC.
The deadline is strict: by the end of the sixth month after the date of death.*
Failing that you get charged interest on the outstanding amount.
https://www.gov.uk/paying-inheritance-tax

 * I wouldn't rely on a third party to do so and have to argue the toss if they failed.
    Not even for £12k never mind ten times that amount.

There aren't many people who have £120k lying around spare.
I wonder if the couple in question raised it via bridging loan.

Jimmy Recard

17,540 posts

179 months

Sunday 22nd October 2017
OddCat said:
So, what you are saying is that you enter the sort code and account number of the recipient and your screen displays the name of the recipient account before you press 'send' ?

Are you sure it isn't just repeating the beneficiary name you have keyed in ?

If what you are suggesting happens then that would be a fraudster's dream. You could just key in random sort code / account number combinations and find out account names ! Seems unlikely........
If you live anywhere near me you're welcome to drop by and I'll transfer you a nominal amount to demonstrate it

You've got me doubting myself now though, I was amazed when I first saw it but I haven't paid attention to it since then. Maybe I imagined it

Edited by Jimmy Recard on Sunday 22 October 17:26

OddCat

2,527 posts

171 months

Sunday 22nd October 2017
Jimmy Recard said:
If you live anywhere near me you're welcome to drop by and I'll transfer you a nominal amount to demonstrate it

You've got me doubting myself now though, I was amazed when I first saw it but I haven't paid attention to it since then. Maybe I imagined it

Edited by Jimmy Recard on Sunday 22 October 17:26
Maybe double check next time you do it. Or I can give you my details and you could send me £120,000. Seems to be all the rage smile


Edited by OddCat on Sunday 22 October 17:35

Jimmy Recard

17,540 posts

179 months

Sunday 22nd October 2017
OddCat said:
Maybe double check next time you do it. Or I can give you my details and you could send me £120,000. Seems to be all the rage smile


Edited by OddCat on Sunday 22 October 17:35
The first time I did it I was with a friend who was the recipient and we were both taken aback by it. I suppose it's possible I had typed his name at some stage and forgotten and he hadn't noticed it.

I've just been on to check it by doing a transfer to myself and the confirmation screen (where I expected to see my name) isn't the same as the one I remember and no name. Now I think I'm going mad laugh

Red Devil

13,060 posts

208 months

Sunday 22nd October 2017
yes Section 36 for you, CHAP. wink