Scammed by a Hacked email account


D1ckie

739 posts

190 months

Friday 18th January 2019
Jonno02 said:
RogerDodger said:
It's a tough one isn't it? I hear what you are saying. And if I failed to secure my email then I'd feel pretty responsible, but then how do you define "being secure". Is there a minimum complexity & length of password? What are the rules?
2-factor authentication, so that unless the "hacker" has also stolen your phone, they cannot get access.
Actually they don't need your phone, just a sim swap, which is getting more and more common.

D1ckie

739 posts

190 months

Friday 18th January 2019
Durzel said:
The accounts more than likely won't be fraudulent though, not in the sense that someone called Ronnie Biggs has tried to open one and the bank has let them.

There's only so much practical due diligence a bank can do before they end up profiling people and refusing to open accounts because they "look a bit shifty". Currently if you have proof of ID and proof of a current UK address then you can open an account. What more would you suggest is needed, or that your average person could provide?

Identity theft can facilitate opening bank accounts or taking out credit cards in other people's names, and even where that hasn't happened, other documents thrown out or weak passwords, etc. can provide access to someone's bank account online.

The banks are victims themselves in this as well, and ultimately have acted upon an instruction by their customer to transfer money to another account. There is only so much automated fraud checks can do to intercept payments where the source is a bona fide customer and the destination is a valid bank account that exists (at which point it can be assumed identity checks to open it have passed).
I think banks should possibly have more profiling of their customers accounts.

EG if someone's account only usually gets £250.00 / week paid in and then they suddenly receive a payment of £5K, that money should be held for a period of time, possibly 7 days, before the customer is able to access it.

Limits for withdrawals / immediate availability of receipts could be based on the customer's overdraft limit, so if you have a £1K overdraft but receive more than that value as a payment then the money is held and not cleared.

I was subject to Sim Swap fraud 18 months ago that was clever enough to convince a relative to pay £5K to someone on my behalf; luckily they got the money back.

Funk

26,277 posts

209 months

Friday 18th January 2019
D1ckie said:
Jonno02 said:
RogerDodger said:
It's a tough one isn't it? I hear what you are saying. And if I failed to secure my email then I'd feel pretty responsible, but then how do you define "being secure". Is there a minimum complexity & length of password? What are the rules?
2-factor authentication, so that unless the "hacker" has also stolen your phone, they cannot get access.
Actually they don't need your phone, just a sim swap, which is getting more and more common.
That's not quite accurate... That would only apply for an account which relies on SMS-based 2FA and would also rely on someone being able to get your network provider to give them a new SIM with the correct phone number. It has happened, but in light of the recent noise around it I would expect mobile providers to be doing what they should've been doing all along and ensuring that proof of ID is absolute before handing out a new SIM and porting the number.

The other method of 2FA is with apps (such as Google Authenticator etc) which aren't tied to the number but ARE secured by the phone's encryption and lock. This is the better method of doing 2FA rather than SMS.

anonymous-user

54 months

Friday 18th January 2019
Jonno02 said:
RogerDodger said:
It's a tough one isn't it? I hear what you are saying. And if I failed to secure my email then I'd feel pretty responsible, but then how do you define "being secure". Is there a minimum complexity & length of password? What are the rules?
2-factor authentication, so that unless the "hacker" has also stolen your phone, they cannot get access.
That's not what I'm saying. I asked where do you draw the line? Not how to be secure. I know how to do that.

D1ckie

739 posts

190 months

Friday 18th January 2019
Funk said:
That's not quite accurate... That would only apply for an account which relies on SMS-based 2FA and would also rely on someone being able to get your network provider to give them a new SIM with the correct phone number. It has happened, but in light of the recent noise around it I would expect mobile providers to be doing what they should've been doing all along and ensuring that proof of ID is absolute before handing out a new SIM and porting the number.

The other method of 2FA is with apps (such as Google Authenticator etc) which aren't tied to the number but ARE secured by the phone's encryption and lock. This is the better method of doing 2FA rather than SMS.
That's not quite accurate... my sim swap involved someone calling my provider, providing some very basic security and then asking for my number to be transferred to another sim. It was that simple that each time I changed it back they called and changed it again. I was amazed how much of my personal accounts they could access just by having my phone number. It may have been that someone who worked for my phone provider was in on the scam, which made it easier, but a month later I found out someone had opened an account with one of the credit checking companies to get my information.

It was one of those companies that asks really stupid questions when you apply, such as who do you bank with;
Barclays
Bank of India
Bank of China

Hol

8,412 posts

200 months

Friday 18th January 2019
D1ckie said:
I think banks should possibly have more profiling of their customers accounts.

EG if someone's account only usually gets £250.00 / week paid in and then they suddenly receive a payment of £5K, that money should be held for a period of time, possibly 7 days, before the customer is able to access it.

Limits for withdrawals / immediate availability of receipts could be based on the customer's overdraft limit, so if you have a £1K overdraft but receive more than that value as a payment then the money is held and not cleared.

I was subject to Sim Swap fraud 18 months ago that was clever enough to convince a relative to pay £5K to someone on my behalf; luckily they got the money back.
A good idea in theory.

Fine when it captures a fraud, but a ball ache when you forget to tell the bank you are on holiday in a high risk country and everything is blocked.

For example, one of the repeated complaints that banks get already is where they block cards for just such a reason, when it turns out to be valid and the customer has lost out on a purchase, or cannot pay for something in India when on holiday.

Terminator X

15,084 posts

204 months

Friday 18th January 2019
No help to the OP, but my company bank details are written on my headed paper and used for invoicing; surely a simple failsafe vs a random email saying pay another account?!

TX.

Teddy Lop

8,294 posts

67 months

Friday 18th January 2019
Q for the IT minded - am I fully protected from such monitoring (at least at my end) by not using an "online" based account that logs sent mails? Email goes from windows mail on pc via an SMTP account.

Dammit

3,790 posts

208 months

Friday 18th January 2019
Terminator X said:
No help to the OP, but my company bank details are written on my headed paper and used for invoicing; surely a simple failsafe vs a random email saying pay another account?!

TX.
1. Paper invoice delivered
2. Email sent spoofing your identity as a follow up requesting that the account details are changed as you're moving banks, but you've not had time to update the paperwork yet (sorry!)
3. Recipient recognises your name, your email address, they've had the goods or service and they wish to maintain a decent relationship, so they change the bank details
4. The recipient may even call the number in the email, and speak with "you" to confirm
5. They pay the money to a money mule's account, who transfers the bulk of it to a member of the Nigerian Confraternity who originally breached you

Or, a variation, if your letterhead is saved anywhere in your company network then they can alter that and send it as a PDF attached to the "account details change" email.

Dammit

3,790 posts

208 months

Friday 18th January 2019
Teddy Lop said:
Q for the IT minded - am I fully protected from such monitoring (at least at my end) by not using an "online" based account that logs sent mails? Email goes from windows mail on pc via an SMTP account.
No, not at all.

Dammit

3,790 posts

208 months

Friday 18th January 2019
Sheepshanks said:
We use Office 365 and were advised against ramping up the various protections too much as it would block a lot of customer email.

It's a bit terrifying to look at the logs and see the volume of stuff - mostly containing malware - that it blocks and never passes on, much of it has an internal address spoofed.

Fake Office 365 phishing emails get through quite a lot - everyone gets a couple per day.
O365 is woeful; you need to put a decent Secure Email Gateway between it and the Internet.

Configured correctly, customer mail will not be blocked by a decent SEG.

TriumphStag3.0V8

3,852 posts

81 months

Saturday 19th January 2019
Terminator X said:
No help to the OP, but my company bank details are written on my headed paper and used for invoicing; surely a simple failsafe vs a random email saying pay another account?!

TX.
Nope, I have seen email containing PDFs of official looking headed paper, some very very convincing, and PDF invoices on the correct headed paper. Remember, these people are potentially going to net thousands and can be watching your email without your knowledge for some time, plenty of opportunity to knock up a convincing letterhead.

bitchstewie

51,232 posts

210 months

Saturday 19th January 2019
Teddy Lop said:
Q for the IT minded - am I fully protected from such monitoring (at least at my end) by not using an "online" based account that logs sent mails? Email goes from windows mail on pc via an SMTP account.
No.

SMTP can be plain text over the internet.

There's a really simple set of suggestions I give anyone when I'm talking about this stuff:

  • Drop your old ISP provided email account.
  • Get a Gmail account
  • Choose a strong unique password for your Gmail account
  • Enable 2 factor authentication
  • Get a Password Manager
  • Change all your other passwords to strong unique passwords
It's not that hard once you get into the habit of doing it.

Heres Johnny

7,229 posts

124 months

Saturday 19th January 2019
bhstewie said:
No.

SMTP can be plain text over the internet.

There's a really simple set of suggestions I give anyone when I'm talking about this stuff:

  • Drop your old ISP provided email account.
  • Get a Gmail account
  • Choose a strong unique password for your Gmail account
  • Enable 2 factor authentication
  • Get a Password Manager
  • Change all your other passwords to strong unique passwords
It's not that hard once you get into the habit of doing it.
And any business that emails me from a gmail account gets automatically sent to the spam folder, and while the above reduces the likelihood of YOU being compromised, it does little to stop your customers being sent bogus emails in your name.

bitchstewie

51,232 posts

210 months

Saturday 19th January 2019
Heres Johnny said:
And any business that emails me from a gmail account gets automatically sent to the spam folder, and while the above reduces the likelihood of YOU being compromised, it does little to stop your customers being sent bogus emails in your name.
I agree I wouldn't use an @gmail for business, but that's not what I thought Teddy Lop asked.

If I was a business I'd be using G Suite or Office 365 with my own domain name, using 2 factor authentication, and ensuring it was configured correctly.

If I was a consumer I'd be using Gmail because they have the best protections for the average consumer to stop them getting a fraudulent email.

Judging from the number of vans I pass that have plumbingguy@btinternet.com plastered across the side I'm not sure many businesses have quite cottoned on yet.

Email isn't foolproof but there are things you can do to help protect yourself on both sides of such frauds.

Teddy Lop

8,294 posts

67 months

Saturday 19th January 2019
bhstewie said:
No.

SMTP can be plain text over the internet.

There's a really simple set of suggestions I give anyone when I'm talking about this stuff:

  • Drop your old ISP provided email account.
  • Get a Gmail account
  • Choose a strong unique password for your Gmail account
  • Enable 2 factor authentication
  • Get a Password Manager
  • Change all your other passwords to strong unique passwords
It's not that hard once you get into the habit of doing it.
It's actually my own domain and handled by fasthost. It's on my perennial to-do list to update it all, as my business website was done by yours truly in 2004 with dialup modems in mind.

bitchstewie

51,232 posts

210 months

Saturday 19th January 2019
Teddy Lop said:
It's actually my own domain and handled by fasthost. It's on my perennial to-do list to update it all, as my business website was done by yours truly in 2004 with dialup modems in mind.
I honestly wouldn't look much further than G Suite or Office 365.

Both have tools that will make it simpler for you to configure your email securely and put the necessary records in place.

Dammit

3,790 posts

208 months

Saturday 19th January 2019
Personally, for a smaller business, I would never use O365. Gmail I would use.

O365 has to be secured using other products, and whilst that is also true of Gmail it’s to a much much smaller extent, and you can probably wear it as a small business.

Dammit

3,790 posts

208 months

Saturday 19th January 2019
bhstewie said:
No.

SMTP can be plain text over the internet.

There's a really simple set of suggestions I give anyone when I'm talking about this stuff:

  • Drop your old ISP provided email account.
  • Get a Gmail account
  • Choose a strong unique password for your Gmail account
  • Enable 2 factor authentication
  • Get a Password Manager
  • Change all your other passwords to strong unique passwords
It's not that hard once you get into the habit of doing it.
I'd agree with all of this, and would add:
- Deploy SPF, DKIM and DMARC to prevent impersonation of your emails

For small/sole traders this should be pretty straightforward, and there are tools available for very little money to help.
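Dammit's addition above (publish SPF, DKIM and DMARC) is the one item in this thread that protects the customers rather than the sender, and it is also the one most often published with a setting that does nothing. As an added example, not code from the thread or from any poster, here is a small checker for the two TXT records a sole trader controls directly: it parses a DMARC record into its tags, flags the settings that leave the domain unprotected (p=none, no reporting address, partial pct), checks an SPF record for the lookup limit and the `+all` mistake, and drafts the records to publish. The sample records and every domain in them are constructed (`.invalid` names), and `recommended_records` is a hypothetical helper that assumes your mail provider publishes an SPF include to reference.

```python
import re
from typing import Dict, List

# Constructed sample records for a hypothetical domain; not real DNS data.
SAMPLE_SPF = "v=spf1 include:_spf.mailhost.invalid mx -all"
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.invalid; "
                "adkim=r; aspf=r; pct=100")

# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('tag=value; tag=value') into an ordered dict of tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return a list of problems; an empty list means the record actually enforces."""
    issues: List[str] = []
    tags = parse_dmarc(record)
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        issues.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p= must be one of none, quarantine, reject")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} leaves some spoofed mail unhandled")
    return issues


def _term_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(record: str) -> List[str]:
    """Return a list of problems with an SPF TXT record."""
    issues: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    lookups = sum(1 for t in terms[1:] if _term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        issues.append("+all authorises every host on the internet to send as you")
    elif last not in ("-all", "~all", "?all") and _term_name(last) != "redirect":
        issues.append("no terminal 'all' mechanism: unlisted senders are neutral")
    return issues


def recommended_records(domain: str, provider_include: str, report_mailbox: str) -> Dict[str, str]:
    """Hypothetical helper: TXT records to publish for `domain`, assuming the
    mail provider publishes an SPF include at `provider_include`."""
    return {
        domain: f"v=spf1 include:{provider_include} -all",
        f"_dmarc.{domain}": f"v=DMARC1; p=quarantine; rua=mailto:{report_mailbox}; adkim=s; aspf=s",
        # DKIM lives at <selector>._domainkey.<domain> and holds the public key your
        # provider generates; it is provider-specific, so it is not drafted here.
    }


if __name__ == "__main__":
    print("SPF issues:", check_spf(SAMPLE_SPF) or "none")
    print("DMARC issues:", check_dmarc(SAMPLE_DMARC) or "none")
    for name, txt in recommended_records("builder.invalid", "_spf.provider.invalid",
                                         "dmarc@builder.invalid").items():
        print(f"{name} TXT {txt}")
```

Start with `p=none` only long enough to read the aggregate reports and find legitimate senders you forgot about, then move to `quarantine` or `reject`; a domain left on `p=none` indefinitely looks protected and is not.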

roadsmash

2,622 posts

70 months

Saturday 19th January 2019
julian64 said:
It didn't come from his email account. It would be difficult to do that without knowing his passwords. It is much more likely it is a targeted phishing email but from an alternative site.

The difference between the two is probably where I'd draw the line at whose fault it was.

OP needs to look in the email properties and actually confirm it came from the builder's account. I think it's unlikely though.
Not difficult and very easy to do.
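julian64's suggestion to "look in the email properties" and bitchstewie's warning that SMTP can be plain text both come down to reading the headers the receiving server stamped on the message. As an added example, not code from the thread or from any poster, the block below parses a raw message with Python's standard `email` package and checks the things a defender would look at: whether the `Authentication-Results` verdicts (SPF, DKIM) are passes for a domain aligned with the visible `From`, whether `Reply-To` or `Return-Path` point somewhere else, and whether the last hop arrived over TLS (`with ESMTPS` in the topmost `Received` line). Both sample messages are constructed, all domains are `.example`/`.invalid`, and `org_domain` is a deliberate simplification (last two labels) of the Public Suffix List lookup a real DMARC checker performs.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample: an aligned, authenticated, TLS-delivered invoice mail.
GENUINE = """\
Return-Path: <accounts@builder.example>
Received: from mail.builder.example (mail.builder.example [192.0.2.10])
 by mx.customer.example with ESMTPS id abc123
 for <owner@customer.example>; Fri, 18 Jan 2019 09:00:00 +0000
Authentication-Results: mx.customer.example;
 spf=pass smtp.mailfrom=builder.example;
 dkim=pass header.d=builder.example;
 dmarc=pass header.from=builder.example
From: Accounts <accounts@builder.example>
To: owner@customer.example
Subject: Invoice 1042

Please find invoice attached.
"""

# Constructed sample: same visible From, but relayed elsewhere, unsigned, plain text,
# and with Reply-To steering answers to a freemail account.
SUSPECT = """\
Return-Path: <bounce@mail-relay.invalid>
Received: from mail-relay.invalid (mail-relay.invalid [198.51.100.7])
 by mx.customer.example with ESMTP id def456
 for <owner@customer.example>; Fri, 18 Jan 2019 10:00:00 +0000
Authentication-Results: mx.customer.example;
 spf=pass smtp.mailfrom=mail-relay.invalid;
 dkim=none;
 dmarc=fail header.from=builder.example
From: Accounts <accounts@builder.example>
Reply-To: accounts.builder@freemail.invalid
To: owner@customer.example
Subject: Re: Invoice 1042 - new bank details

We have changed banks, please use the attached details.
"""


def domain_of(header_value: Optional[str]) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    if not header_value:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def org_domain(domain: str) -> str:
    """Relaxed-alignment organisational domain. Simplification: last two labels;
    real checkers consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(value: Optional[str]) -> Dict[str, str]:
    """Pull spf/dkim/dmarc verdicts and the domains they authenticated out of
    the Authentication-Results header written by the receiving server."""
    out: Dict[str, str] = {}
    if not value:
        return out
    text = str(value)
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", text)
        if m:
            out[method] = m.group(1).lower()
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", text)
    if m:
        out["spf_domain"] = m.group(1).rsplit("@", 1)[-1].lower()
    m = re.search(r"header\.d=([^\s;]+)", text)
    if m:
        out["dkim_domain"] = m.group(1).lower()
    return out


def assess(raw_message: str) -> Dict[str, object]:
    """Summarise who really sent the message and how it travelled."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    return_dom = domain_of(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    received = [str(h) for h in msg.get_all("Received", [])]  # topmost = last hop

    spf_aligned = auth.get("spf") == "pass" and org_domain(auth.get("spf_domain", "")) == org_domain(from_dom)
    dkim_aligned = auth.get("dkim") == "pass" and org_domain(auth.get("dkim_domain", "")) == org_domain(from_dom)
    # The receiver's own Received line records ESMTPS/ESMTPSA when the last hop used TLS.
    tls_last_hop = bool(received) and re.search(r"\bwith ESMTPSA?\b", received[0]) is not None

    warnings: List[str] = []
    if not (spf_aligned or dkim_aligned):
        warnings.append("no aligned SPF or DKIM pass: From domain was not authenticated")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and org_domain(return_dom) != org_domain(from_dom):
        warnings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    if not tls_last_hop:
        warnings.append("last hop was not over TLS: message travelled in plain text")
    return {"from_domain": from_dom, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "tls_last_hop": tls_last_hop, "warnings": warnings}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(label, assess(raw)["warnings"] or "no warnings")
```

A clean result here only shows the message really left the builder's mail system; if the builder's own mailbox is compromised, as the OP suspects, every check passes, which is why a bank-detail change still needs a phone call to a number you already hold.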