Sunday, 22 October 2017

Fraudsters get £120,000 in email scam - who is to blame?

An interesting story in the Guardian yesterday, ‘We lost £120,000 in an email scam but the banks won’t help get it back’.

The story is relatively simple, and one of those cases where the victim of the fraud was the couple that lost the money.

I have spoken out about banks and credit/debit card fraud before, where the bank are the ones being defrauded (someone lies to a bank pretending to be me, the bank believe them and give them money) - in such cases the victim is the bank not the account holder. However, this story is one where the couple in question have been defrauded, not the bank.

They were lied to by a fraudster claiming to be the solicitors, and given the fraudster's bank details to which to make a large payment. The story is not 100% clear on how the email exchange ended up being with the fraudster rather than the actual solicitors; the suggestion is that the solicitors were hacked, but that is not even necessary for such a fraud.

Twitter abounds with cries for changes. Basically, the bank did what they were told and sent money to a specific sort code and account number. The CHAPS form the couple filled in will have carried the warning that the bank does not check names, and the bank staff should have explained that, so: "presumably, they knew what they signed up for".

Who is to blame?

We all look for someone to blame, but it is perfectly possible that nobody is to blame - that the fraudster defrauded the couple, and they sent money to the wrong place, simple as that. From the story, the bank simply did as instructed (with the explained caveat that they don't check the name). If the solicitors' email systems were hacked and they were negligent, then maybe they have some blame, but this scam could quite easily have happened without the solicitors actually being involved or doing anything wrong.

Should banks check the name on payments?

The issue here is people are surprised banks don't check the recipient name, and are saying that they should. You can see why, and on the face of it I would agree, except...

I am not in banking, but we deal with banks and customers and I can be pretty damn sure that this would not work.

Every day people pay us by bank transfer and get the reference wrong. We tell them the sort code, the account number, and the reference, and people manage to get just about two out of three right. If we had to tell them the recipient name as well, then they would get it wrong a lot. If the recipient name had to match, then a lot of payments would fail, services would get cut off, late payment charges would be applied, and arguments about whether people quoted the right name or not would ensue.

We digitally sign the email we send with the bank details on it, by the way.

Even worse, do you know what your bank uses as the 18 character version of your name? That is all BACS carries for a name: 18 characters. Your account will have one. But even I do not know. I could be:-
  • MR AJ KENNARD
  • MR A J JENNARD
  • MR A KENNARD
  • MR ADRIAN J KENNARD*
  • MR ADRIAN KENNARD
Or any of these without the MR, or any of them with REV instead. Actually the one with a * is too long, so most systems would send MR ADRIAN J KENNAR instead. So I don't even know what to tell people as the recipient name to pay me, and it is not a lot easier for companies, which may use trading names or complicated abbreviations to fit in 18 characters.

Just for high value payments?

Arguably, if this was only high value payments, maybe it could be done with some manual sanity check by the receiving bank. After all, CHAPS payments have a fee, which I guess could be made higher to cover that manual work.

So fraudsters would do more frauds on payments that fit within the BACS or Faster Payments limits, but actually it is not hard for fraudsters to work around this and still get the large payments.

In the story the fraudster made a company - this makes sense as it is easy to make a company and then, as the company is legitimate, easy to get a bank account. So all they have to do is make a company in a similar name.

That means that either the bank's manual check for a match passes, as the name is close enough, or simpler still, the fraudsters use the similar name in their instructions, e.g. "Pay STEED PARTNERS LTD, sort code X, etc." when the company they are dealing with is Steed & Steed. What normal person would spot that as an error? Indeed, I bet loads of people would just follow the instructions even with a very different name - how many times have you seen companies with a well known trading name that is actually some limited company you have not heard of?

I checked there is not a Steed Partners Ltd, but googling for Steed Partners Ltd gets the Steed & Steed web site all over the place.

So basically checking names would have stopped the specific fraud, but will not stop future frauds which simply need to take a few more steps. It will also have a side effect of breaking many genuine bank transfers and causing a lot of hassle because of that.

What about signed email?

Well, sadly, signed emails are still not common or simple. One of the big issues is that any system typically needs either blind trust in third parties (as https does with certificate authorities) or a web of trust (complicated for end users to manage), plus some degree of user involvement in the process (not being gullible).

Bear in mind what I said above about Steed Partners Ltd. Once such a company is made and a bank account opened, a domain name can be obtained, an https web site set up with a proper certificate, and certified signed email set up. The whole lot can be branded to look like the real solicitors, and the whole process can probably be done for under £100 within a couple of days.

So to scam someone, you just have to find someone that is dealing with those solicitors and send them an email (from your similar looking email address) with contact details for payment, and even (your) phone contact details and a link to (your) https web site which shows the same contact details. No need to hack the solicitors' email or phone system even, and calls can be made and received to confirm the payment, etc. It is quite easy to say that the email and phone number are your direct contact details. It is easy to get a number in the same area code even.

I do think proper email signing would help a lot in many cases, but it would drive fraudsters to be slightly more sophisticated. Getting people using signed emails is a long game - and one I hope will happen eventually.

Paying HMRC

Someone did suggest banks should have details of known payees and check them. Sounds good, but hang on a second - they do that...

Firstly, if I owe HMRC they send a letter (aka a demand) and they have the good sense to include bank details on it. As such, I never have any trouble paying HMRC large sums of money :-(  I am not sure why the couple were paying a solicitor they had not dealt with before, rather than just paying HMRC - perhaps there are reasons.

Similarly if I want to pay someone I simply put the name in the on-line banking, and known common payees are listed...


What is interesting here is that even though AAISP are listed if you check, Steed & Steed are not! Maybe they should contact their bank and get themselves listed. It seems to be a BACS level thing, so should apply to all banks.

Other ideas!

Maybe the banks should simply adopt a similar view to couriers - and when paying by CHAPS, for a small extra fee you can insure the payment (with a pay out if it turns out to be some sort of fraud). I expect it might be a large fee, and I bet people would turn it down - but if that happens the banks would have an even clearer case for "not our fault".

How did they know?

One thing I have not touched on - how did the fraudster know to send the fake email? Well, there may be ways: if it is an inheritance, check obits, etc. The other thing people forget is that scammers can spam millions of people, with one in a million happening to be dealing with that solicitor that day - it works for bank site phishing frauds. But obviously a better way is if you can access the genuine email, either the solicitors' or a load of end user email accounts. Just passively searching emails could find the details you need, but intercepting can ensure a genuine email from the solicitors is removed. For this scam to have worked, there may be more to it than a random email to someone that happens to be expecting an email, and it is guess work at this stage. It will be interesting if we see how the story pans out.

Conclusion...

At the end of the day, be careful, double check, especially when paying such large sums. As long as people are gullible there will be fraud, and all the checks and technology we put in place will not stop that, sadly.

P.S. As per one of the comments, assuming it is correct, it was the email of the couple in question that was "hacked", so there is nobody but the fraudster to blame really. The police really should be investigating - follow the money, trace who made the company, CCTV of cash withdrawals, etc.

21 comments:

  1. One other suggestion - if you're doing an electronic payment of a large sum of money, then make a small initial payment (say £100) first. Even if there's no attempted fraud involved, this will ensure that you haven't muddled the numbers up in some way.

    Once you've done the initial payment, check by an independent means with the payee that they have received the money. Once they confirm receipt, send the rest.

    (And on the number muddling front, yes I know there are checksums which will pick up a simple pair of swapped digits. Nonetheless, when I was running an on-line business, we more than once had instances of credit card payments which were initially approved by the bank, and then came back later with a "card does not exist" error. Each time it was because the digits had been mangled in a non-trivial way which then still passed the checksum.)

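An added example, not part of the comment above, of what the checksum the commenter mentions does and does not catch: card numbers carry a Luhn check digit, which catches any single wrong digit and a swapped adjacent pair, except the pair 09/90, and any two errors that cancel out in the weighted sum. Every card number below is constructed for the demonstration.

```python
# Added example (not from the comment): the Luhn checksum on card numbers.
# The check digit is the rightmost digit; every second digit from the right
# is doubled (with 9 subtracted if the result exceeds 9) before summing.
from __future__ import annotations


def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the number (spaces allowed) passes the Luhn check."""
    digits = "".join(c for c in number if c.isdigit())
    return len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Check digit that makes partial + digit pass the check."""
    return (10 - luhn_sum(partial + "0") % 10) % 10


def swap_adjacent(number: str, i: int) -> str:
    """Transpose digits i and i+1, the typo the checksum is meant to catch."""
    s = list(number)
    s[i], s[i + 1] = s[i + 1], s[i]
    return "".join(s)


def transposition_detected(number: str, i: int) -> bool:
    """Does swapping digits i and i+1 of a valid number make it fail?"""
    return luhn_valid(number) and not luhn_valid(swap_adjacent(number, i))


if __name__ == "__main__":
    card = "4539 1488 0343 6467"           # constructed, passes the check
    print(luhn_valid(card))                  # True
    print(transposition_detected("4539148803436467", 0))   # True: 45 -> 54 caught
    # Constructed number containing "90": the 90 <-> 09 swap is invisible to Luhn.
    weak = "400000000000090" + str(luhn_check_digit("400000000000090"))
    print(transposition_detected(weak, 13))  # False: swap not caught
    # Two compensating errors (7 -> 8 and 4 -> 3 in undoubled positions) still pass.
    print(luhn_valid("4539148803436368"))    # True
```

A number that passes the checksum is therefore well-formed, not proven real, which is the commenter's point about the later "card does not exist" rejections.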
  2. Other coverage of this fiasco suggests that the receiving bank (NatWest) permitted the fraudsters to withdraw £20K per day IN CASH from the same account on six successive days, and then walk away.

    If that kind of behaviour doesn't automatically ring alarm bells in the bank...? Five opportunities (to apprehend or at least delay the fraudsters) missed over five days.

  3. Interesting recent reading on "identity fraud" and the role of the police and the banks from Cambridge University Computer Lab's Professor (of Security Engineering) Ross Anderson:
    https://www.lightbluetouchpaper.org/2017/08/26/is-the-city-force-corrupt-or-just-clueless/
    and
    https://www.lightbluetouchpaper.org/2017/07/10/national-audit-office-confirms-that-police-banks-home-office-pass-the-buck-on-fraud/
    which has this in the closing paragraph:
    "the FCA explained in response to the Tesco Bank hack that the banks it regulates should make fraud victims good. And it has always been the common-law position that in the absence of gross negligence a banker could not debit his customer’s account without the customer’s mandate. What’s lacking is enforcement. Nobody, from the Home Office through the FCA to the NAO, seems to want to face down the banks. Rather than insisting that they obey the law, the Home Office will spend another £500,000 on a publicity campaign, no doubt to tell us that it’s all our fault really."


    Prof Anderson isn't a newcomer to the subject of identity fraud (unlike the banks and especially the police) - e.g. this from 2006:
    https://www.lightbluetouchpaper.org/2006/08/08/identity-fraud-again/

    He's also had a few words to say on The War On Encryption.


    All worth a look.

  4. Apparently they phoned the solicitor for bank details - why weren't they given them there and then? This is the way it usually works - yes there's a risk you misdialled and got a fraudster but it's much lower as you're initiating the call to a known person.

    Sending an email with the details on seems to be just opening yourself up to risk of fraud (as is post.. email isn't special here). Given the sums involved I'd get the details when I was at their office (as I did when I was buying my house).

  5. The solicitor is responsible for the breach of their email systems (they could of course try to reclaim from the culprit), but other than questions about how a fraudster got an account in the first place I can’t see how the bank is responsible.

  6. I think this episode illustrates well how useless the ever increasing bank regulation is, in terms of theory, practice and enforcement. Know Your Customer regulations should have foreseen or prevented this kind of fraud - how can an account formed by a company run by a director with many shady-sounding different companies of no clear purpose, receive £120,000 and then withdraw it in cash over 6 days?

    Surely either there should be restrictions on such withdrawals, eg amounts above £x000 cash withdrawal require formal identification (eg passport), logging and verification of real purpose? Or if a new account suddenly receives an enormous payment inbound it should be put into escrow while investigated?

    I know people will say - oh, more regulation? But the existing regulation is already annoying enough for regular people yet loose enough for these kinds of fraud! Why, if as an individual with a provable, safe history, I can't withdraw more than a few hundred pounds in cash each day, can a brand-new limited company with a shady director then withdraw tens of thousands?

    Only the other day did I receive another one of those paperwork forms from a financial institution I deal with, asking for details of my nationality, NI number and whatnot. What's this all for?!

    And then the police refusing to investigate a theft of £120,000...

    I think a lot really needs to change with our current banking system - it's heavily biased in favour of 'the institution' and businesses, and needs to be refocused back onto individuals. There's no reason why someone should be allowed to form 10 different fake limited companies without a good reason. It all just makes me so terribly angry...

    1. Yeh, don't understand police not investigating. As for a company, well, the company is "legit", and the ID could be the bank issued debit card... So not that simple.

    3. Tricky - the only non-legit case is someone that has been formally disqualified from being a director, else anyone can make a company and that company is absolutely "legit" from a banking point of view. i.e. a threshold is defined in "disqualified as director" and making a new threshold is not usually sensible.

  7. So this fraud isn't a new thing and when buying my current home, there was even a warning in the solicitors' email signature/small print warning of such.

    However, I was rather surprised that the company were a little put out about me phoning them after being emailed their bank details for payment, and checking they were correct! I suspect the signature was a generic one and the individual people didn't really know what it was about.

    And to cap it off they even asked me to stop signing my emails as their email system didn't like it and was causing them problems!!

    1. Wow, just wow, ask them to stop signing their letters as your scanner does not like the colour!

  8. If banks aren't going to make any kind of check on the account name, wouldn't it be better if they removed it from the form?

    1. Well, I suppose. It is included in the BACS/CHAPS data as far as I know, but you have to wonder why I guess.

  9. The Guardian article bangs on about something or other being "hacked". This is probably rubbish. We have clients who think that when we do a password reset on their account we are "hacking into their account for them". Most people, journalists included, don't know what 'hack' means.

    I have read this a few times and the telling bit in the Guardian article is this:

    "Peter telephoned his family’s long-used firm of solicitors, Steed & Steed, based in Braintree, Essex. He rang because he was due to pay his grandmother’s inheritance tax bill to HM Revenue & Customs and needed the law firm’s bank details. Later that morning, an email duly arrived with the firm’s account and sort code detailed in a Word file attachment. This was the first contact he had had with anyone at the law firm, he says."

    I don't think Steed & Steed were involved. I think a scammer masquerading as S&S contacted Peter using a similar domain name for the emails and a similar phone number for the calls. They will have sent out 10m emails reading, for example,

    "RE YOUR INHERITANCE TAX DEBT

    HMRC have been on to us and are going to take legal action if you/we don't pay the inheritance tax bill by Monday. They are also going to start charging a fine of £500 per month under new EU directive XYZ.

    So, please call my office immediately to arrange payment today and I can ensure the fines and legal action don't happen.

    My direct line is 0xxx xxxxxx. Thanks.

    FRED SMITH
    TAX PARTNER"

    As long as one or two of those 10 million emails reach a genuine S&S client who is due to pay some IHT then the scammer is a winner.

    Peter reads it, panics at the threats of fines and legal action from HMRC, "indeed we have dragged out the administration of Granny's estate for a couple of years, HMRC must be pretty mad, arrrgh!", in a rush he picks up the phone to the scammer, asks for the bank details, drives straight to the bank, and the rest is history.

    He then calls the scammer who confirms receipt of funds.

    His second call though is to the real solicitor ("Gee, Mrs Victim, S&S must have a problem with their phones today; their new number isn't working; I'll dig out their old number and try that"). The real S&S then denies receipt of funds.

    I reckon the real solicitor is clean - they didn't ask him for the money nor provide dodgy bank a/c details. I reckon the sending bank is clean - they didn't supply the bank details of the scammer - they just acted on correct instructions.

    Just a theory, but I have been at a company when scammers have masqueraded as that company and I have seen the calls come in when the victims called us asking where their money was, of which we had no knowledge of course...

    1. Given the number of solicitors and the low rate of spam success these days I think targeting a specific small solicitor would be pointless.

      I think a hack was much more likely; the scammer could easily collate a list of solicitors from compromised account data, or phish them for a login, or any number of methods. Given the very large prizes on offer it would justify significant effort.

      I think the likely scenario was:
      1) Victim calls solicitor, secretary doesn't have the bank details but emails a clerk or partner to forward on.
      2) Scammer is monitoring the mailbox where this message is sent. Perhaps the scammer has software to automatically filter emails into a subfolder where they can review them and decide to reply or move them back to the inbox.

      3) Scammer has access to all the solicitor's emails so they can compose a very convincing reply with the scammer's bank details. Presumably they delete it from the sent mailbox.

      4) Victim receives what appears to be an authentic email and would otherwise pass all tests for legitimacy.

    2. Regarding the use of the solicitor - I assume "family" means his parents and grandparents use them and they were dealing with part of the estate somehow. I imagine most people not used to dealing with HMRC and tax processes might think that a solicitor dealing with it provides a level of safety/comfort...

  10. Further to my replies, I have been following this on a forum I frequent (Pistonheads) and a poster on there claims to know the couple well, and discloses that the client's email was hacked, not the solicitor's. Not what I was expecting!
    https://www.pistonheads.com/gassing/topic.asp?h=0&f=10&t=1703142&i=80 - the reply by "PIGINAWIG"

    1. That was one of the possibilities, as per my blog post. Shame. Police really should investigate as should have plenty to go on if they follow the money. But sadly a case where the couple were defrauded, not the bank, nor the solicitors. Sad.

    2. I'm afraid that as soon as he was referred to as "a bloody decent lad" I stopped believing any of it.
