
How I lost £66,000 to scammers

Cally was the victim of a devastating bank transfer scam. Here she explains what happened, and how you can avoid falling into the same trap.

This is a guest post by Cally Ellison. All views expressed are Cally’s own and not necessarily shared by Which?.

My business partner and I built up a photographic agency in the east end of London over the past twenty years. As we were planning to wind up the agency, we decided to do one last project: building an extension on the roof of our office before selling the property.

In the midst of the building work, I received a genuine email from our builders attaching an invoice for the next payment of £125,000. I made a first payment of £50,000 into their usual account.


But then I received a subsequent email requesting I pay the remaining funds into a subsidiary bank account with what seemed to be a plausible explanation. The email looked genuine – it had the same logo and the same people copied in – so I duly transferred £75,000 into the subsidiary account.

We first became aware that something was wrong when we were contacted by our builders four days later to say the funds had not landed in their account. It was then we realised we’d become the victims of a sophisticated fraud.


 

Email infiltration

The police explained what had probably happened. The fraudsters had infiltrated our builders’ email accounts and then monitored their emails to clients. They also set up a fake new account and copied all the details from the genuine one – including the email address, names, logos etc.

They then used this to email the companies’ clients to request money. So it looked as though the email I was receiving was from the builders. Nothing appeared untoward. I only realised afterwards that it was a fake.

“The police said fraudsters like this tend to target smaller and medium sized builders and solicitors, who deal in large sums of money daily, but don’t have the security in place on their emails to prevent them from getting in”

The police also said that it was more than likely that the fraudster’s bank account was opened online and didn’t involve anyone actually going into a bank. They found the bank’s due diligence to be sub-standard.

Help for scam victims?

It took Action Fraud approximately three months before it told me it was closing my case – had it been faster we may well have caught the criminal on CCTV, as the fraudster spent £3,000+ in the Apple store in Aberdeen. Unfortunately Apple only keeps its CCTV footage for 30 days.

“The banks should absolutely be doing more to check and monitor large transactions like this from their customers to unknown payees”

It was only because I was so persistent and tenacious that the police got involved at all. I tried going down to my own police station 3 times, but they kept referring me back to Action Fraud, which I didn’t find helpful.

Should fraud be a police priority?

Had the account name been confirmed when I was trying to send the money, none of this would have happened. We’re so exposed to scams like this online and banks need to do a lot more. Fraudsters are so clever. And I get terrified now when I have to pay anybody online.


With £434 per minute lost to authorised push payment scams, we don’t think banks can delay tackling fraud any longer. Do you back our calls?

Comments
Kevin says:
28 May 2019

A cursory inspection of the inappropriately named “Action” Fraud website reveals the following statement:
“Action Fraud does not investigate the cases and cannot advise you on the progress of a case.”

https://www.actionfraud.police.uk/what-is-action-fraud

I would raise a complaint about the local police as it seems to me they have sidestepped their responsibility here by trying to pass the buck to this ineffective and timewasting organisation.

Having said that, people should learn the basics of any technology they use, particularly in business. Email is not, never has been, and never will be secure.
Advice 30 years ago was to treat email as you would a postcard, it’s open to view and tampering by anyone on its delivery route, with the Internet this is effectively anyone on the planet with an Internet connection.

There has been extensive publicity of this sort of scam, centering around a change of account details. Were Cally and her partner totally unaware of this? Simply checking with the builder rather than just relying on an email would have exposed the deception before it had progressed. Similarly, transferring a test amount – £1 – to any new account and checking it had been successfully received would have verified that no mistake had been made in typing in the account details.

Easy to be wise after the event but I would suggest it very sensible to look very hard at any transfer and double check the authenticity before moving such large sums of money.

To be fair, Malcolm, we don’t know when this happened. It may well have taken place some years ago and before the scam was well known.

But I find I’m increasingly thinking along the same lines as Alfa when she queried the surprisingly high number of builders to whom this seems to happen. And the dereliction of duty on the part of the Police.

No, that thought had occurred to me Ian. However, I then wondered why Which? continue to publicise it in this way when action is in hand?

I’d like Which? to get input from Action Fraud and the police to explain if they have difficulty in dealing with these crimes and why they are not more helpful.

The Metropolitan Police says it is “doing all it can” to bring thieves to justice after figures suggested less than five per cent of burglaries and robberies across the country are being solved. That’s not reassuring either.

Looks like it, thanks alfa. Why publicise a three year old scam now, in a “new” convo, and without dating it?

There have been quite a few commenters who don’t agree with the stance Which? is taking, so they are probably trying to prove all victims should be reimbursed.

In this case, I think it should have been down to the builders to retrieve the money that was paid to them in good faith.

What is strange in the report, is the builder saying he hadn’t received the payment. If the email requesting payment came from a hacker, how did the builder know about it?

I wonder if the Police have ever investigated the ‘hacked’ builders?

Janie M says:
31 May 2019

I would hope that in a case like this, the police should thoroughly investigate every single aspect of it, and from every angle. This would be the *proper* approach.

I did exactly this when I had some building work undertaken. I transferred £1 to confirm I had the correct bank details. I had a good laugh with the builders about this but a few weeks later another customer fell foul of this type of scam. I do not accept that the banks are at fault. It’s about time people took more responsibility for their own actions.

Cally, sorry to hear that you were scammed but thanks indeed for sharing this.

Given that a distinct set of these push payment scams seem to be initiated by hacking a tradesman’s email account, it seems to me that the prevention of such hacks would be useful here.

That said, I cannot see how either the banks or the government can help there.

