A couple of years ago I remember reading a thread from someone looking for advice regarding a scam but can I find it now.

Father in law is having an extension built and he has been communicating with the builder (a decent local guy) via email. Long story cut short results in him transferring 5 grand to the builder as a deposit. The problem is all the emails were genuine apart from the last few in which a hacker has accessed the builders email and emailed his bank account details.

FILs bank seem uninterested and said they can’t help. Police have given a crime number but also uninterested.

Can any STWers find the old thread? Or alternatively, any advice for how to proceed.  He will be on the phone to his insurance company to see if he had any protection there.

Thanks for reading.

I’d be down the station with transcripts of the emails, asking nicely about obtaining money by deception and why they seem uninterested

IANAL

IANAP

Police have given a crime number

That’s about all they can do.

What he should do is get on to his bank and ask them to request a return of the funds.

“Uninterested” isn’t a response I would accept when 5K is at stake. They have the sort code where they sent the funds, so they know what bank it’s gone to and there are procedures for dealing with it.

https://www.moneysavingexpert.com/banking/send-money-wrong-account

Thanks for the replies.

Reading around it seems like it has been happening a fair amount with victims having little success in getting the money back.

https://www.telegraph.co.uk/personal-banking/current-accounts/email-hacking-fraud-hits-home-renovators-paid-10800-fraudsters/

https://www.theguardian.com/money/2016/mar/04/fraud-scam-email-barclays-lloyds

Shit, surely it’s the builders fault for not having secured the email.

I always transfer a pound first as a test. No help I know.

Scam is the wrong word here. It infers that someone has spoofed the email address. If the email was actually from the builders account then it changes things considerably and I would imagine that some, if not all liability is with them.

If it came to it you could well go down the route that their security is insufficient to protect their customers details.

Look at the headers in the emails – not just the sender and recipient, the ones that are usually hidden – how to see them depends which email client or webmail interface is used. It’s easy to forge the ‘from’ address, but the headers will show you the client and server that the emails were sent from, so you can see whether they were sent from the builder’s computer/phone or somewhere else with a forged address. If from the builder’s real account, it could be an inside job; if from elsewhere, it’s a clue to the scammer’s identity (but only a clue).

Edit – also report it to Action Fraud (Google for them)

https://singletrackworld.com/forum/topic/follow-up-to-internet-fraud-any-law-guys-here/

was this part of the thread? the op is a few posts down the page because of forum upgrade but there is also a link to the original thread in his post

Thanks all. Emails all from builder whos account had clearly been compromised.

Really clever, genuine email exchange between the builder (who my FIL knows) and FIL discussing quote and aspects of the build which the scammer must have been following. Once near completion of discussion the scammer takes over confirming that t<span style=”text-decoration: underline;”>h</span>ey can start next week and with details as to how to pay the deposit.

Builder clearly has not kept his email secure but really awkward as he is local and a friend.

Crap situation but it is also difficult to see what further action could be taken. This sort of financial and computer crime is a nightmare to investigate and usually quickly leads to offshore sources where UK police have no jurisdiction and little prospect of cooperation. If it were all linked to a single attacker it might add up but even that might take a fair bit of investigation if different bank accounts were used.

Difficult to see how the builder is liable to (in terms of getting compensation via civil proceedings) but IANAL so might be an option if trying to retrieve £5k was worth more than what was previously a good relationship with the guy

Not saying it’s right but it’s reality. Bit of an eye opener to as I would have probably been caught out by this myself in a similar situation (I’d have just checked the SMTP headers which wouldn’t have helped), I’ll make sure in future I verbally confirm account numbers with tradespeople before transferring money…

Emails all from builder whos account had clearly been compromised.

Then I’d be saying the builder’s the one to take the hit. Awkward conversation.

Advice I saw last time was transfer a few pounds initially, phone the intended recipient and confirm receipt before sending the large sum. We’ve done this a few times on large purchases and it’s given peace of mind.

Emails all from builder whos account had clearly been compromised.

Then I’d be saying the builder’s the one to take the hit. Awkward conversation.

As far as I know, it can be just as likely that the it’s the recipient’s email that’s been hacked, and he’s been sent emails from a different source, made to look like they’ve come from the builder.

Worth talking and explaining and asking before going in with big boots.

The banks are being forced to offer greater protection but I think the new rules don’t apply until [edit]september?  Whilst obviously it may not be the same bank that is involved their ability to detect and stop money laundering is staggeringly bad.  It should not be possible for someone to operate an account that receives large payments and then makes offshore payments without significant safeguards.

