Couple lose £120k in email scam


bitchstewie

Original Poster:

51,196 posts

210 months

Saturday 21st October 2017
Just reading this and I find myself not knowing exactly where I stand.

https://www.theguardian.com/money/2017/oct/21/coup...

I don't think I'd send £120k to anyone based off what an email said.

The solicitors don't seem to be taking even basic technical steps to protect themselves and their clients from email spoofing.

The bank presumably did what it was asked to i.e. sent money to the account number it was asked to.

Seems to be very little mention of the Police when it seems to be a clear case of fraud?

hairyben

8,516 posts

183 months

Saturday 21st October 2017
While it's the punters that were compromised you'd have thought the solicitors would be on top of this kind of scam - it's been going on for years.

The banks too could improve how they handle transfers - how hard, technically, would it be for them to hold amounts in a kind of escrow, for example:

Fred transfers money to Jane.

Money shows in Jane's account, but as ring-fenced and not accessible, and Jane confirms to Fred that details are correct.

Fred can now release funds or reverse the transaction.

Even apart from the fraud aspect many of us double, triple, quadruple check the details and still worry when transferring.

KungFuPanda

4,332 posts

170 months

Saturday 21st October 2017
Not sure why the victims in the story are blaming the bank? The bank were just following instructions sent by the customer. It's the customer who was fooled into sending money to the wrong account. The banks use the sort code and account number as the identifier. It worked for decades, why should they check the physical location of the payee?

MitchT

15,865 posts

209 months

Saturday 21st October 2017
I guess they're blaming the bank because the bank could have been a bit more diligent in checking things out before transferring the money, especially given the sum involved. I recently bought a new laptop from PC World - paid for it online and collected it from the store a few days later. The first time I attempted to pay the "verified by visa" thing declined the payment. Then I received a text from my bank asking me to confirm that the transaction was genuine, and then to wait ten minutes before trying again. You'd think the bank would be at least that careful when £120k is at stake. That said, I'd have phoned the solicitor to verify the email before acting on it.

PurpleMoonlight

22,362 posts

157 months

Saturday 21st October 2017
I have noticed that lately solicitors have only been notifying their client account in writing via snail mail.

eltawater

3,114 posts

179 months

Saturday 21st October 2017
Because for many decades, this type of fraud simply wasn't as straightforward to execute as it would presumably require someone to be intercepting the post. It's all well and good blaming the account holders for supplying the wrong details but it's not within their power to verify the destination details at the holding bank. It's much more likely that it is within the gift of their bank to do so, so I can't see why the banking system can't look into measures to combat this type of fraud amongst themselves.

For years, banks would happily bounce cheques if the payee name did not match the destination account holder. Why can't they implement something similar for transfers of this value?

OddCat

2,526 posts

171 months

Saturday 21st October 2017
The technology exists for banks to validate payee details on the payment instruction with that of the destination account. Banks already have this capability but choose (from a cost point of view) not to use it.

Banks should offer a 'payee validation' service for an extra fee for payments made online or by BACS / CHAPS. Bit like HPI on a car....

Riley Blue

20,953 posts

226 months

Saturday 21st October 2017
I'm probably being incredibly dense here but if he needs to pay HMRC £120,000 inheritance tax and went into his own bank with his debit card to do it, couldn't he have paid it direct without involving his solicitor's account?

Red Devil

13,060 posts

208 months

Saturday 21st October 2017
bhstewie said:
The bank presumably did what it was asked to i.e. sent money to the account number it was asked to.
The real question here is why the regulator is sitting on its hands. There is a very simple check which would go a long way to eliminating the problem.

Linked article said:
In each case the fraudsters exploited a little-known but significant flaw in the banking system – the name on a bank account does not have to match an online or Chaps payment request.

