The story is relatively simple, and one of those cases where the victim of the fraud was the couple that lost the money.
I have spoken out about banks and credit/debit card fraud before, where the bank are the ones being defrauded (someone lies to a bank pretending to be me, the bank believe them and give them money) - in such cases the victim is the bank not the account holder. However, this story is one where the couple in question have been defrauded, not the bank.
They were lied to by a fraudster claiming to be their solicitors, and given the fraudster's bank details to which to make a large payment. The story is not 100% clear on how the email exchange ended up being with the fraudster and not the actual solicitors, and suggestions are that the solicitors were hacked - but that is not even necessary for such a fraud.
Twitter abounds with cries for changes. Basically, the bank did what they were told and sent money to a specific sort code and account number. The CHAPS form the couple filled in will have had the warning that the bank do not check names, and the bank staff should have explained that, so: "presumably, they knew what they signed up for".
Who is to blame?
We all look for someone to blame, but it is perfectly possible that nobody is to blame - that the fraudster defrauded the couple, and they sent money to the wrong place, simple as that. From the story, the bank simply did as instructed (with the explained caveat that they don't check the name). If the solicitors' email systems were hacked and they were negligent then maybe they have some blame, but this scam could quite easily have happened without the solicitors actually being involved or doing anything wrong.
Should banks check the name on payments?
The issue here is people are surprised banks don't check the recipient name, and are saying that they should. You can see why, and on the face of it I would agree, except...
I am not in banking, but we deal with banks and customers and I can be pretty damn sure that this would not work.
Every day people pay us by bank transfer and get the reference wrong. We tell them the sort code, the account number, and the reference, and people manage to get just about two out of three right. If we had to tell them the recipient name as well, then they would get it wrong a lot. If the recipient name had to match then a lot of payments would fail, services would get cut off, late payment charges applied, and arguments about whether people quoted the right name or not would ensue.
We digitally sign the email we send with the bank details on it, by the way.
Even worse, do you know what your bank use as the 18 character version of your name? That is what BACS holds for a name: 18 characters. Your account will have one. But even I do not know mine. I could be:-
- MR AJ KENNARD
- MR A J KENNARD
- MR A KENNARD
- MR ADRIAN J KENNARD*
- MR ADRIAN KENNARD
Or any of these without the MR, or any of those with REV instead. Actually the one with a * is too long, so most systems would send MR ADRIAN J KENNAR instead. So I don't even know what to tell people as the recipient name to pay me, and it is not a lot easier for companies - which may use trading names, or have complicated abbreviations to fit in 18 characters.
Just for high value payments?
Arguably, if this was only high value payments, maybe it could be done with some manual sanity check by the receiving bank. After all, CHAPS payments have a fee, which I guess could be made higher to cover that manual work.
So fraudsters would do more frauds on payments that fit within BACS or fast payment limits, but actually, it is not hard for fraudsters to work around this and still get the large payments.
In the story the fraudster made a company - this makes sense as it is easy to make a company and then, as the company is legitimate, easy to get a bank account. So all they have to do is make a company in a similar name.
That means that either the bank's manual checks pass, as the name is close enough, or simpler still, the fraudsters use the similar name in their instructions, e.g. "Pay STEED PARTNERS LTD, sort code X, etc" when the company they are dealing with is Steed & Steed. What normal person would spot that as an error? Indeed, I bet loads of people would just follow the instructions even with a very different name - how many times have you seen companies with a well known trading name that is actually some limited company you have not heard of?
I checked, and there is no Steed Partners Ltd, but googling for Steed Partners Ltd gets the Steed & Steed web site all over the place.
So basically checking names would have stopped this specific fraud, but will not stop future frauds, which simply need to take a few more steps. It will also have the side effect of breaking many genuine bank transfers and causing a lot of hassle because of that.
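To make the two points above concrete (the 18-character BACS name problem, and the lookalike-name problem), here is an added illustration that is not code from the original post. It assumes the post's own name forms and a plain 18-character upper-case field; the token-overlap "lenient" check is a hypothetical stand-in for the kind of manual "close enough" comparison the post describes, to show why it is not a reliable control.

```python
import re

BACS_NAME_LEN = 18  # length of the payee name field the post refers to

def bacs_name(name):
    """Normalise a name as the post describes: upper-case, collapse spaces, cut to 18 chars."""
    cleaned = re.sub(r"\s+", " ", name.strip().upper())
    return cleaned[:BACS_NAME_LEN]

def name_variants(title, forenames, surname):
    """All plausible 18-char account-name forms for one person (the post's list), with and
    without the title, plus the 'REV' form the post mentions. Assumed, not a real BACS rule."""
    first, rest = forenames[0], forenames[1:]
    rest_initials = [f[0] for f in rest]
    bare = {
        " ".join(["".join([first[0]] + rest_initials), surname]),  # AJ KENNARD
        " ".join([first[0]] + rest_initials + [surname]),          # A J KENNARD
        " ".join([first[0], surname]),                             # A KENNARD
        " ".join([first] + rest_initials + [surname]),             # ADRIAN J KENNARD
        " ".join([first, surname]),                                # ADRIAN KENNARD
    }
    out = set()
    for form in bare:
        out.add(bacs_name(form))
        for t in (title, "REV"):
            out.add(bacs_name(t + " " + form))  # long forms get truncated here
    return out

def exact_match(supplied, account_name):
    """A strict check: the name the payer typed must equal the stored 18-char name."""
    return bacs_name(supplied) == bacs_name(account_name)

STOP_WORDS = {"MR", "MRS", "MS", "REV", "LTD", "LIMITED", "AND", "THE"}

def tokens(name):
    return {t for t in re.split(r"[^A-Z0-9]+", bacs_name(name)) if t and t not in STOP_WORDS}

def lenient_match(supplied, account_name):
    """Hypothetical 'close enough' check: passes if any meaningful word is shared.
    This is what lets a similarly named company slip past a name check."""
    return bool(tokens(supplied) & tokens(account_name))

if __name__ == "__main__":
    print(sorted(name_variants("MR", ["ADRIAN", "J"], "KENNARD")))
    print(exact_match("A KENNARD", "MR AJ KENNARD"))          # genuine payer, strict check fails
    print(lenient_match("STEED PARTNERS LTD", "STEED & STEED"))  # lookalike, lax check passes
```

The strict check rejects a genuine payer who guesses one of the fifteen equally valid forms, while the lax check accepts the lookalike name; neither setting of the dial gives a useful control on its own.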
What about signed email?
Well, sadly, signed emails still are not common or simple. One of the big issues is that any system typically needs blind trust in third parties (like https uses certificate authorities) or a web of trust (complicated for end user to manage), and some degree of user involvement in the process (not being gullible).
Bear in mind what I said about Steed Partners Ltd. Once such a company is made and a bank account opened, a domain name can be obtained, a properly certified https web site set up, and certified signed email set up. The whole lot can be branded to look like the real solicitors, and the whole process can probably be done for under £100 within a couple of days.
So to scam someone, you just have to find someone that is dealing with those solicitors and send them an email (from your similar looking email address) with contact details for payment, and even (your) phone contact details and a link to (your) https web site which shows the same contact details. No need to hack the solicitors' email or phone system even, and calls can be made and received to confirm the payment, etc. It is quite easy to say that the email and phone number are your direct contact details. It is easy to get a number in the same area code even.
I do think proper email signing would help a lot in many cases, but it would drive fraudsters to be slightly more sophisticated. Getting people using signed emails is a long game - and one I hope will happen eventually.
Someone did suggest banks should have details of known payees and check them. Sounds good, but hang on a second - they do that...
Firstly, if I owe HMRC they send a letter (aka demand) and they have the good sense to include bank details on that. As such, I never have any trouble paying HMRC large sums of money :-( I am not sure why the couple were paying a solicitor they had not dealt with before, rather than just HMRC - perhaps there are reasons.
Similarly if I want to pay someone I simply put the name in the on-line banking, and known common payees are listed...
What is interesting here is that even though AAISP are listed if you check, Steed & Steed are not! Maybe they should contact their bank and get themselves listed. It seems to be a BACS level thing, so it should apply to all banks.
Maybe the banks should simply adopt a similar view to couriers - and when paying by CHAPS, for a small extra fee you can insure the payment (with a pay out if it turns out to be some sort of fraud). I expect it might be a large fee, and I bet people would turn it down - but if that happens the banks would have an even clearer case for "not our fault".
How did they know?
One thing I have not touched on - how did the fraudster know to send the fake email? Well, there may be ways: if it is an inheritance, check obituaries, etc. The other thing people forget is that scammers can spam millions of people with one in a million happening to be dealing with that solicitor that day - it works for bank site phishing frauds. But obviously a better way is if you can access the genuine email, either the solicitors' or a load of end user email accounts. Just passively searching emails could find the details you need, but intercepting can ensure a genuine email from the solicitors is removed. For this scam to have worked, there may be more to it than a random email to someone that happens to be expecting an email, and it is guesswork at this stage. It will be interesting if we see how the story pans out.
At the end of the day, be careful, double check, especially when paying such large sums. As long as people are gullible there will be fraud, and all the checks and technology we put in place will not stop that, sadly.
P.S. As per one of the comments, assuming it is correct, it was the email of the couple in question that was "hacked", so there is nobody but the fraudster to blame really. The police really should be investigating - follow the money, trace who made the company, CCTV of cash withdrawals, etc.