/ Money

How I lost £66,000 to scammers

Cally was the victim of a devastating bank transfer scam. Here she explains what happened, and how you can avoid falling into the same trap.

This is a guest post by Cally Ellison. All views expressed are Cally’s own and not necessarily shared by Which?.

My business partner and I built up a photographic agency in the east end of London over the past twenty years. As we were planning to wind up the agency, we decided to do one last project: building an extension on the roof of our office before selling the property.

In the midst of the building work, I received a genuine email from our builders attaching an invoice for the next payment of £125,000 I made a first payment of £50,000 into their usual account.

Which? News: Has your bank signed up to protect you?

But then I received a subsequent email requesting I pay the remaining funds into a subsidiary bank account with what seemed to be a plausible explanation. The email looked genuine – it had the same logo and the same people coped in – so I duly transferred £75,000 into the subsidiary account.

We first became aware that something was wrong when we were contacted by our builders four days later to say the funds had not landed in their account. It was then we realised we’d become the victims of a sophisticated fraud.


 

Email infiltration

The police explained what had probably happened. The fraudsters had infiltrated our builders’ email accounts and then monitored their emails to clients. They also set up a fake new account and copied all the details from the genuine one – including the email address, names, logos etc.

They then used this to email the companies’ clients to request money. So it looked as though the email I was receiving was from the builders. Nothing appeared untoward. I only realised this afterwards that it was a fake.

“The police said fraudsters like this tend to target smaller and medium sized builders and solicitors, who deal in large sums of money daily, but don’t have the security in place on their emails to prevent them from getting in”

The police also said that it was more than likely that the fraudster’s bank account was opened online and didn’t involve anyone actually going into a bank. They found the bank’s due diligence to be sub-standard.

Help for scam victims?

It took Action Fraud approximately three months before it told me it was closing my case – had it been faster we may well have caught the criminal on CCTV, as the fraudster spent £3,000+ in the Apple store in Aberdeen. Unfortunately Apple only keeps its CCTV footage for 30 days.

“The banks should absolutely be doing more to check and monitor large transactions like this from their customers to unknown payees”

It was only because I was so persistent and tenacious that the police got involved at all. I tried going down to my own police station 3 times, but they kept referring me back to Action Fraud, which I didn’t find helpful.

Should fraud be a police priority?

Had the account name been confirmed when I was trying to send the money, none of this would have happened. We’re so exposed to scams like this online and banks need to do a lot more. Fraudsters are so clever. And I get terrified now when I have to pay anybody online.

This was a guest post by Cally Ellison. All views expressed were Cally’s own and not necessarily shared by Which?.

With £434 per minute lost to authorised push payment scams, we don’t think banks can delay tackling fraud any longer. Do you back our calls?

Comments
Kevin says:
28 May 2019

A cursory inspection of the inappropriately name “Action” Fraud website reveals the following statement:
“Action Fraud does not investigate the cases and cannot advise you on the progress of a case.”

https://www.actionfraud.police.uk/what-is-action-fraud

I would raise a complaint about the local police as it seems to me they have sidestepped their responsibility here by trying to pass the buck to this ineffective and timewasting organisation.

Having said that, people should learn the basics of any technology they use, particularly in business. Email is not, never has been, and never will be secure.
Advice 30 years ago was to treat email as you would a postcard, it’s open to view and tampering by anyone on it’s delivery route, with the Internet this is effectively anyone on the planet with an Internet connection.

There has been extensive publicity of this sort of scam, centering around a change of account details. Were Cally and her partner totally unaware of this? Simply checking with the builder rather than just relying on an email would have exposed the deception before it had progressed. Similarly, transferring a test amount – £1 – to any new account and checking it had been successfully received would have verified that no mistake had been made in typing in the account details.

Easy to be wise after the event but I would suggest it very sensible to look very hard at any transfer and double check the authenticitiy before moving such large sums of money.

To be fair, Malcolm, we don’t know when this happened. It may well have taken place some years ago and before the scam was well known.