It seems I’m expected to subsidise people who allow themselves to be scammed. I do sympathise with victims, but I’m super-careful even when transferring tens of pounds, never mind thousands. I always transfer £1 first and check it went to the right place, even if I’ve sent money to the organisation before. There’s been so much publicity now about scams that compensation should be provided only when the bank is at fault. I’ll avoid banks that offer compensation guarantees and certainly won’t support Which? campaigns.

I have similar reservations Dave. Not only subsidising, but it may make some less careful, less responsible, not check what they are doing as thoroughly as there is significantly less risk they will ever lose money.

I hope that when the banks have to pay up this will persuade them to be more vigilant themselves about who sets up accounts and how they are used, and to pursue the fraudsters and their banks to recover the money they have to refund.

Given that the builders negligently allowed their e-mail account to be hacked, and the fraudsters used this compromised account to instruct a change of destination bank account, shouldn’t the liability or loss fall upon the builders? I see it as similar to a rogue employee using the builders’ systems to redirect incoming funds. Did Cally receive expert legal advice about the civil liability (separate from criminal liability which is a police matter)?

How do you allow your email account to be hacked? Inadequate security software?

There are quite a few of these stories on the internet.

I quite agree with you NFH, if builders’ accounts have been hacked then it has to be due to their negligence. But in nearly all cases, builders still demand full payment for the work they have carried out. Customers are getting the blame for not checking who they were paying and end up paying twice.

I would also like to know how they supposedly get hacked.

I too am wondering how easy it might be to hack some builders’ email accounts.

One possible line of attack (or “attack vector” as some of the techno babble might say) would be to set up some website for the interests of builders. For example, one could set up some sort of forum for sharing experience and advice. Perhaps it would be called “Builders’ Conversation” or something like that. To access the site, users would be asked to login with an email address and password. Then, if any users also used their email password for the site, the site owners would now have both their email and their email password.

Another way of getting such personal data might be via the dark web, where stolen data, e.g. from hacked retailers, may be traded between hackers and other criminals.

A third possibility might be “insider threats”. In general, I doubt that small or medium building firms will have any inherent immunity from such threats.

There are plenty of ways to hack someone’s e-mail account or any other type of account with password-only authentication. One of the most common is to trick the victim into installing malicious software, comprising a keystroke logger, on to their PC, for example by sending them a link by e-mail. Once the software is installed, this gives the hacker a log of every keystroke, including passwords.

I’m guessing that builders are particularly targeted as victims, given that they receive a lot of large incoming bank transfers and are often not good with technology.

Janie M says:
31 May 2019

I would think that just implementing a little *common sense* could avoid most of these scam situations. For example, I would *never* do anything someone tells me to do within an Email or phone-call, etc. I have had so far hundreds of phonecalls from God only knows who, posing off as a company or whatever, saying this/that and instructing me to do this/that, but I just give them the usual UFO and hang up. Just because someone contacts you and tells you to do something it does not mean you should do it (just basic common sense.) Though it seems there are so many people who spent X-amount of time in college/uni getting so much education – but when it comes down to a little savvy or basic life-skills – it’s just not there (very sad.) But hopefully, maybe they might learn through being stung a few times.

Kenneth Bolland says:
1 June 2019

My business was victim to a similar scam. Mine was a VAT return for £24k. They had accessed my BT cloud account days before my return was due and stayed logged in ready to intercept my accountant’s email showing what I had to submit. They knew when it was due, they accessed the account first time so knew password. They had bought a domain exactly like my accountant’s, except it finished .outlook which didn’t show on screen due to length of it. On this was message not to forget HMRC new bank details for 2018. I set up bacs for this account and duly made payment 2hr later. I had never been on BT cloud, didn’t know it existed as we use office for emails.
The account was a NatWest, branch in Nottingham. To skip to the reporting I had same advice from Police to contact Action Fraud. Who are what their name states, a fraud. A call centre who pass all logged incidents to the City of London Police. It took me over 6 months of stalking my MP and Mayor Andy Burnham on Twitter that the Police started an enquiry. I passed all my information I had gathered to Nottinghamshire Police, which even told them which street the IP address scammer used (less than a mile from bank branch where money went). They took statements etc, but have been waiting 5 months for NatWest to pass the requested information they requested. The reason they won’t pass it on is that they have not followed the money laundering regulations set by the Government. Also if they are found to have breached them, I can take to court for my money to be reimbursed. It’s now over 16 months from this awful scenario happened, and still no sign of when / if it will be resolved.

It’s sad to hear about the loss but surely everyone is aware of this sort of scam by now? I’m very much against the Which? campaign to force banks to refund scam victims. In the end, the banks won’t pay – all the costs will be borne by customers who avoid being scammed.

R Gradeless says:
1 June 2019

Dave, I agree fully with what you say. Of course banks should make every attempt to improve their security and to trace funds taken fraudulently. They cannot ultimately take full responsibility for people’s misfortunes. If someone is scammed out of cash (notes) should the Bank of England, who issue the notes, be responsible for re-funding the loss? Banks might introduce a policy which removes or limits online banking services for those they consider vulnerable to scams or those who have been a victim of banking fraud.

Scottie says:
25 June 2019

“Which” keep banging on that the banks should do more. This flies in the face of technology trying to make things easier and quicker as the banks are now double checking that payments are real and thereby slowing up transactions.

Maybe we ought to go back to cheques being sent to builders, solicitors (house payments), etc.

If “Which” paid for a public information film to be made then broadcast on ITV (FOC), BBC (FOC) then people might not fall for these scams.
Just a thought!