A person can put Mickey Mouse in a transfer mandate and the money will be paid to the account with that sort code and account number, irrespective of whether the name matches or not. Campaigners have described this flaw as a “fraudster’s dream”. Despite the fact that bank fraud is out of control, the Financial Conduct Authority, which oversees banks, has shown little interest in forcing them to match payment requests to account names. Experts say such a move would halt most of these frauds overnight.

Over a year ago, the consumer body Which? lodged a “supercomplaint” with financial regulators demanding banks do more to protect customers tricked into transferring money. So far no concrete measures have emerged and consumers’ losses grow every week.
The FCA is about as much use as its predecessor the FSA. Chocolate fireguard springs to mind.

Nevertheless, a couple of things about the story seem a bit odd to me

Linked article said:
The extraordinary story started in late August when Peter telephoned his family’s long-used firm of solicitors, Steed & Steed, based in Braintree, Essex. He rang because he was due to pay his grandmother’s inheritance tax bill to HM Revenue & Customs and needed the law firm’s bank details. Later that morning, an email duly arrived with the firm’s account and sort code detailed in a Word file attachment. This was the first contact he had had with anyone at the law firm, he says.
They are his family's long-used solicitors yet it was his first contact with them. Hmmm. But more to the point, if the purpose of his telephone call was to obtain the bank details did he not get them during the conversation? If not, why not? If I was given some b/s reason I would sure as hell have rung them back to confirm when the e-mail arrived.

That said, no way would I use a third party however reputable they might seem to be to settle the liability. When my aunt died I paid the IHT due on her estate direct to HMRC. It was only 5 figures not 6 but why take any risk?



Pica-Pica

13,777 posts

84 months

Saturday 21st October 2017
I would triple check account and sort code details. I imagine banks have a daily update of dodgy sort codes and account numbers. Also, if it was transferred from that account to a third account, surely that is traceable?

Dixy

2,921 posts

205 months

Saturday 21st October 2017
The bit I don't understand is why Nat West as the receiving end are not guilty of allowing a fraudulent transaction, they have clearly allowed an account to be opened without due diligence.

Durzel

12,264 posts

168 months

Saturday 21st October 2017
Dixy said:
The bit I don't understand is why Nat West as the receiving end are not guilty of allowing a fraudulent transaction, they have clearly allowed an account to be opened without due diligence.
It's only fraudulent after they've been notified as such. The fraudsters set up a bona fide company, then dissolved it afterwards. Whatever diligence was required to set up the account to begin with was obviously passed, and presumably the director(s) names weren't "Mr Scam Lots".

This sort of fraud occurs because people place too much faith in email correspondence being secure or even authentic. You can pretend to be anyone with any visible email address if you choose, with trivial effort, and people with only a passing understanding of what to look for won't even realise it's fake. That's how these scams are so successful.

From reading the article it sounds as if the solicitor's email systems were compromised, and the fraudsters intercepted the request for bank details. This isn't quite the same as the common "CEO fraud", since the email would've come from a genuine address but with dodgy information in.

sunbeam alpine

6,945 posts

188 months

Saturday 21st October 2017
I'm amazed that they managed to draw such large amounts of cash out without some careful verification.

I come to the UK to buy secondhand agricultural machinery, mostly from auction sales. Until a few years back it was easiest to bring cash, then we could just load machines onto lorries immediately after the sale. Then the auctions stopped taking cash as it was too great a security risk. We then had to go to their bank and deposit it ourselves, and we had to show proof of ID to deposit cash (I used to use my passport).

I guess this system could be beaten by fake ID.

Pica-Pica

13,777 posts

84 months

Saturday 21st October 2017
Dixy said:
The bit I don't understand is why Nat West as the receiving end are not guilty of allowing a fraudulent transaction, they have clearly allowed an account to be opened without due diligence.
Ditto. When we moved we had to have all sorts of verification to deny we were committing money-laundering.

TimmyMallett

2,834 posts

112 months

Saturday 21st October 2017
Pica-Pica said:
I would triple check account and sort code details. I imagine banks have a daily update of dodgy sort codes and account numbers.?
They do. There's a huge volume of updates that banks have a responsibility to prevent fraud and money laundering including politically exposed persons accounts, accounts linked with fraud etc etc but, if an account is not linked with fraud historically, it won't appear on anyone's lists.