But I find I’m increasingly thinking along the same lines as Alfa when she queried the surprisingly high number of builders to whom this seems to happen. And the dereliction of duty on the part of the Police.

No, that thought had occurred to me Ian. However, I then wondered why Which? continue to publicise it in this way when action is in hand?

I’d like Which? to get input from Action Fraud and the police to explain if they have difficulty in dealing with these crimes and why they are not more helpful.

The Metropolitan Police says it is “doing all it can” to bring thieves to justice after figures suggested less than five per cent of burglaries and robberies across the country are being solved.“. That’s not reassuring either.

Looks like it, thanks alfa. Why publicise a three year old scam now, in a “new” convo, and without dating it?

There have been quite a few commenters who don’t agree with the stance Which? is taking, so they are probably trying to prove all victims should be reimbursed.

In this case, I think it should have been down to the builders to retrieve the money that was paid to them in good faith.

What is strange in the report, is the builder saying he hadn’t received the payment. If the email requesting payment came from a hacker, how did the builder know about it?

I wonder if the Police have ever investigated the ‘hacked’ builders?

Janie M says:
31 May 2019

I would hope that in a case like this, the police should thoroughly investigate every single aspect of it, and from every angle. This would be the *propper* approach.

I did exactly this when I had some building work undertaken. I transferred £1 to confirm I had the correct bank details. I had a good laugh with the builders about this but a few weeks later another customer fell fowl of this type of scam. I do not accept that the banks are at fault. It’s about time people took more responsibility for their own actions.

Cally, sorry to hear that you were scanned but thanks indeed for sharing this.

Given that a distinct set of these push payment scams seem to be initiated by hacking a trademan’s email account, it seems to me that the prevention of such hacks would be useful here.

That said, I cannot see how either the banks or the government can help there.

It seems I’m expected to subsidise people who allow themselves to be scammed. I do sympathise with victims, but I’m super-careful even when transferring tens of pounds, never mind thousands. I always transfer £1 first and check it went to the right place, even if I’ve sent money to the organisation before. There’s been so much publicity now about scams that compensation should be provided only when the bank is at fault. I’ll avoid banks that offer compensation guarantees and certainly won’t support Which? campaigns.

I have similar reservations Dave. Not only subsidising, but it may make some less careful, less responsible, not check what they are doing as thoroughly as there is significantly less risk they will ever lose money.

I hope that when the banks have to pay up this will persuade them to be more vigilant themselves about who sets up accounts and how they are used, and to pursue the fraudsters and their banks to recover the money they have to refund.

Given that the builders’ negligently allowed their e-mail account to be hacked, and the fraudsters used this compromised account to instruct a change of destination bank account, shouldn’t the liability or loss fall upon the builders? I see it as similar to a rogue employee using the builders’ systems to redirect incoming funds. Did Cally receive expert legal advice about the civil liability (separate from criminal liability which is a police matter)?

How do you allow your email account to be hacked? Inadequate security software?

There are quite a few of these stories on the internet.

I quite agree with you NFH, if builders accounts have been hacked then it is has to be due to their negligence. But in nearly all cases, builders still demand full payment for the work they have carried out. Customers are getting the blame for not checking who they were paying and end up paying twice.

I would also like to know how they supposedly get hacked.

I too am wondering how easy it might be to hack some builders’ email accounts.

One possible line of attack (or “attack vector” as some of the techno babble might say) would be to set up some website for the interests of builders. For example, one could set up some sort of forum for sharing experience and advice. Perhaps it would be caller “Builders’ Conversation” or something like that. To access the site, users would be asked to login with an email address and password. Then, if any users also used their email password for the site, the site owners would now have both their email and their email password.

Another way of getting such personal data might be via the dark web, where stolen data, e.g. from hacked retailers, may be traded between hackers and other criminals.

A third possibly might be “insider threats”. In general, I doubt that small or medium building firms will have any inherent immunity from such threats.