The fundamental flaw though is in the payment system.  It requires only the sort code and account number to make a payment.  Whilst many systems ask for the account name there is no check this matches and no safeguard in place – such as showing you the name you are about to send payment to.

it can be just as likely that the it’s the recipient’s email that’s been hacked

I can understand spoofing (which the OP has said hasn’t happened) but hacking a recipients email account on the offchance they’ll get some bank details in and then somehow altering the content of a recieved email seems a lot of effort.

Just had this at work. A new subbie for us did some work and sent his invoice via outlook.com email. 2 days later we get another email from him saying that his bank account has had got issues and could we send the payment to an alternative account.

The pidgeon English made me suspicious so called him up. He had no idea that someone had compromised his emails and were sending the “wrong bank” message to all his clients.

We had a similar issue but with a holiday let.

Advice was to call the receiving accounts bank (UK) and get them to put a hold on the account.

Don’t accept any suggestions that they can’t do it immediately. Family member did and by the next day when ‘the right people were in’ to paraphrase, the funds were out of the UK account and somewhere else.

I’m pretty sure there would have been some recourse on the receiving bank but it wasn’t pursued hard enough. There was a guardian podcast around that time 2015 I think, about people successfully getting compensation, I think through the Financial Ombudsman.

There is little recourse at present and IMO it’s **** disgusting the way the banks wash their hands of this sort of problem.

Of course the builder may also be guilty to some extent of not securing his email. I would be very surprised if these problems are predominantly due to customers rather than tradesmen getting hacked, but I could be wrong about that. But at the end of the day he didn’t commit any crime, he didn’t steal anything and unless he’s been demonstrably incompetent or naive it’s hard to prove that he did anything wrong.

The fundamental flaw though is in the payment system.  It requires only the sort code and account number to make a payment.  Whilst many systems ask for the account name there is no check this matches and no safeguard in place – such as showing you the name you are about to send payment to.

EU REG 2015/847 is making my life a PITA at the moment*, but this requires all inter-EU transfers to identify a) the sender by account number, name & address and b) the beneficiary by account number and name.

Banks must keep records of senders who do not provide this information and may be required to stop payments where it is not provided.

*Edit: I working in banking technology

about people successfully getting compensation, I think through the Financial Ombudsman.

Your bank has a complaints procedure, use it. They didn’t treat you fairly by dismissing your original enquiry, they acted slowly in not recalling the funds before they were moved offshore etc etc.

If you don’t get what you want, go to the ombudsman and state your case. IIRC, roughly 50% of cases are decided in favour of the consumer( there are stats on their website).

Advice I saw last time was transfer a few pounds initially, phone the intended recipient and confirm receipt before sending the large sum. We’ve done this a few times on large purchases and it’s given peace of mind.

Even more than that, I told my parents not to accept any bank details over the email unless they could also confirm them with the recipient in person or by phone.

So when the invoice for their bathroom fitter came in, with details on it, they called him up and he confirmed he had sent it, and then read his details over the phone to them so they could match them against the details on the invoice.

Paranoid – maybe, but you have to be.

Whilst obviously it may not be the same bank that is involved their ability to detect and stop money laundering is staggeringly bad

I don’t really agree with this (and money laundering is the wrong phrase for this situation anyway). There is a lot of logging/reporting going on related to large transactions (not sure if £5k is under the limit though) but you have to take into account the sheer volume of transactions and the affect it would have if payments of this (relatively) small amount required additional checks and the associated delays and overheads.

I don’t work for a bank nor do think I banks are doing everything possible or are necessarily acting in the best interests of their customers all the time but I don’t think it’s as easy as holding them accountable for trying to allow payment processing to be as fast and seamless as possible, we and the wider economy demand it. It’s also unlikely, assuming the account the payment was initially made to was a UK bank, that it was transferred straight out to a dodgy country bank account (although possible for that sort of amount as there are less checks in place) so you can’t just blame the initial bank it was deposited into.

If the banks and/or the police won’t help, there is a way to try and get the money back, but to be blunt it is likely to be uneconomic to do so.

You can seek a freezing order against the bank account into which the funds have been received, and an order to trace where the funds have been disbursed to. If the monies have stayed in England and Wales (unlikely) then you may be able to assert a proprietary claim against the eventual recipient of the funds and get their return.

Unfortunately that is likely to cost you a minimum of £20 – £30k.

I would be on the bank’s case pretty hard!

FuzzyWuzzy, I bet if banks were made responsible for this the problem would be solved in days. Well, maybe weeks.

FuzzyWuzzy,

I’m not sure what the right term is then if its not money laundering?  I’m not talking about the initial fraud but the ability to make the stolen money disappear and the individuals involved be untraceable.

