
[Closed] bank transfer/push payment fraud?

Posts: 299
Free Member
Topic starter
 

My sister just fell victim to a request from her work space landlord asking for payment to be sent to a different account.
Emails appear to come from the landlord's firm. A new 6 email chain back and forth following the typical monthly emailed invoice, not just one out of the blue with an account number.
All emails written in the same format and use of language and abbreviations that the landlord typically uses and time lines up with normal payment window so no red flags as far as the Nigerian prince's typos. Same signature etc.

Landlord has of course followed up with 'sorry you were hacked...assume you'll be making payment to us'...

Haven't seen the original message headers but apparently his email provider say he's not been hacked.
Just wondering how they would be able to tell that?
My sister's hosting/email provider also say she wasn't hacked and say it must be the landlord's end.

IF it was her emails that were breached, this has to be a long game. Does that mean that there's a reasonable chance that her clients might end up being sent an email from the hackers saying that my sister's account details have changed for their upcoming invoice?
Presumably she'll be out of luck with any bank protection if so?

Are there any government or private resources to help understand what happened with this flow of emails and where the fault lies?


 
Posted : 13/11/2019 5:41 pm
Posts: 7954
Full Member
 

They cannot definitively say he has not been hacked though it might not be the email account that is compromised. If the email has authentically come from his provider then surely the liability is with him (as it is his end that has been compromised one way or another).


 
Posted : 13/11/2019 5:55 pm
Posts: 4170
Free Member
 

Look at the full headers of the emails and you'll be able to see which servers they were sent from. If you don't know how to see the headers, Google for the method for whatever email software / provider you're using. The headers take a bit of interpreting but it's usually obvious, if you compare genuine emails from the previous month with the suspect ones.

If it's sent through the same servers as before it could be an inside job in the landlord's office - ie, email not hacked as such, just somebody found out the password and used it.


 
Posted : 13/11/2019 6:39 pm
Posts: 827
Free Member
 

This happens a lot. Unfortunately she’ll probably be out of pocket.

In hindsight she should have picked the phone up and spoken to them to verify the changes in bank details. Hindsight is a wonderful thing though.

She should raise it with her bank, who may investigate and involve the police but she’s is likely to get anything back.


 
Posted : 13/11/2019 6:48 pm
Posts: 0
Free Member
 

Same thing happened to my ground worker, emails looked proper kosher, we've had a new bank account blah blah. His wife made the payment as normal, it was in the 10s of thousands I believe. They started to have a fall out, threats of barristers etc. After taking advice he was advised blame lay with him and not to pursue.


 
Posted : 13/11/2019 7:00 pm
Posts: 77347
Free Member
 

Emails appear to come from the landlord's firm.

But where do they go back to when she hits 'reply'? If the reply address is genuine I can't see how it's anything other than an inside job.

Spoofing email addresses is trivially easy.


 
Posted : 13/11/2019 7:08 pm
Posts: 10315
Full Member
 

But where do they go back to when she hits ‘reply’?

This is a very good question.  In the case I saw at our work where someone's address had been hacked the hackers (I use the term loosely) had put a filter on his mail to forward all replies to the hacker and delete in incoming mail.  It was basic but effective.  It didn't catch us because we have rules to always confirm account changes or unusual stuff by a second method

So, if the landlord's account has a filter in it then they were hacked.  She should be able to tell that by the reply address being EXACTLY correct ie. watch out for dots or slightly wrong domain names (I would open the item in the Sent folder to see where it went).  Someone was most likely hacked if the language is the same.  Again, that's what we found.  They not only found addresses they copied the writing style


 
Posted : 13/11/2019 7:13 pm
Posts: 6874
Full Member
 

No consolation but hopefully this simple and effective method of fraud will be wiped out within six months with Confirmation of Payee.

https://www.wearepay.uk/confirmation-of-payee/


 
Posted : 13/11/2019 7:20 pm
Posts: 0
Free Member
 

Funnily enough I’ve been setting up some banking governance today, the banking guy was telling me there’s a fair amount of this happened lately with crafted trojans on the pc end. Typically they were setting up stealth rules to hide emails in deleted then retrieve and reply. One client was landed for over a mill in a diverted payment


 
Posted : 13/11/2019 7:25 pm
Posts: 10315
Full Member
 

it turns out it is much easier to trick humans than hack computers - who would have guessed 🙁


 
Posted : 13/11/2019 7:28 pm
Posts: 7954
Full Member
 

Apparently happens quite a lot in property sales as well.


 
Posted : 13/11/2019 7:46 pm
Posts: 299
Free Member
Topic starter
 

Replies go to his correct email, no sneaky mistypes.
He's been away for a few weeks travelling in the US so perhaps compromised credentials in unsecured wifi use?
She's a smart cookie but no one's immune to being caught napping I guess, but the chain of contact between 'them' and timeline was not enough to raise concerns I guess.
See what the bank say tomorrow but at present he's waiting for his rent..


 
Posted : 13/11/2019 7:56 pm
 toby
Posts: 532
Full Member
 

Spoofing email addresses is trivially easy.

It shouldn't be trivial in this day and age. SPF means that part of running landlordcorp.com is having a public record of how legitimate emails from landlordcorp.com are sent. If someone just sets the from: header and then sends an email through the mailserver at scammer-isp.org it *should* be flagged as illegitimate.

Of course that doesn't get round someone registering landlordcorp2.com or hoping "Hi, it's your landlord really" from landlordcorp@hotmail.com will be accepted.

If, however, she's been replying to landlord@landlordcorp.com and the scammer has been getting the emails, it suggests that scammer has landlord's email credentials (which would also explain why they can send as him), or her computer has a virus that's sending the scammer copies (or someone in landlord's office is running a scam while he's away).


 
Posted : 13/11/2019 8:11 pm
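Added example, not part of any post in this thread: the header comparison suggested earlier (genuine email from the previous month versus the suspect one) combined with the SPF check described above, using Python's standard `email` module. The two messages are constructed samples; `mx.tenant.example`, the host names and the IP addresses are assumptions, and the domains are the thread's own placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not taken from the thread's real emails).
GENUINE = """\
Return-Path: <landlord@landlordcorp.com>
Received: from mail.landlordcorp.com (mail.landlordcorp.com [192.0.2.10])
\tby mx.tenant.example; Tue, 01 Oct 2019 09:00:00 +0000
Authentication-Results: mx.tenant.example; spf=pass smtp.mailfrom=landlordcorp.com
From: Landlord <landlord@landlordcorp.com>
"""
SUSPECT = """\
Return-Path: <bounce@scammer-isp.org>
Received: from relay.scammer-isp.org (relay.scammer-isp.org [198.51.100.7])
\tby mx.tenant.example; Fri, 01 Nov 2019 09:00:00 +0000
Authentication-Results: mx.tenant.example; spf=fail smtp.mailfrom=scammer-isp.org
From: Landlord <landlord@landlordcorp.com>
Reply-To: landlord@landlordcorp2.com
"""

def domain(addr):
    """Domain part of an address header, lower-cased ('' if header absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def summarise(raw):
    msg = message_from_string(raw)
    # Topmost Received line is written by the recipient's own server, so it
    # is the one hop the sender cannot forge.
    hop = (msg.get_all("Received") or [""])[0]
    m = re.search(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\]", hop, re.S)
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    frm = domain(msg["From"])
    return {"from": frm, "reply_to": domain(msg["Reply-To"]) or frm,
            "return_path": domain(msg["Return-Path"]),
            "sending_host": m.group(1) if m else None,
            "sending_ip": m.group(2) if m else None,
            "spf": spf.group(1) if spf else "none"}

def compare(genuine_raw, suspect_raw):
    g, s = summarise(genuine_raw), summarise(suspect_raw)
    checks = [
        (s["spf"] != "pass", "SPF did not pass"),
        (s["reply_to"] != s["from"], "Reply-To domain differs from From"),
        (s["return_path"] != s["from"], "Return-Path domain differs from From"),
        (s["sending_host"] != g["sending_host"], "sending server differs from the genuine email"),
    ]
    return [text for hit, text in checks if hit]
```

An empty list from `compare` means the suspect message came through the same server with passing SPF and no redirected replies, which rules out simple spoofing and points at access to the sending account itself.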
Posts: 77347
Free Member
 

"should" (-:

Anyway. If they are insistent that the email hasn't been hacked then ipso facto it's a problem within their office, I'd be pointing that out to them. The flaw in the logic that "his email provider say he’s not been hacked" is that it only refers to the email in transit, it doesn't take into account that the landlords themselves might have been compromised.

If the email address is indeed correct, and they haven't fallen victim to some sort of hack / infection / rogue employee, how do they explain why the people who should be reading her emails weren't flagging it up?


 
Posted : 13/11/2019 9:27 pm
Posts: 10315
Full Member
 

If it is the landlord's email (and it does look as if it is) then I would imagine that they are missing a lot of rent this month.  In this case it is difficult to work out where the legal liability lies and if it is the landlord who should be taking the hit.


 
Posted : 13/11/2019 9:31 pm
Posts: 19434
Free Member
 

I wonder if a monthly direct debit payment (set up once at the start of rent) should sort out this trouble?


 
Posted : 13/11/2019 10:25 pm
Posts: 4170
Free Member
 

If it was a 6 email reply chain, and the replies went to the correct address, whoever was reading the landlord's email must have seen the original. So the fraudster must have had access to the landlord's email account, not just forged the 'from' address. I can see no way to run that fraud by hacking the recipient, so it's either somebody in the landlord's office or somebody who has got hold of their email credentials and accessed the account - probably doing it out of hours and (as mentioned above) temporarily diverting incoming emails from the tenant into a hidden folder. Either way, it's the landlord's problem as their physical or IT security has been breached. It's possible that their email provider was hacked to get the credentials, but that would only work if the provider stored passwords in an accessible (unhashed, unsalted) form which nobody should still be doing.


 
Posted : 14/11/2019 8:58 am
Posts: 77347
Free Member
 

If the attacker had gained email credentials and was logging on externally to web mail or something, this would - well, should - be visible to the email provider as rogue IP addresses. If we assume that everyone is telling the truth (a dangerous assumption) and the email provider has ruled this out then it has to be an internal compromise.

They really need to get someone in to look at it, a half-decent security professional would likely get to the bottom of this in about 30 seconds.


 
Posted : 14/11/2019 11:07 am
Posts: 77347
Free Member
 

For the lols, stick the recipient email address in here.

https://haveibeenpwned.com/


 
Posted : 14/11/2019 11:08 am