There are plenty of ways to hack someone’s e-mail account or any other type of account with password-only authentication. One of the most common is to trick the victim into installing malicious software, comprising a keystroke logger, on to their PC, for example by sending them a link by e-mail. Once the software is installed, this gives the hacker a log of every keystroke, including passwords.

I’m guessing that builders are particularly targetted as victims, given that they receive a lot of large incoming bank transfers and are often not good with technology.

Janie M says:
31 May 2019

I would think that just implimenting a little *common sense* could avoid most of these scam situations. For example, I would *never* do anything someone tells me to do within an Email or phone-call, etc. I have had so far hundreds of phonecalls from God only knows who, posing off as a company or whatever, saying this/that and instructing me to do this/that, but I just give them the usual UFO and hang up. Just because someone contacts you and tells you to do something it does not mean you should do it (just basic common sense.) Though it seems there are so many people who spent X-amount of time in college/uni getting so much education – but when it comes down to a little savvy or basic life-skills – it’s just not there (very sad.) But hopefully, maybe they might learn through being stung a few times.

Kenneth Bolland says:
1 June 2019

I
My business was victim to a similar scam. Mine was a VAT return for £24k. They had accessed my BT cloud accountdays before my return was due and stayed logged in ready to intercept my accountant’s email showing what I had to submit. They new when it was due,they accessed the account first time so knew password. They had bought a domain exactly like my accountant’s, except it finished .outlook which didnt show on screen due to length of it. On this was message not to forget HMRC new bank details for 2018. I set up bacs for this account and duly made payment 2hr later. I had never been on BT cloud, didnt know it existed as we use office for emails.
The account was a NatWest, branch in Nottingham. To skip to the reporting I had same advice tofrom Police to contact Action Fraud. Who are what there name states, a fraud. A call centre who pass all logged incidents to the City of London Police. It took me over 6 months of stalking my MP and Mayor Andy Burham on Twitter that the Police started an enquiry. I passed all my information I had gathered to Nottinghamshire Police, which even told them which street the IP address scammer used ( less than a mile from bank branch where money went) They took statements etc, but have been waiting 5 months for NatWest to pass the requested information they requested. The reason they won’t pass it on is that they have not followed the money laundering regulations set by the Government. Also if they are found to have breached them, I can take to court for my money to be reimbursed. It’s now over 16 month from this awful scenario happened, and still no sign of when / if it will be resolved.

It’s sad to hear about the loss but surely everyone is aware of this sort of scam by now? I’m very much against the Which? campaign to force banks to refund scam victims. In the end, the banks won’t pay – all the costs will be borne by customers who avoid being scammed.

R Gradeless says:
1 June 2019

Dave, I agree fully with what you say.. Of course banks should make every attempt to improve their security and to trace funds taken fraudulently. They cannot ultimately take full responsibility for people’s misfortunes. If someone is scammed out of cash (notes) should the Bank of England, who issue the notes, be responsible for re-funding the loss? Banks might introduce a policy which removes or limits online banking services for those they consider vulnerable to scams or those who have been a victim of banking fraud.

Scottie says:
25 June 2019

“Which” keep banging on that the banks should do more. This flys in the face of technology trying to make things easier and quicker as the banks are now double checking that payments are real and thereby slowing up transactions.

Maybe we ought to go back to cheques being sent to builders, solicitors (house payments), etc.

If “Which” payed for a public information film to be made then broadcast on ITV (FOC), BBC (FOC) then people might not fall for these scams.
Just a thought!

