Scammed by a Hacked email account


Sheepshanks

32,530 posts

118 months

Thursday 17th January 2019
Durzel said:
The problem with email in general really is that efforts like DMARC, SPF, DKIM, etc really only work to imbue messages with more technical credibility, they don't actually protect anyone against what is actually in them, and even then you can't really set them to be aggressive because chances are almost everyone who emails you isn't going to be adhering to the same standards, implementing them properly or at all.

So what happens is that all of this stuff is set to "soft fail" so that stuff doesn't get blocked at the mail server and people still get their emails.

And then there is also the issue that in some cases these systems would actually validate phishing emails, because they check that they have been sent by the correct servers etc. So if someone hacks your email account, logs into your webmail and sends emails, DMARC, SPF, DKIM et al. would happily report that the email is safe because it came from the server that was authorised to send it, etc.

Email fundamentally should not be considered trustworthy.
We use Office 365 and were advised against ramping up the various protections too much as it would block a lot of customer email.

It's a bit terrifying to look at the logs and see the volume of stuff - mostly containing malware - that it blocks and never passes on, much of it has an internal address spoofed.

Fake Office 365 phishing emails get through quite a lot - everyone gets a couple per day.
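The two points Durzel makes in the quoted post above (a DMARC/SPF/DKIM "pass" only says the message left an authorised server, and a domain set to "soft fail" never asks receivers to block anything) are easy to see in code. The following is an added illustration, not code from this thread or from any of the products mentioned; every domain, DMARC record, header and message in it is constructed, and the triage rule at the end is one defender's heuristic, not a standard.

```python
"""Inbound-mail triage: why SPF/DKIM/DMARC 'pass' is not a trust signal.

Added example, not code from the thread. Every domain, DMARC record,
header and message below is constructed for illustration.
"""
import re
from email import message_from_string

# Constructed DMARC TXT records keyed by sending domain (hypothetical domains).
# p=none is the "monitor only / soft fail" setting the thread describes:
# receivers report failures but are not asked to block anything.
DMARC_RECORDS = {
    "builder.example": "v=DMARC1; p=none; rua=mailto:reports@builder.example",
    "strict.example": "v=DMARC1; p=reject; pct=100",
}


def dmarc_policy(domain):
    """Return the domain's requested policy ('none', 'quarantine', 'reject'),
    or None when no valid DMARC record exists."""
    record = DMARC_RECORDS.get(domain.lower())
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header.
    (In production only trust the header your own MX added; a sender can
    forge one, so the gateway should strip inbound copies first.)"""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(r"\b%s=(\w+)" % mech, header or "", re.IGNORECASE)
        verdicts[mech] = match.group(1).lower() if match else "none"
    return verdicts


# Phrases typical of invoice-redirection ("our bank details have changed") fraud.
PAYMENT_CHANGE = re.compile(
    r"(new|changed?|updated?)\s+(bank|account|payment)\s+details"
    r"|(bank|account|payment)\s+details\s+(have\s+)?changed"
    r"|sort\s+code|account\s+number|\biban\b",
    re.IGNORECASE,
)


def triage(raw_message):
    """Classify one message. Authentication tells you which server sent it;
    it says nothing about whether the mailbox is still in its owner's hands,
    so a payment-detail change is always held for out-of-band verification."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "")
    from_domain = sender.split("@")[-1].strip("> ").lower()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    policy = dmarc_policy(from_domain)
    authenticated = all(auth[m] == "pass" for m in ("spf", "dkim", "dmarc"))
    payment_change = bool(PAYMENT_CHANGE.search(msg.get_payload() or ""))

    if payment_change:
        action = "hold: confirm bank details by phone on a previously known number"
    elif not authenticated and policy in (None, "none"):
        action = "deliver: authentication failed but domain policy asks for no blocking"
    elif not authenticated:
        action = "%s: per domain DMARC policy" % policy
    else:
        action = "deliver"

    return {
        "from_domain": from_domain,
        "auth": auth,
        "policy": policy,
        "authenticated": authenticated,
        "payment_change_requested": payment_change,
        "action": action,
    }


# Constructed: sent from the builder's real, but compromised, mailbox.
COMPROMISED_ACCOUNT_MSG = """\
From: Builder Ltd <accounts@builder.example>
To: customer@customer.example
Subject: Invoice 1042 - updated bank details
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=builder.example; dkim=pass header.d=builder.example; dmarc=pass header.from=builder.example

Hi, please note our bank details have changed for this invoice.
The new account number and sort code are below; please pay to the new account.
"""

# Constructed: a spoof of the same address sent from an unauthorised server.
SPOOFED_MSG = """\
From: Builder Ltd <accounts@builder.example>
To: customer@customer.example
Subject: Re: quote
Authentication-Results: mx.customer.example; spf=softfail smtp.mailfrom=builder.example; dkim=none; dmarc=fail header.from=builder.example

Just checking you received the quote. Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("compromised", COMPROMISED_ACCOUNT_MSG), ("spoofed", SPOOFED_MSG)):
        print(name, triage(raw))
```

Run as-is, the compromised-mailbox message passes all three checks and still gets held, because the body asks for money to go to new account details; the spoof fails all three checks yet is delivered, because the sending domain's constructed record says `p=none`. Changing that record to `p=reject` is what turns the failure into a block.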

Dixy

2,913 posts

204 months

Thursday 17th January 2019
Graveworm said:
It may well be an "innocent" third party, or at least one with plausible deniability. They will often target the vulnerable, desperate or willing victims. Hi, you have a UK bank account?? I/my friend needs one to get some money paid into as they don't have/are overdrawn or it can't accept payments. No risk, it gets paid in and you draw it out and give them the cash and they will give you a few quid for your trouble.
I find it very hard to believe this happens very often, but if so you have an identifiable party to the fraud.

Dixy

2,913 posts

204 months

Thursday 17th January 2019
Durzel said:
Banks aren't liable for the same reason airports can't be expected to stop every bit of contraband going through.

It is impossible to check every transaction being made because the whole system would grind to a halt. And, you can be sure that the people being protected would not be thrilled that every payment they make or receive arbitrarily takes much longer because every single transaction is questioned. People want security but not at the cost of actually inconveniencing them.

From the bank's perspective they see a transaction that doesn't look particularly unusual, going from one account to another. If both bank accounts have been vetted at point of inception, and later hacked because the customers are useless with security, then how are they supposed to know that a given transaction is fraudulent?
This is not about each transaction, it is about each account: to open an account you have to prove you are who you say you are. When I turn up at that bank and prove a fraudulent transaction has gone through that account, they should have to prove they opened the account correctly. Either here is John Smith of 32 Acacia Avenue, in which case he gets nicked, or they failed to establish John Smith was bona fide, in which case they pay up.

anonymous-user

53 months

Thursday 17th January 2019
You are definitely liable. As you've read by now.

Think of it this way. Flip it round.

I run a business (or two).

If one day I receive an email from a customer saying "I've paid money into a fraudster's account by mistake by someone pretending to be you. Regardless, I feel I've paid "you". Please send the goods now", I'm not sending anything.

Sheepshanks

32,530 posts

118 months

Thursday 17th January 2019
RogerDodger said:
You are definitely liable. As you've read by now.

Think of it this way. Flip it round.

I run a business (or two).

If one day I receive an email from a customer saying "I've paid money into a fraudster's account by mistake by someone pretending to be you. Regardless, I feel I've paid "you". Please send the goods now", I'm not sending anything.
But what if that someone was able to pretend to be you because you'd been careless with your email security?

Durzel

12,232 posts

167 months

Thursday 17th January 2019
Dixy said:
This is not about each transaction, it is about each account: to open an account you have to prove you are who you say you are. When I turn up at that bank and prove a fraudulent transaction has gone through that account, they should have to prove they opened the account correctly. Either here is John Smith of 32 Acacia Avenue, in which case he gets nicked, or they failed to establish John Smith was bona fide, in which case they pay up.
The accounts more than likely won't be fraudulent though, not in the sense that someone called Ronnie Biggs has tried to open one and the bank has let them.

There's only so much practical due diligence a bank can do before they end up profiling people and refusing to open accounts because they "look a bit shifty". Currently if you have proof of ID and proof of a current UK address then you can open an account. What more would you suggest is needed, or that your average person could provide?

Identity theft can facilitate opening bank accounts or taking out credit cards in other people's names, and even where that hasn't happened, other documents thrown out or weak passwords, etc. can provide access to someone's bank account online.

The banks are victims themselves in this as well, and ultimately have acted upon an instruction by their customer to transfer money to another account. There is only so much automated fraud checks can do to intercept payments where the source is a bona fide customer and the destination is a valid bank account that exists (at which point it can be assumed identity checks to open it have passed).

Lopey

258 posts

97 months

Thursday 17th January 2019
Hol said:
Why?

Who's to say that you aren't the scammer, or Lord Lucan?
rolleyes

Dixy

2,913 posts

204 months

Thursday 17th January 2019
Durzel said:
There's only so much practical due diligence a bank can do before they end up profiling people and refusing to open accounts because they "look a bit shifty". Currently if you have proof of ID and proof of a current UK address then you can open an account. What more would you suggest is needed, or that your average person could provide?
But this is happening day in day out with hundreds of accounts.
A few years ago I wanted a John Lewis credit card, I tried to do it in store and took what I thought were good pieces of ID, my shotgun certificate was rejected in favour of a gas bill.

https://www.youtube.com/watch?v=AJQ3TM-p2QI

Teddy Lop

8,294 posts

66 months

Thursday 17th January 2019
Dixy said:
But this is happening day in day out with hundreds of accounts.
A few years ago I wanted a John Lewis credit card, I tried to do it in store and took what I thought were good pieces of ID, my shotgun certificate was rejected in favour of a gas bill.

https://www.youtube.com/watch?v=AJQ3TM-p2QI
I remember about, oh, 15 years ago having my passport handed back to me in ... whatever that DVD rental chain store was, I forget, and being asked for a utility invoice, y'know, the thing anyone with a bubblejet printer can fake. We walked out the door with the BiL going "don't worry mate, we'll just download it". They're bust now, go figure.

Eddieslofart

1,328 posts

82 months

Thursday 17th January 2019
A large London council had an email from my old firm advising of a change in bank details.

We invoiced the council circa £450k. Never seen again.

They had to pay us again, because they never checked.

Graveworm

8,476 posts

70 months

Thursday 17th January 2019
Sheepshanks said:
But what if that someone was able to pretend to be you because you'd been careless with your email security?
As far as I know, with the exception of bribery, you don’t become liable for the criminal actions of others because you didn't do enough to stop them.

Sheepshanks

32,530 posts

118 months

Thursday 17th January 2019
Graveworm said:
As far as I know, with the exception of bribery, you don’t become liable for the criminal actions of others because you didn't do enough to stop them.
Well, there's negligence if, as is likely, account access was gained because the builder responded to a phishing email. But that's stretching things.

Anyway, the matter of the genuine payment between builder and customer is a civil matter.

julian64

14,317 posts

253 months

Friday 18th January 2019
Graveworm said:
Sheepshanks said:
But what if that someone was able to pretend to be you because you'd been careless with your email security?
As far as I know, with the exception of bribery, you don’t become liable for the criminal actions of others because you didn't do enough to stop them.
Well that's not actually true. Try leaving your keys in your car tonight, and when it is stolen try claiming on your insurance.

Your insurance company will hold you liable in part for the criminal actions of others and will refuse to pay out.

TriumphStag3.0V8

3,794 posts

80 months

Friday 18th January 2019
Sheepshanks said:
Well, there's negligence if, as is likely, account access was gained because the builder responded to a phishing email. But that's stretching things.

Anyway, the matter of the genuine payment between builder and customer is a civil matter.
That's the thing though, the builder may well not have been negligent. He may have been conned in the same way that the OP was, or the service he uses may have been hacked - if you were a user of a large service (such as Office 365 or Facebook) and they were hacked, revealing their customers' passwords, would you be negligent for using that service?

The builder could have been tricked into revealing his password, again not negligent.

Of course he may have posted his account details to facebook and asked people to read his email, we don't know.

It sucks for the OP and these scammers deserve a special place in hell, but you should never EVER make payments to an account based on information in an email, regardless of how convincing the email sounds. Better to make a phone call and feel a little embarrassed than lose several hundred/thousand pounds.

As for the bank accounts, as an example of how this works, someone I know was on the jury for a trial of these types of scammer, and the bank accounts they used were those of overseas students who had left the country. In this case Indian students over here on student visas who had opened bank accounts, finished their studies and, before leaving, been offered £50-£100 by the scammers to hand over their bank account details and access, which the scammers then used (these were the accounts the scammers tricked people into sending money to, and when the money arrived in these accounts it was quickly moved on through a number of other accounts and off to overseas banks where it would be withdrawn). By the time the web of transactions had been traced, the money was long gone. The amount of investigation that had gone into tracing all this was phenomenal; there were literally piles of A4 binders showing the transactions.
It's very sophisticated, scarily so. In some of the cases the time spent surveying and researching the "mark" once access had been gained stretched into months. In some of these cases, tens of thousands of pounds had vanished, and very little of the money was recovered.

juice

8,509 posts

281 months

Friday 18th January 2019
Get some awareness training. It's the single most important tool companies can use to stop their staff doing silly things.
We implemented this a couple of years ago, using KnowBe4 (other vendors are available).

We've gone from an env where people would literally click on anything to one where according to the metrics, we're less than 5% phish prone now.
Any users that click on simulated phish emails are automatically enrolled into more training.

I caught 5 of our users with a simulated phish straight after the Marriott breach. Those 5 users were then given extra training and I was happy that they clicked in a controlled environment rather than 'in the wild' so to speak, where those actions could have had much more serious implications.

It's also very cheap comparatively... about $15 a user per year!

Graveworm

8,476 posts

70 months

Friday 18th January 2019
julian64 said:
Well that's not actually true. Try leaving your keys in your car tonight, and when it is stolen try claiming on your insurance.

Your insurance company will hold you liable in part for the criminal actions of others and will refuse to pay out.
No the criminal is still liable for the theft. I am the victim of that theft. In this case the OP is the victim of a crime which (If we assume that the account was hacked) arose from a previous criminal act.
If I can find the car thief they would be held liable for my loss, I am responsible for honouring my explicit agreement with the insurance company if that doesn't work out. wink

Similarly the "Hacker" could be held liable if he could be found.

If - as they drive off in my stolen car they run someone over or they use it in a getaway for a bank robbery those victims could not claim I was responsible as I left my keys in my car.

Edited by Graveworm on Friday 18th January 09:51

anonymous-user

53 months

Friday 18th January 2019
Sheepshanks said:
RogerDodger said:
You are definitely liable. As you've read by now.

Think of it this way. Flip it round.

I run a business (or two).

If one day I receive an email from a customer saying "I've paid money into a fraudster's account by mistake by someone pretending to be you. Regardless, I feel I've paid "you". Please send the goods now", I'm not sending anything.
But what if that someone was able to pretend to be you because you'd been careless with your email security?
It's a tough one, isn't it? I hear what you are saying. And if I failed to secure my email then I'd feel pretty responsible, but then how do you define "being secure"? Is there a minimum complexity & length of password? What are the rules?

Jonno02

2,246 posts

108 months

Friday 18th January 2019
RogerDodger said:
It's a tough one, isn't it? I hear what you are saying. And if I failed to secure my email then I'd feel pretty responsible, but then how do you define "being secure"? Is there a minimum complexity & length of password? What are the rules?
2-factor authentication, so that unless the "hacker" has also stolen your phone, they cannot get access.

Heres Johnny

7,175 posts

123 months

Friday 18th January 2019
Jonno02 said:
RogerDodger said:
It's a tough one, isn't it? I hear what you are saying. And if I failed to secure my email then I'd feel pretty responsible, but then how do you define "being secure"? Is there a minimum complexity & length of password? What are the rules?
2-factor authentication, so that unless the "hacker" has also stolen your phone, they cannot get access.
Easy to say, less easy to do unless your provider offers the service. And please don't just glibly say "change your provider".

markjmd

549 posts

67 months

Friday 18th January 2019
Graveworm said:
No the criminal is still liable for the theft. I am the victim of that theft. In this case the OP is the victim of a crime which (If we assume that the account was hacked) arose from a previous criminal act.
If I can find the car thief they would be held liable for my loss, I am responsible for honouring my explicit agreement with the insurance company if that doesn't work out. wink

Similarly the "Hacker" could be held liable if he could be found.

If - as they drive off in my stolen car they run someone over or they use it in a getaway for a bank robbery those victims could not claim I was responsible as I left my keys in my car.

Edited by Graveworm on Friday 18th January 09:51
Exactly this. It sounds like the bank/police are investigating, and if they can trace the scammer they're certainly not going to just let them keep the money. That's a pretty big if though, obviously.