For a sum like that, although hindsight is a wonderful thing, I'd be calling the solicitor and asking for it over the phone (assuming they haven't hacked the phone system - which is a lot harder to do, you'd have to intercept calls locally at the premises or at the exchange).

turbobloke

103,940 posts

260 months

Saturday 21st October 2017
Hopefully the time interval between detection/notification/something basic being done hasn't allowed any cctv at the time of the six withdrawals to be recorded over, certainly the last of the six - even if the fraudsters were aware of some cameras they may have missed one and not managed to disguise every aspect of their appearance.

I'm glad I'm not the only one wondering why the IHT bill wasn't paid to HMRC directly.

As we type replies on this thread it must be likely that another solicitor's email account somewhere has been compromised with hackers waiting for the 'right' message to arrive.

Mojooo

12,720 posts

180 months

Saturday 21st October 2017
As the article suggests, surely the easiest remedy to assist is to ensure that when you paid £1000 to account 12345678 and you intend it to go to J SMITH - then there should be a check on the other side that the recipient account matches that name.

When making large payments I tend to send £10 through first and check with the recipient - although this is more out of concern from typing their account number wrong on my online banking.

TimmyMallett

2,834 posts

112 months

Saturday 21st October 2017
Mojooo said:
As the article suggests, surely the easiest remedy to assist is to ensure that when you paid £1000 to account 12345678 and you intend it to go to J SMITH - then there should be a check on the other side that the recipient account matches that name.
Won't happen. You'd think it would be a simple solution but then you get several million idiots who can't get their surname typed correct, mistype Mc for Mac, realise their account has a middle initial after trying fourteen times, piss people off because ' why isn't this simpler?' when it's actually them blessed with fat fingers and having to double a call center volume because every single day there are thousands of people who are unable to get three pieces of information correctly typed and doesn't put spurious characters in instead.....and that doesn't even start on the possibilities of how companies spell their names and you have to get that exactly right, without autocorrect fking it up for you.

Also, how many accounts called Smith do you think there are? It's not massively hard to set up an account in someone else's name with a bit of starting information and some social networking and phishing.

At least an account number and sort code only has 10 characters.




Mojooo

12,720 posts

180 months

Saturday 21st October 2017
TimmyMallett said:
Won't happen. You'd think it would be a simple solution but then you get several million idiots who can't get their surname typed correct, mistype Mc for Mac, realise their account has a middle initial after trying fourteen times, piss people off because ' why isn't this simpler?' when it's actually them blessed with fat fingers and having to double a call center volume because every single day there are thousands of people who are unable to get three pieces of information correctly typed and doesn't put spurious characters in instead.....and that doesn't even start on the possibilities of how companies spell their names and you have to get that exactly right, without autocorrect fking it up for you.

Also, how many accounts called Smith do you think there are? It's not massively hard to set up an account in someone else's name with a bit of starting information and some social networking and phishing.

At least an account number and sort code only has 10 characters.
Making fraudsters set up bank accounts in the right name would slow things down and make it much harder though.

You are right of course that many will fudge it up when inputting data - perhaps there could be a database so that when you put in the AC and SC it shows you the recipient's name.

Chimune

3,179 posts

223 months

Saturday 21st October 2017
Seems like this whole thing revolves around the email with the word doc in it.
If it was sent from the solicitors email system, then it's (mostly) their problem as they have been hacked.
If the email came from another address that 'looked' right, it's the customer's problem as they didn't check.

Either way, the reality is that all the solicitor's emails will have a disclaimer saying check it, and the customers had a duty to check it - especially if they had never had any contact with the solicitors before.

The bank did what their customers asked them to do.

Also am I right in thinking that a chaps payment is quicker than standard back, but has less fraud protection due to the speed?