Mr Keith Saunders says:
21 October 2019

Iwas mis sold 123account by financial advisor employee of Santander Bank. First time in 42years of banking allowed financial advisor to advise where best to invest part of my inheritance funds from my dearly loved mothers estate and financial advisor fully aware of my health issues after surgeons ruptured my appendix spreading gangrene through out my stomach ten operations weeks in hospital appointments and procedures still ongoing after ten years so at time Financial advisor aware I was living of my life savings at time which were in savings account with Santander Bank and access going into branch with passport to access account which contained £25,000/£55,000 over passed severn years.
So when financial advisor recommended a 123account with visa debit card access to savings 24/7 from any atm it was her assurance investment funds completely safe and explained about santanders multi million pound monitoring system which scans my account 24/7 and highlights any slightly unusual transaction and alerts security personnel who contact myself to check I was one making transaction on my account and gave me printed brochure regarding visa debit card transactions which are covered by same monitoring system even if abroad security personnel will contact customer to check on a slightly unusual visa debit card transactions so being sold as a security benefit.
So when account was completely emptied out to an online bingo site based in Malta and account opened with just card details and card remained in my wallet whole time and I was using as normal till Account completely empty of over £21,950.
Which I was sat in branch manager office on the 22nd March and he explained that I had been a victim of identity fraud. Now I don’t online bank shop or open accounts and never been on a bingo site in my life and never would . But branch manager couldn’t answer why security personnel hadn’t contacted me once to check I was one making slightly unusual transaction on my account and he opened my account on his pc which clearly shows abuse and transactions to online bingo site and it also shows security personnel were fully aware of transactions occurring and chose to approve each transaction until account completely emptied instead of contacting myself to check I was one making transaction . Last transaction was at 6.04 am morning of 22nd March only eight hours earlier and branch manager gave me printed copies of internal statements showing abuse and transactions to nearest second £500 every ten mins with words approved besides each transaction by security personnel then refused any further transaction at 6.04 am as no funds available £21,950 in just 3hrs18mins and £6000 taking just 12mins which were clearly visible on monitoring system and security personnel were approving each transaction instead of contacting me . And I had also just been told by my partner onroute to branch she had taken my card details when I was asleep and opened an account with an offshore account in Malta a a bingo site which I told branch manager what I had just found out myself and I was very clear I had know idea what my partner had done but I was in shock not only account completely empty but my partner had committed fraudulent transactions to online bingo site wasting my inheritance funds so I hadn’t had any time to speak with my partner not that I could see any possible reason for her actions so now my twelve year relationship at risk as well which I explained to branch manager but very clear she had committed fraudulent transactions on my account. And so he sent emails to security personnel cancelling visa debit card and reporting fraudulent transactions on account and identity fraud so account should have been completely safe from any further abuse or payments being made . As fca rulings stated once fraudulent transactions had been reported by branch manager to security personnel any further payments made must be immediately refunded which never happened as on the 24/25th over ten thousand payed out to online bingo site. Now I followed the correct procedures when santanders head of investigations totally ignores facts statements dates meeting with financial advisor who stated it was her assurance that account was opened.
But he avoided any reference to financial advisor was reason account opened and her assurance about multi million pound monitoring system and printed brochure about visa debit card transactions same assurance funds safe.
And he also ignores that security personnel were fully aware of each transaction and they chose to approve each transaction instead of contacting customer once to check he was one making transaction.
He said santanders multi million pound monitoring system doesn’t garrentee to pick up on all slightly unusual transactions or when it might alert security personnel to check with customer and monitoring system couldn’t block further payments being made after fraudulent transactions reported by branch manager unless customer could tell security personnel who was bingo site to be blocked and for how much and date payment due.
And he cannot explain how monitoring system works and what it looks for as it could cause a breach in security procedures.
As internal statements clearly showing all transactions occurring and security personnel approving each transaction.head of investigations was fabricating his own findings on case and he’s very sorry but he cannot find santander at fault for losses .
But he again avoids branch manager reporting fraudulent transactions on account and complaints asking how security personnel hadn’t contacted customer once totally ignored emails sent by branch manager who has never denied sending emails reporting fraudulent transactions to security and complaints.
