Couple lose £120k in email scam
Discussion
I run the IT team for a firm of solicitors and the things we put in place to try and prevent this type of fraud are quite impressive; however, the weakest link is always the person using the systems.
We see examples of phishing emails on a daily basis, and they are becoming more and more convincing. Get the right person in the accounts department to click on a malicious link and potentially open up your systems to anyone. There's your email "hack", the rest is easy.
We send our account details out with the terms of business, and make sure the client knows that the account details will not change during the course of their transaction. We also remind them of this on the footer of every email that gets sent to them.
We've registered all permutations of our domain name that we can think of, but we still see emails with similar domain names (GOOGLE/G00GLE) attempting to arrange a cash transfer in a hurry.
In the case of this fraud, I would be concerned that they spoke to someone from the law firm on the phone, and then an email was generated - this does suggest that there may have been some inside collaboration.
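The look-alike domain problem described in the post (GOOGLE/G00GLE) can be checked mechanically on inbound mail. This is an added example, not code from the post or the poster's firm: the trusted domains and the sample sender addresses are constructed, and the homoglyph table and one-character edit-distance threshold are assumptions chosen for illustration. It goes slightly beyond the post by also catching the trusted name being used as a subdomain of an attacker's domain.

```python
"""Lookalike-domain check for inbound mail, as a defensive control.

Added example (not code from the forum post). The trusted domains and the
sample sender addresses are constructed for illustration.
"""
import re
from typing import Optional, Set, Tuple

# Substitutions commonly used to make a fake domain read like the real one
# (the post's GOOGLE/G00GLE case is the "0" -> "o" row). The folding is
# deliberately lossy: it exists to find resemblance, not to validate names.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l",
              "3": "e", "5": "s", "7": "t", "8": "b"}


def normalise(domain: str) -> str:
    """Fold look-alike character sequences back to the letters they imitate."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain part of an address such as 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    if not match:
        raise ValueError(f"no domain in address: {address!r}")
    return match.group(1).lower()


def classify_sender(address: str, trusted: Set[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain it resembles or None).

    Verdicts, checked in this order against each trusted domain:
    'trusted', 'homoglyph', 'near-miss' (edit distance 1),
    'embedded' (trusted name used as a subdomain of another domain), 'unrelated'.
    """
    domain = sender_domain(address)
    for known in sorted(trusted):
        known = known.lower()
        if domain == known:
            return "trusted", known
        if normalise(domain) == normalise(known):
            return "homoglyph", known
        if edit_distance(domain, known) == 1:
            return "near-miss", known
        if domain.startswith(known + "."):
            return "embedded", known
    return "unrelated", None


def triage(addresses, trusted: Set[str]):
    """Classify a batch of sender addresses; returns (address, verdict, resembles)."""
    return [(a, *classify_sender(a, trusted)) for a in addresses]


# Constructed sample data: a firm's own domain plus a provider it relies on.
TRUSTED = {"smithlaw.co.uk", "google.com"}
SAMPLES = [
    "accounts@smithlaw.co.uk",
    "Accounts <accounts@srnithlaw.co.uk>",
    "accounts@smithlaws.co.uk",
    "accounts@smithlaw.co.uk.secure-mail.net",
    "billing@g00gle.com",
    "friend@example.org",
]

if __name__ == "__main__":
    for address, verdict, like in triage(SAMPLES, TRUSTED):
        print(f"{verdict:10} {address}" + (f"  (resembles {like})" if like else ""))
```

Anything other than "trusted" or "unrelated" is a candidate for a banner on the message or a hold in the mail gateway; the verdict on a bank-details email is exactly the cue the post says clients should act on by phoning a known number.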
Riley Blue said:
I'm probably being incredibly dense here but if he needs to pay HMRC £120,000 inheritance tax and went into his own bank with his debit card to do it, couldn't he have paid it direct without involving his solicitor's account?
Yes. The account number and sort code for paying IHT are freely published on HMRC's web site. Simply do a BACS or CHAPS transfer direct to HMRC, putting your IHT reference number as the reference on the transfer. Job done - no need to involve the solicitor's bank account at all.
Red Devil said:
That's exactly what can happen as a result of a MITM attack. No external fraudster in their right mind is going to target just one firm.
Much better to have multiple targets over a short time frame and see what develops. You just need one juicy mark from each source.
By the time each victim cottons on it's too late. I'm pretty sure this one made the front page due to the sum involved.
All I'm saying is it is not necessarily an inside job. The debacle happened in August, so if it was I reckon that the press would have found out by now.
The firm must have looked into that possibility because its reputation is on the line. The regulator ought to be interested in why its IT security is so poor.
Interesting stuff, I didn't even know this was a thing!
How does this work, would the fraudster misdirect all outgoing e-mails, or could they select specific ones?
SlimRick said:
I run the IT team for a firm of solicitors and the things we put in place to try and prevent this type of fraud are quite impressive; however, the weakest link is always the person using the systems.
We see examples of phishing emails on a daily basis, and they are becoming more and more convincing. Get the right person in the accounts department to click on a malicious link and potentially open up your systems to anyone. There's your email "hack", the rest is easy.
We send our account details out with the terms of business, and make sure the client knows that the account details will not change during the course of their transaction. We also remind them of this on the footer of every email that gets sent to them.
We've registered all permutations of our domain name that we can think of, but we still see emails with similar domain names (GOOGLE/G00GLE) attempting to arrange a cash transfer in a hurry.
In the case of this fraud, I would be concerned that they spoke to someone from the law firm on the phone, and then an email was generated - this does suggest that there may have been some inside collaboration.
I'm assuming there is more detail to this story than has been mentioned in the article, otherwise - as you say - it's an inside job and an obviously much bigger deal. I can't imagine The Guardian not reporting on that aspect of it were that the case. What I suspect happened is that there was a phone call, and a follow-up "Further to our telephone conversation, please send bank details for XYZ to this address" email from the victims, and it was this follow-up email that was intercepted and replied to.
The people doing these scams are not your regular "your PayPal account has been suspended!" indiscriminate phishing email fraudsters. I've heard from friends in IT of instances where scammers have had a dialogue weeks prior with the MD to get his email address and a sense of how he writes emails, followed his public social media to work out when he was out of the office, telephoned the office and been told that he is on holiday (another weak point in social engineering) and then, when finding out he's not in, they spoof emails purporting to be from him, in similar language to him, asking for urgent payments to be made. Because the MD isn't in, an IT-illiterate financial controller can't verify a transaction face-to-face, and just processes it blindly.
Humans are always the weakest part of any IT security system, and very few companies put their staff through any kind of social engineering training.
This is worth a watch as well: https://www.youtube.com/watch?v=lc7scxvKQOo
Efbe said:
Interesting stuff, I didn't even know this was a thing!
How does this work, would the fraudster misdirect all outgoing e-mails, or could they select specific ones?
Several different ways really.
If, like most companies, people never change their damn passwords / have the same password for everyone "in case they're off" (as was said earlier) then they can simply log into a corporate web mail, which are also often available on the internet because of the nature of people accessing it remotely on mobile networks, etc - then the fraudsters can just sit there and read emails that are coming in, with the compromised company usually being oblivious.
They could also set up a rule to forward all received emails to another address, and then spoof replies back. This has greater risks ironically because it involves making a change to the legitimate user's email configuration, etc.
Or - the scammers could've got malware previously installed onto a solicitors computer somehow which silently forwarded emails, or even keystrokes, to the fraudsters.
It really depends on the extent to which an email system was compromised really. I'd wager that the vast majority of attacks are simply down to weak passwords... people are really bad when it comes to password security. More often than not IT systems get set up the right way but are slowly eroded by either lack of maintenance, or people actively undermining it because it's too difficult to remember a complex password, etc.
There is also the aspect that when something works there is often a massive resistance to do updates to it, either because no one in the company understands the importance of it, or that they're too scared to do anything in case it stops working, or even because their little server sat in a cupboard that has everything on it with untested backups (or no backups), with no contingency whatsoever, is basically a black box that no one in the company understands until "the internet isn't working".
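The forwarding-rule route described above (a rule that silently copies or deletes incoming mail) leaves a trace in the mail system's audit log, and that trace is what a defender should be alerting on. The code below is an added example, not code from the thread or from any product: the audit events are constructed JSON lines in a simplified shape of my own; the parameter names follow Exchange's New-InboxRule / Set-InboxRule cmdlets, but the surrounding log format, the organisation domain and the finance keyword list are assumptions for the example.

```python
"""Detect suspicious inbox rules (auto-forward outside the org, hiding
finance mail, blank rule names) from audit events.

Added example; not code from the forum thread. SAMPLE_EVENTS are constructed
JSON lines in a simplified shape; the parameter names follow Exchange's
New-InboxRule / Set-InboxRule cmdlets, the log format itself is an assumption.
"""
import json
from typing import Dict, List, Tuple

ORG_DOMAINS = {"smithlaw.co.uk"}          # constructed: the firm's own mail domains
FINANCE_WORDS = {"invoice", "bank", "payment", "transfer", "completion", "iht"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample audit events, one JSON object per line.
SAMPLE_EVENTS = """
{"user": "alice@smithlaw.co.uk", "operation": "New-InboxRule", "params": {"Name": ".", "SubjectContainsWords": ["invoice", "bank details"], "ForwardTo": "alice.archive@freemail.example", "DeleteMessage": true}}
{"user": "bob@smithlaw.co.uk", "operation": "New-InboxRule", "params": {"Name": "Newsletters", "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"}}
{"user": "carol@smithlaw.co.uk", "operation": "Set-InboxRule", "params": {"Name": "Copy to me", "RedirectTo": ["carol@smithlaw.co.uk"]}}
{"user": "dave@smithlaw.co.uk", "operation": "MailboxLogin", "params": {}}
{"user": "erin@smithlaw.co.uk", "operation": "New-InboxRule", "params": {"Name": "Cleanup", "SubjectContainsWords": ["payment"], "DeleteMessage": true}}
""".strip().splitlines()


def is_external(address: str) -> bool:
    """True when the recipient domain is not one of our own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def as_list(value) -> List[str]:
    """Cmdlet parameters may be a single address or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def assess_rule(event: Dict) -> List[str]:
    """Return the reasons an inbox-rule event is suspicious (empty if benign)."""
    if event.get("operation") not in RULE_OPERATIONS:
        return []
    params = event.get("params", {})
    reasons = []
    # 1. Mail leaving the organisation automatically.
    for key in FORWARD_PARAMS:
        for addr in as_list(params.get(key)):
            if is_external(addr):
                reasons.append(f"{key} sends mail outside the organisation: {addr}")
    # 2. Finance-related mail being deleted or tucked away so the owner never sees it.
    subjects = " ".join(params.get("SubjectContainsWords", [])).lower()
    hides = params.get("DeleteMessage") or params.get("MoveToFolder")
    if hides and any(word in subjects for word in FINANCE_WORDS):
        reasons.append("rule hides finance-related mail from the mailbox owner")
    # 3. Rules named with punctuation only are a common way to keep them unnoticed.
    if len(params.get("Name", "").strip(" .-_")) == 0:
        reasons.append("rule has a blank or near-blank name")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse audit lines and return (user, reasons) for every flagged rule."""
    flagged = []
    for line in lines:
        event = json.loads(line)
        reasons = assess_rule(event)
        if reasons:
            flagged.append((event["user"], reasons))
    return flagged


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS):
        print(user)
        for reason in reasons:
            print("  -", reason)
```

In the sample, only the rule that forwards externally and the rule that deletes "payment" mail are flagged; the newsletter filter and the redirect to the user's own address pass, which is the distinction an alert needs to make to stay usable.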
I know the couple that lost this money very well. It was actually the client that had his email hacked, not the solicitor. He is usually very diligent regarding financial matters so I was very surprised that this has happened.
Regardless of blame etc, he’s a bloody decent lad and this is having a huge impact on his life.
I will update here as and when there’s more info.
Cheers
PIGINAWIG said:
I know the couple that lost this money very well. It was actually the client that had his email hacked, not the solicitor. He is usually very diligent regarding financial matters so I was very surprised that this has happened.
Regardless of blame etc, he’s a bloody decent lad and this is having a huge impact on his life.
I will update here as and when there’s more info.
Cheers
Thank you for that - any other info you can update us with will certainly be appreciated by me - every day is a school day.
PIGINAWIG said:
I know the couple that lost this money very well. It was actually the client that had his email hacked, not the solicitor. He is usually very diligent regarding financial matters so I was very surprised that this has happened.
Regardless of blame etc, he’s a bloody decent lad and this is having a huge impact on his life.
I will update here as and when there’s more info.
Cheers
To others thinking "st this could happen to me" there is a quick step you can do that will foil this type of "hack".
Enable two-factor authentication on your e-mail. If your e-mail provider doesn't support 2FA then they are not worth using.
This will prompt you for a one-time password or a popup approval box on your phone when logging into your email. You can also usually trust specific devices (e.g. phone, home computer) so as not to be prompted for this info every single time. But if George Agdgdgwengo in Nigeria has your e-mail address and password he is not going to be able to log in, and if he tries you will get the SMS notification on your phone and know that someone other than you is trying to access your e-mail.
https://www.turnon2fa.com/
If it all sounds like gobbledygook to you, take some time to understand it and how it can protect you. I bet the guy who lost £120k wished he'd spent some time getting 2FA to work.
Dromedary66 said:
To others thinking "st this could happen to me" there is a quick step you can do that will foil this type of "hack".
Enable two-factor authentication on your e-mail. If your e-mail provider doesn't support 2FA then they are not worth using.
This will prompt you for a one-time password or a popup approval box on your phone when logging into your email. You can also usually trust specific devices (e.g. phone, home computer) so as not to be prompted for this info. But if George Agdgdgwengo in Nigeria has your e-mail address and password he is not going to be able to log in, and if he tries you will get the SMS notification on your phone and know that someone other than you is trying to access your e-mail.
https://www.turnon2fa.com/
If it all sounds like gobbledygook to you, take some time to understand it and how it can protect you. I bet the guy who lost £120k wished he'd spent some time getting 2FA to work.
^^
This basically.
We do sessions on this at work and I just tell people go get a Gmail account and turn on 2FA.
PIGINAWIG said:
I know the couple that lost this money very well. It was actually the client that had his email hacked, not the solicitor. He is usually very diligent regarding financial matters so I was very surprised that this has happened.
Regardless of blame etc, he’s a bloody decent lad and this is having a huge impact on his life.
I will update here as and when there’s more info.
Cheers
Interesting, obviously you won't be able to divulge anything, but from the article it seemed he had phoned in to the solicitor who then sent the details back by e-mail. Was the email then intercepted on his machine, so after the solicitor sent it over, or was it a different scenario altogether?
As to why they were transferring the money to the Solicitor...... I got divorced a few years back and had to pay my ex-wife £125000 to buy her out of the house. The Solicitor involved in the divorce asked for the £125,000 to be paid to their account, whereupon they would sit on it for a while, then transfer it to her Solicitors, who would then pay my ex-wife.
Now the £125000 was sitting in my bank account. Due to the amount, I went to my bank where I met the ex-wife, and transferred the money direct from my account to her account, got receipts for the whole thing and the job was done....
I can only imagine there are benefits to the solicitors to have the money go through their accounts. Transaction charges, interest etc etc. None of which is necessary but I was made to think it was the safest process.... obviously not! I always think the more people involved the more chance of it screwing up!
Apple doesn't have DNSSEC.
Google has softfail SPF settings.
Neither has DMARC.
..etc..etc
SPF, DKIM, DMARC etc are not some kind of anti-fraud magic bullet. They overlap in some areas, and they don't work at all where a given recipient mail server isn't also set up to verify this data. What good is this solicitor having SPF et al set up if their clients' email systems don't?
It doesn't help that end users are completely oblivious to what these things are. At least two-factor authentication is standardised, explained well to laymen and is something they can choose to use if they want more security. Email needs something akin to that if it's ever going to have any value as a secure messaging platform, and the only practicable way that's going to happen is if the likes of Apple, Google and/or Microsoft impose it on people.
Edited by Durzel on Monday 23 October 12:55
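The softfail and missing-DMARC observations above can be turned into a repeatable check of what a domain publishes. This is an added example, not code from the post; it makes no DNS queries (the SPF and DMARC records are passed in as strings, and the two sample records are constructed), so it grades only the sending side. It cannot tell you whether a given recipient's server verifies any of it, which is the post's point and remains true.

```python
"""Grade SPF and DMARC policy strength from the published record text.

Added example, not code from the forum post. No DNS lookups are made; the
sample records are constructed so the check runs offline.
"""
from typing import Dict, Optional

SPF_ALL_MEANING = {
    "-": "fail: unlisted senders should be rejected",
    "~": "softfail: unlisted senders are accepted but marked",
    "?": "neutral: no assertion about unlisted senders",
    "+": "pass: any server may send as this domain",
}


def spf_all_qualifier(record: Optional[str]) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism, or None if SPF is absent or has no 'all'."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        # A mechanism with no explicit qualifier defaults to "+".
        qualifier, mechanism = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mechanism.lower() == "all":
            return qualifier
    return None


def dmarc_tags(record: Optional[str]) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; pct=100' into a tag dict (empty if absent)."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> Dict:
    """Summarise what a receiver that does check SPF/DMARC would be told."""
    findings = []
    spf_all = spf_all_qualifier(spf_record)
    if spf_record is None:
        findings.append("no SPF record: receivers cannot check sending sources")
    elif spf_all is None:
        findings.append("SPF has no 'all' mechanism: unlisted senders default to neutral")
    elif spf_all != "-":
        findings.append(f"SPF {spf_all}all is {SPF_ALL_MEANING[spf_all]}")

    tags = dmarc_tags(dmarc_record)
    policy = tags.get("p")
    pct = int(tags.get("pct", "100"))
    if not tags:
        findings.append("no DMARC record: SPF/DKIM results are not enforced and no reports come back")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")

    # DMARC is the part that turns an SPF/DKIM failure into an action; a
    # softfail-only SPF without DMARC leaves the decision to each receiver.
    enforced = bool(tags) and policy in ("quarantine", "reject") and pct == 100
    return {"spf_all": spf_all, "dmarc_policy": policy,
            "dmarc_enforced": enforced, "findings": findings}


# Constructed sample records (RFC 5737 address space, example.com names).
WEAK_SPF = "v=spf1 include:_spf.mailhost.example ~all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, None), ("strong", STRONG_SPF, STRONG_DMARC)):
        result = assess(spf, dmarc)
        print(label, "enforced" if result["dmarc_enforced"] else "not enforced")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed records, the softfail-plus-no-DMARC pair produces two findings and is graded as not enforced, while the -all plus p=reject pair produces none; a p=quarantine record with pct=50 is also reported as not fully enforced.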
Personally, I've avoided any use of IT in these situations, recently having transferred sums to and from various companies including solicitors.
All the Bank details were supplied face-to-face [1], no phone, no emails. The payments were made in person at a Branch which were also sanity checked by the branch staff so any incorrect keying of numbers wouldn't occur, unless all three of us suffered the same inability to read!
If you're not happy to lose the amount of money involved, reduce the amount of IT in the process.
[1] the solicitor dealing with the transaction did comment they wished more people did it this way instead of relying on emails.