Couple lose £120k in email scam
Discussion
Efbe said:
apols if a reading file, but was the e-mail actually hacked, or was the e-mail actually sent from the solicitors?
I very much doubt there was any hacking (which is a term that gets bandied around a lot and never used correctly!), in my experience it is almost always internal fraud.
Probably a weak password, plenty of people use fred@company.com with a password of fred.
WinstonWolf said:
Efbe said:
apols if a reading file, but was the e-mail actually hacked, or was the e-mail actually sent from the solicitors?
I very much doubt there was any hacking (which is a term that gets bandied around a lot and never used correctly!), in my experience it is almost always internal fraud.
Probably a weak password, plenty of people use fred@company.com with a password of fred.
even so, they needed to be able to send the e-mail from that e-mail address (which I am aware is possible) but also create a word file with logo etc, have replied very quickly to the e-mail, whilst the actual solicitor did not reply at all. Their actual reply would have sparked questions, which did not happen. So why didn't they reply?
From what I have seen with phishing etc, this just doesn't happen.
So unless I have missed something, this was an inside job at the solicitors.
WinstonWolf said:
Not really, it’s basic social engineering. If you know a name you might get lucky and guess your way in in minutes.
Once you’re in just monitor emails and pick your moment.
Websites often list staff names, solicitors are definitely worth a crack.
nah, not how it works.
instead take a long list of e-mail accounts (readily available from many sites)
then apply the same password to all of them.
rinse and repeat with a different password each time.
This is how passwords are guessed.
However, this really doesn't sound like that situation. The timing, the e-mail address, the word document, the legit bank account, the account being in the UK. None of this fits to a hacker. All of it fits to an inside job.
edit: re-reading it, the guy had phoned into the solicitors, not e-mailed in. so it HAD to be an inside job.
Edited by Efbe on Sunday 22 October 19:41
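What Efbe describes (one password tried across a long list of accounts, then repeated with the next password) is what defenders call password spraying, and it leaves a distinctive trace in authentication logs: one source failing once or twice against many different accounts, rather than hammering a single account. As an added illustration that is not part of the thread, here is a small Python detector over constructed log lines; the log format, addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "timestamp source_ip user result".
SAMPLE_LOG = """\
2023-10-22T19:00:01 203.0.113.5 alice FAIL
2023-10-22T19:00:02 203.0.113.5 bob FAIL
2023-10-22T19:00:03 203.0.113.5 carol FAIL
2023-10-22T19:00:04 203.0.113.5 dave FAIL
2023-10-22T19:00:05 203.0.113.5 erin FAIL
2023-10-22T19:00:06 203.0.113.5 frank OK
2023-10-22T19:01:00 198.51.100.7 alice FAIL
2023-10-22T19:01:01 198.51.100.7 alice FAIL
2023-10-22T19:01:02 198.51.100.7 alice FAIL
2023-10-22T19:01:03 198.51.100.7 alice FAIL
2023-10-22T19:01:04 198.51.100.7 alice FAIL
2023-10-22T19:05:00 192.0.2.9 grace FAIL
2023-10-22T19:05:30 192.0.2.9 grace OK
"""

def parse(log_text):
    """Yield (source, user, result) from the constructed four-field log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, src, user, result = parts
            yield src, user, result

def classify_sources(log_text, min_accounts=4, max_fails_per_account=2):
    """Label each source address (thresholds are assumed, tune to your environment):
    'spray'       - failures against many distinct accounts, few tries per account
    'brute-force' - many failures against one account
    'normal'      - anything else
    Each label is paired with the accounts that source did log into, so a
    spraying source that eventually succeeded is surfaced for follow-up."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    successes = defaultdict(set)                    # src -> users successfully logged in
    for src, user, result in parse(log_text):
        if result == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)
    verdict = {}
    for src in set(fails) | set(successes):
        per_user = fails[src]
        if len(per_user) >= min_accounts and all(n <= max_fails_per_account for n in per_user.values()):
            verdict[src] = ("spray", sorted(successes[src]))
        elif per_user and max(per_user.values()) >= 5:
            verdict[src] = ("brute-force", sorted(successes[src]))
        else:
            verdict[src] = ("normal", sorted(successes[src]))
    return verdict
```

In the sample, the first source is flagged as spraying and is shown to have got into one account, which is exactly the foothold Efbe describes for reading a mailbox and picking the moment.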
Quite a complicated scam. It looks like the bank details were changed somehow. I wonder if there was a clone website that had telephone numbers to the fraudsters. Some parts of the story do seem off, like the family solicitors but it was the first time he was phoning them and again why would you involve solicitors for IHT? Would anyone know what the estate is worth if the amount of tax is £120k?
Efbe said:
WinstonWolf said:
Not really, it’s basic social engineering. If you know a name you might get lucky and guess your way in in minutes.
Once you’re in just monitor emails and pick your moment.
Websites often list staff names, solicitors are definitely worth a crack.
nah, not how it works.
instead take a long list of e-mail accounts (readily available from many sites)
then apply the same password to all of them.
rinse and repeat with a different password each time.
This is how passwords are guessed.
However, this really doesn't sound like that situation. The timing, the e-mail address, the word document, the legit bank account, the account being in the UK. None of this fits to a hacker. All of it fits to an inside job.
edit: re-reading it, the guy had phoned into the solicitors, not e-mailed in. so it HAD to be an inside job.
Edited by Efbe on Sunday 22 October 19:41
For my sins I’ve watched them in action, it’s thrilling stuff. Not!
WinstonWolf said:
Efbe said:
WinstonWolf said:
Not really, it’s basic social engineering. If you know a name you might get lucky and guess your way in in minutes.
Once you’re in just monitor emails and pick your moment.
Websites often list staff names, solicitors are definitely worth a crack.
nah, not how it works.
instead take a long list of e-mail accounts (readily available from many sites)
then apply the same password to all of them.
rinse and repeat with a different password each time.
This is how passwords are guessed.
However, this really doesn't sound like that situation. The timing, the e-mail address, the word document, the legit bank account, the account being in the UK. None of this fits to a hacker. All of it fits to an inside job.
edit: re-reading it, the guy had phoned into the solicitors, not e-mailed in. so it HAD to be an inside job.
Edited by Efbe on Sunday 22 October 19:41
For my sins I’ve watched them in action, it’s thrilling stuff. Not!
However this case really does not seem right.
The bloke phoned in to the solicitors, then an e-mail was sent from their account to his with the word document with the account details.
What exactly was hacked to get into this? It was a phone call, then an e-mail was sent back as expected answering the question of which account to pay.
IMO this will have been a cleaner or admin staff, temp secretary etc who will unsurprisingly be missing now.
Efbe said:
However this case really does not seem right.
The bloke phoned in to the solicitors, then an e-mail was sent from their account to his with the word document with the account details.
What exactly was hacked to get into this? It was a phone call, then an e-mail was sent back as expected answering the question of which account to pay.
IMO this will have been a cleaner or admin staff, temp secretary etc who will unsurprisingly be missing now.
An inside job is certainly possible.
However how can you be sure that the solicitor's office hasn't been subject to a TLS downgrade or DNS MX hijack.
It's not that difficult for a MITM to get into a vulnerable system.
Solicitors are a tempting target given that many of them handle estate/probate work.
It's just a matter of waiting for the right victims to swim into the shark's pool.
Then bam! collect and skedaddle.
Even if the perpetrator is caught that's of no real help to the victims who are down £xxxxxx.
They still have to deal with the predicament they are placed in.
TinRobot's posts should worry everyone who has dealings with legal firms.
Red Devil said:
Efbe said:
However this case really does not seem right.
The bloke phoned in to the solicitors, then an e-mail was sent from their account to his with the word document with the account details.
What exactly was hacked to get into this? It was a phone call, then an e-mail was sent back as expected answering the question of which account to pay.
IMO this will have been a cleaner or admin staff, temp secretary etc who will unsurprisingly be missing now.
An inside job is certainly possible.
However how can you be sure that the solicitor's office hasn't been subject to a TLS downgrade or DNS MX hijack.
It's not that difficult for a MITM to get into a vulnerable system.
Solicitors are a tempting target given that many of them handle estate/probate work.
It's just a matter of waiting for the right victims to swim into the shark's pool.
Then bam! collect and skedaddle.
Even if the perpetrator is caught that's of no real help to the victims who are down £xxxxxx.
They still have to deal with the predicament they are placed in.
TinRobot's posts should worry everyone who has dealings with legal firms.
The guy phoned in, so unless the person on the other end of the phone (who is the most likely person to be the scammer) added notes to a system that was then hacked, there isn't a point that can have been compromised. Unless the outbound e-mails from the solicitors were impacted, redirected etc. But that would have caused far bigger issues, and this sounded like a one off.
Certainly I don't see how it could have been the fault of the person scammed, from the story it is surely the solicitors fault, which makes me think there is a part of this story missing.
AndStilliRise said:
Quite a complicated scam. It looks like the bank details were changed somehow. I wonder if there was a clone website that had telephone numbers to the fraudsters. Some parts of the story do seem off, like the family solicitors but it was the first time he was phoning them and again why would you involve solicitors for IHT? Would anyone know what the estate is worth if the amount of tax is £120k?
Assuming a single £325k nil rate band then approaching £600k. If double nil rate band plus residence addition allowance then circa £1 million....
Efbe said:
Red Devil said:
Efbe said:
However this case really does not seem right.
The bloke phoned in to the solicitors, then an e-mail was sent from their account to his with the word document with the account details.
What exactly was hacked to get into this? It was a phone call, then an e-mail was sent back as expected answering the question of which account to pay.
IMO this will have been a cleaner or admin staff, temp secretary etc who will unsurprisingly be missing now.
An inside job is certainly possible.
However how can you be sure that the solicitor's office hasn't been subject to a TLS downgrade or DNS MX hijack.
It's not that difficult for a MITM to get into a vulnerable system.
Solicitors are a tempting target given that many of them handle estate/probate work.
It's just a matter of waiting for the right victims to swim into the shark's pool.
Then bam! collect and skedaddle.
Even if the perpetrator is caught that's of no real help to the victims who are down £xxxxxx.
They still have to deal with the predicament they are placed in.
TinRobot's posts should worry everyone who has dealings with legal firms.
The guy phoned in, so unless the person on the other end of the phone (who is the most likely person to be the scammer) added notes to a system that was then hacked, there isn't a point that can have been compromised. Unless the outbound e-mails from the solicitors were impacted, redirected etc. But that would have caused far bigger issues, and this sounded like a one off.
Much better to have multiple targets over a short time frame and see what develops. You just need one juicy mark from each source.
By the time each victim cottons on it's too late. I'm pretty sure this one made the front page due to the sum involved.
All I'm saying is it is not necessarily an inside job. The debacle happened in August, so if it was I reckon that the press would have found out by now.
The firm must have looked into that possibility because it's reputation is on the line. The regulator ought to be interested in why its IT security is so poor.
Efbe said:
Certainly I don't see how it could have been the fault of the person scammed, from the story it is surely the solicitors fault, which makes me think there is a part of this story missing.
Where large sums of money are concerned I am always very wary and would have called back to double check if I hadn't been given the information I sought during the initial call. However ime that prudent approach doesn't fly with the average Joe/(wo)man on the Clapham omnibus. Most are pretty clueless about the risks that go with e-mails and the web.
The real question in this case is whether they ought to be able to rely on a business being more clued up and have implemented proper security in respect of its comms systems.
That said the number of people who have little security on their own private PCs/laptops/etc, open dodgy attachments and pop-ups, and/or fall for fake phishing web sites is mind boggling.
As for something missing, any story in the press is only as good as the investigative inclination/ability of the journalist writing it.
Pica-Pica said:
Dixy said:
The bit I don't understand is why Nat West as the receiving end are not guilty of allowing a fraudulent transaction, they have clearly allowed an account to be opened with out due diligence.
Ditto. When we moved we had to have all sorts of verification to deny we were committing money-laundering. Couldn't set up the PO box over the phone. They also won't let you send in somebody else to do it. I went in on a recent trip to U.K. armed with passport, photo Indonesian driving licences and other official docs. Not a problem.
That's just for a PO Box not setting up a bank account.
carinaman said:
Agreed.
The losers of the £120K should have done a low value test payment first and then checked the solicitors had received it in their account?
I do exactly this when sending money to the company that manages my investments.
£10 each time. Wait a day or two until it's verified on the phone by my chap there (not anyone else), then send the remaining £9990 etc.
In fact anything over a grand I've often done this, mainly as I don't trust myself to type in the right info on my banking app!
Edited by jdw100 on Monday 23 October 01:25
The thing I find staggering is this, “We feel let down by everyone involved. We have heard nothing from the police or Action Fraud even though we have the name and address of the woman who ran the company account to which my money was paid. Action Fraud told me there was no guarantee that the police would even look at my case, and if they did it may take up to eight weeks to start their investigation. I could not believe my ears.”
Why, if the above information is true, have the police not arrested the woman who owns the account? It's theft. No different to breaking in to your local supermarket and stealing £120k from the tills.
We've had one of our customers fall victim to this recently.
Difference being that we sent the invoice with bank details as a PDF but between us and them it had been edited.
They sent us back what they'd received and the bank details were changed, very hard to tell tbh.
As it stands, customer still hasn't got their money and this happened 4-5 months ago...