Its not supposed to be possible to open an account without providing proof of identity.  So if my funds get transferred to Mr X I expect them to be able to tell the police exactly who Mr X is.  If Mr X transfers it to Mr Y they should also be able to find out who Mr Y is etc.  Now things get complicated when Mr Y is outside the UK, but spotting accounts which suddenly have income and want to ship it straight back out (especially abroad) shouldn’t be too difficult.

And what do we learn for the future?

Cash.

With which you might even get a discount…

Happy days.

You can report it at Action Fraud:

https://www.actionfraud.police.uk/

Apparently they will take action if money has been lost.

If you flick through my ‘topics started’ the third one down is where I had 10k nicked out of my bank account last year. Not in a similar way to how this has happened, but a read through may be worthwhile as I documented the steps that I took to get the cash back (there were a few sleepless nights let me tell you!) In short, an email or two to CEO’s definitely got things moving!

Nothing helpful to add I’m afraid – hope your FIL gets things sorted OP.

Bloody hell it’s scary stuff – having a while back transferred a large amount of money to a solicitor they could have been hacked. It wasn’t but could perhaps easily have been.

It’s a tricky one, as really all the bank has done is exactly what you asked it to do – transfer X amount to Y account.

(NOT defending the banks decision or downplaying the crime, just exploring thought)

Really, the builder should have enabled two-factor authentication. Especially on a business account.

https://www.google.com/landing/2step/  – (Little use now I know)

You could speak to the builder to see if he can claim on his insurance as good will to you. I’m not even sure if thats possible.

Pretty scary, I paid for a deposit last month and didn’t phone up to confirm the bank details !

FuzzyWuzzy, I bet if banks were made responsible for this the problem would be solved in days. Well, maybe weeks.

I think you’d find initially you’d have a much harder job legitimately transferring money around, plus you’d probably be required to take out some form of protection insurance or put up with high transaction charges as the banks self-insured against the additional losses (we all know bonuses would be the last thing to be squeezed).

All the bank has done here is facilitate payment between two individuals, just that one of them was an imposter – the mistake was on the sender’s end (not saying they were stupid, as I’ve said I’d have probably fallen for it myself) + the builder’s end for having had his email hacked – I don’t see why the bank should be made liable. Sure, if the bank account was an offshore account (especially if from a country known to be a popular base for criminals carrying out this sort of fraud) there could be better controls in place (e.g. maybe for personal accounts you need to opt in to allow foreign bank transfers) but as some point individuals have to take some of the responsibility (people still fall for Nigerian prince type scams after all), I suspect some of these controls are actually already in place, just that criminals know how to circumvent them.

As for banks doing a better job at countering money-laundering, that’s a whole different level of complexity and there are a lot of measures already in place. However when it comes to tracing money moved by sophisticated criminal networks it’s far far more complex than just monitoring account transfers and bingo you catch the guy that makes the cash withdrawal at the end of it. Investigating it is also very time consuming and hence costly, it’s not feasible to do it for such small amounts (in the grand scheme of things, I know I couldn’t afford to lose £5k…) but that’s where I guess initiatives like ActionFraud come into as as it’s unlikely this was a one-time fraud.

When I transferred money to the plumber (my uncle) it was quite an eye opening process.

i started the transfer as normal then was contacted by the bank to say it was being held (not processed).

i had to call them to get them to push it through. During the call they said that due to fraud I had to click an extra box in the online process that basically said if I put the wrong details down that they were not responsible. My understanding was that if I enter the wrong details and send it is my responsibility and they cannot recover funds.

Just for reference it was about 4k.

the bank recommendation was a cheque handed to the person. My chequebook still has 19 pre printed on the date section….

Thanks all. I’ll update if there are any developments. I’ll certainly be more careful after this.

FuzzyWuzzy, the receiving bank (assuming in the UK, which it is in a large proportion of cases) should have full details of the account holder and cooperate fully with the police and victim in addressing what is clearly a significant fraud. Yes, the sending bank has only acted under instructions, but the receiver has aided and abetted a fraud.

When opening an account you have to provide ID which is supposedly to prevent (hinder) money laundering.

Yes, the sending bank has only acted under instructions, but the receiver has aided and abetted a fraud.

Lol no – they may have inadvertently helped facilitate a fraud but they haven’t aided and abetted in the legal sense.

As for providing information, indeed they are obliged to do so – as a result of a police investigation (so one needs to be started first). Also, as I’ve said, unless this is just a chancer who happened to get access to the builder’s email then it’s probably a bit more sophisticated than one hop and a UK resident has withdrawn the money.

I hope ActionFraud do investigate, cases such as this shouldn’t just be brushed off as too trivial, my original point was your local police force are unlikely to help as they don’t have the resources for financial crime investigations (especially given the low success rate in bringing the guilty to justice)