So I waited for answers from head of complaints who took eight weeks to get back to branch manager with a verbal answer it’s nothing to do with Santander Bank it’s a civil matter then head of investigations totally ignores all evidence statements internal statements dates meeting. Can only be purposely ignored to knowingly change outcome of case. So FOS contacted and first contact with an adjudicator who first email stating what to expect from the FOS system government approved and totally independent. And she explained that she would gather all available evidence statements internal statements dates meeting on my case from both parties and she would speak to both sides and then put a report together based on evidence facts statements dates as to her findings on my case which I was quite expecting from the FOS system and also she would make sure that santander were following rulings of the fca governing body of banks and rulings banks must follow but three months later I received a report without a single reference to the evidence facts statements dates meeting on my case she also totally ignores any reference to financial advisor assurance and printed brochure I sent her then she stated mr Saunders went into branch in March when he found out his expartner had used his account to online bingo site based in Malta but refused to report her to police so santander couldn’t do a full investigation into losses and inessence by not reporting to police he was approving each transaction that took place .
Which is clearly incorrect as police and action fraud stated I did more than enough by reporting who had committed fraudulent transactions on my account to branch manager and he reported fraudulent transactions on account to security personnel and complaints and cancelling visa debit card.
Police stated as I had reported who had committed fraudulent transactions to branch manager it wouldn’t have made any difference to santander completing a full investigation on case . And as internal statements clearly showing abuse and security personnel actions of approving each transaction Santanders security personnel had committed professional negligence in not checking with customer as to why £21,950 in 3hrs18mins wasn’t considered as slightly unusual transaction on customers account. But adjudicator was clearly avoiding factual evidence statements internal statements dates meeting and making up her own findings and even fabrication of findings as in should see abuse to online bingo site started in first month and so would have expected customer to have picked up on transactions. Which I contacted adjudicator and asked her for her hard evidence. And I also sent her copies of the first statement I received clearly showing her finding as totally fabrication as I never received her evidence but she never retracted her statement. But she also ignores the internal statements given to me by branch manager when he reported fraudulent transactions on my account on the 22nd March at 3.08pm only eight hours after last transaction too place and he reported identity fraud and account opened with just card details. Adjudicator in her reports stated mr Saunders went into branch in March when she had evidence that abuse and transactions showing 75 transactions apart from three small transactions on the 7/8/9th March and £21,650 in account on the 18th March then completely emptied in under 3hrs18mins and security personnel approving each transaction she totally avoids this evidence. And her avoidance of evidence can only be described as knowingly withholding evidence to change outcome of case. So I asked for independent review by ombudsman. But it’s down to adjudicator to forward evidence facts statements dates meeting times available on case which she feels he will need to produce a independent report based on evidence facts statements he reviewed. But when I received his report it didn’t contain any factual evidence statements internal statements dates meeting on how he arrived at his findings which his report stated he doesn’t have to write any evidence statements facts in his report mr Saunders must except he has reviewed evidence and his report is totally independent. Even if adjudicator stated it’s very unlikely that ombudsmans report will go against adjudicator final report. But after waiting two years to receive five reports which clearly avoided evidence that prove santanders security personnel were at fault in not contacting customer.so I took all reports to cab legal personnel who took just an hour to state clearly reports incorrect but all three parties need investigating as they clearly ignore factual evidence statements internal statements dates meeting knowingly withholding evidence that will change outcome of case which would be considered as fraudulent act in a courtroom investigation to withholding evidence knowing it will hold customer at fault for losses but also all reports ignore the rulings of the fca governing body of banks.
And I was told by cab legal personnel to go back to FOS as adjudicator and ombudsmans reports need investigating as avoided evidence can only be described as purposely avoided. So I did and my complaints were given to adjudicator to answer her actions and ombudsmans disgraceful actions and avoidance of fca rulings and she just stated ombudsmans independent report is final and cannot be questioned and any further evidence I sent would be ignored. Even when I sent emails stating reports of the adjudicator Clearly incorrect and knowingly withholding evidence facts on case to change outcome of case which would be considered as a fraudulent act and ombudsmans independent review and report can be proven he had not reviewed evidence statements internal statements dates meeting on case I was told my case is out of time to be reviewed even if actions of FOS employees were fraudulent and ombudsmans independent review can be proven to be incorrect and a disgrace to the government approval system he represents and should be investigated.