An outline of an online scam worth potentially thousands of dollars. This scam shows the importance of having strong, unique passwords and two-factor authentication on email accounts.
I heard of this scam on an episode of Money Box, an English radio podcast about money and finances.
This scam starts out with hackers scouring the internet for previous data breaches such as this one at LinkedIn, and this one at Ashley Madison. What they are looking for in these breaches are email and password combinations, specifically those for small businesses and tradespeople.
The hackers will then try to gain access to the email accounts of those businesses or tradespeople. If, like a surprising number of people, they use the same password for everything, then gaining access is trivial. Otherwise the hackers will try to guess or brute-force their way into the email account.
Assuming the hackers are able to get into the email account they then wait for the right time to pounce.
The small business or tradespeople are likely performing services for clients and communicating via email. Once the conversation looks like it is turning to payments, the hackers strike. The hackers will seize control of the email account and communicate with the client. The hackers will then send across payment details, which will be the bank account of the hackers and not the small business or tradespeople who did the work. The client doesn’t realise anything is wrong as they have been communicating with the small business or tradespeople using the same email address all along. They don’t know that the email account is now under the control of the hackers.
The client, believing all is well, will transfer the money directly to the hackers.
- Client – has just transferred a substantial amount of money to the hackers
- Tradesperson – still hasn’t received payment for services performed
- Hacker – has just received a lump sum
Once the client realises that they have transferred the money to the “wrong” account there is little they can do to get the money back. The hackers have likely transferred the funds to several other bank accounts, possibly overseas or into Bitcoin.
The banks will take no liability for this scam because, as far as the bank is concerned, there was no fraud involved. The client knowingly and willingly transferred the funds to the hackers’ account. The fact that the client was tricked into entering the “wrong” account details is treated as the fault of the client; the bank has no responsibility in the matter.
The client still has to pay the small business or tradespeople for the work that was done, in essence paying double for the work. They have been conned out of substantial funds through no fault of their own.
How this could have been avoided
If the small business or tradespeople had used two-factor authentication on their email account, then it is likely the hackers wouldn’t have gained access to the email account in the first place.
Perform a small test transfer first. The client could have sent a smaller amount initially, then confirmed with the small business or tradespeople that they had received the money. The confirmation would preferably be through a different means than email, ideally in person or by phone.
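The test-transfer advice relies on the client noticing that the bank details have changed mid-conversation. The check below, an added example in Python that is not from the original post, keeps a vendor's bank details on record from an out-of-band source (the signed quote, a phone call) and flags any email in the thread that quotes details not on that record. The addresses, sort codes and account numbers are constructed sample data.

```python
import re

# Constructed sample thread: the tradesperson's genuine invoice, followed by a
# message sent after the mailbox was taken over that quotes different details.
THREAD = [
    {"from": "plumber@example.com",
     "body": "Invoice attached. Pay to sort code 12-34-56, account 12345678."},
    {"from": "plumber@example.com",
     "body": "Apologies, our bank has changed. Please use sort code 65-43-21, "
             "account 87654321 instead."},
]

# Bank details recorded out of band (from the contract, not from email).
# Anything quoted in email that is not on this list must be verified by phone
# or in person before money moves.
KNOWN_VENDORS = {"plumber@example.com": {("12-34-56", "12345678")}}

# UK-style "sort code NN-NN-NN, account NNNNNNNN" as used in the sample thread.
ACCOUNT_RE = re.compile(
    r"sort code\s*(\d{2}-\d{2}-\d{2}),?\s*account\s*(\d{8})", re.IGNORECASE)


def extract_accounts(body):
    """Return the set of (sort code, account number) pairs quoted in a message."""
    return set(ACCOUNT_RE.findall(body))


def flag_payment_changes(thread, known):
    """Return (message index, details) for every bank detail quoted in the
    thread that does not match the sender's out-of-band record.

    A sender with no record at all has every quoted detail flagged, since
    there is nothing to compare against.
    """
    alerts = []
    for i, msg in enumerate(thread):
        trusted = known.get(msg["from"], set())
        for details in extract_accounts(msg["body"]):
            if details not in trusted:
                alerts.append((i, details))
    return alerts


if __name__ == "__main__":
    for index, (sort_code, account) in flag_payment_changes(THREAD, KNOWN_VENDORS):
        print(f"message {index}: unverified details {sort_code} / {account}; "
              "confirm with the vendor by phone before paying")
```

A hit does not prove a compromise, since vendors do change banks, but it is exactly the moment to confirm the details by a channel other than the email thread.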