
[Closed] Lad a works been defrauded.

Posts: 1967
Free Member
Topic starter
 

Just wondering if there's any extra advice I can give him, as it's a busy time for him and us.

I'll try to keep it brief.

He's moving away and went to view a house to rent with his wife through a letting agent. Exchanged emails after and I presume the agent's email/data has been breached.

The fraudster has used a very similar email to carry on the conversation and they've handed over £1k+. He seemed quite calm; I'd have been seething. Also some ID, passport I think, and one other item.

I've told him to contact Action Fraud, possibly the police, as the fraudster will now use his ID in future frauds and possibly set up credit cards etc.

There appears to be another victim who turned up at the letting agency with her bags and kids. My boss has told him to pursue the letting agent for the money (doubt bank will be interested) as they've had their data breached and even after knowing this have not contacted him until it was too late.

Anything else? Feel sorry for him as I was very nearly conned myself once in a different manner.


 
Posted : 09/09/2019 8:40 pm
Posts: 0
Free Member
 

Police will be interested as it's a multiple victim scam...and paper trail.. get all the info he can to give them the best shot...


 
Posted : 09/09/2019 9:29 pm
Posts: 163
Free Member
 

He may be able to get some compensation through his bank under a new scheme.

https://www.bbc.co.uk/news/business-48385426


 
Posted : 09/09/2019 9:33 pm
Posts: 20675
 

If he's done bank transfer, he may as well have handed over cash, as far as the bank is concerned.

It’s just been on The One Show where a charity choir got done in the same way. Not much anyone can do about it now it’s happened unfortunately, as you’ve authorised the payment. (They did get some money back, 85 quid, out of 2 grand)


 
Posted : 09/09/2019 9:36 pm
Posts: 1967
Free Member
Topic starter
 

He's got some kind of paper trail on his iPhone email. They'd managed to delete it off his main computer. He seemed glad it wasn't more as he was due to hand over more. I'll tell him to try and get the other victim's contact details.


 
Posted : 09/09/2019 9:45 pm
Posts: 0
Free Member
 

My ground worker got took for 16k last year, via a hacked email account from a plant company. His wife never questioned the new bank account details they got sent in a request for payment email. Lost the lot as it was bank transfer.


 
Posted : 09/09/2019 9:47 pm
Posts: 22922
Full Member
 

If he's done bank transfer, he may as well have handed over cash, as far as the bank is concerned.

It's not just about the bank though - it wasn't just some random phishing attempt that got lucky. The agent failed to keep their business transactions, customer data and correspondence secure and left their customers wide open to targeted and credible looking attacks - the fraud attempt was successful because the fraudster was able to know exactly who was planning to make what transaction. Wouldn't this be a Public Liability issue on their behalf?

In relation to the bank though - it should be the case now that it's not just the sort code and account number - the transaction requires a name and that name should tally with the account holder* being paid... so whose name did your colleague put in as the recipient? Was it the same as the Agent?

*you always have had to type in a name... but in the past the banking system ignored it when validating the transaction - it didn't matter if the name you entered differed from the name of the account holder - now it has to match.


 
Posted : 09/09/2019 9:51 pm
Posts: 1967
Free Member
Topic starter
 

My ground worker got took for 16k last year, via a hacked email account from a plant company. His wife never questioned the new bank account details they got sent in a request for payment email. Lost the lot as it was bank transfer.

This chap nearly got done for £7k. I was nearly done for a £1000 a couple of years back. How'd you get over handing over £16k.

Should we be making these payments by CC?


 
Posted : 09/09/2019 9:53 pm
Posts: 0
Free Member
 

'They’d managed to delete it off his main computer'

Are you sure it wasn't his email/computer that was hacked rather than a hack at the agent's? If it turns out the agent has been breached then potentially some big fines could be coming their way under GDPR.

Oh and definitely report it. I've reported stuff to action fraud and got sweet fa in response but at least it adds to the stats if nothing else.


 
Posted : 09/09/2019 9:54 pm
Posts: 22922
Full Member
 

He’s got some kind of paper trail on his iPhone email. They’d managed to delete it off his main computer.

Wait - deleted off whose computer?


 
Posted : 09/09/2019 9:55 pm
Posts: 1967
Free Member
Topic starter
 

That's kind of what my boss said, it's a GDPR issue. The agent has told him about the other victim as it was the same house.

I think it's his wife who's made the transaction. I'll ask him tomorrow as I'd also read about the name having to match.


 
Posted : 09/09/2019 9:59 pm
Posts: 1967
Free Member
Topic starter
 

Wait – deleted off whose computer?

I presume their home computer/tablet as she's on maternity leave.


 
Posted : 09/09/2019 10:00 pm
Posts: 20675
 

If it’s any consolation to those being done, companies get done too, in a similar fashion. I know of one that was taken for 9 figures...


 
Posted : 09/09/2019 10:04 pm
Posts: 1967
Free Member
Topic starter
 

I think he needs to get the other victim's details then try and get the money back from the letting agent's insurance as they've not kept their details protected. I'll get some more info tomorrow.


 
Posted : 09/09/2019 10:10 pm
Posts: 33325
Full Member
 

I just got done for nearly £12k, however the perp was HM Revenue and Customs, and it was part of a pension savings plan set up specifically to pay off the mortgage, an interest-only one I was advised to take on.
Feeling thoroughly shafted right now, but there’s no PPI equivalent for misselling mortgages that goes back to 1994.
Quietly seething at the moment. 🤬


 
Posted : 09/09/2019 10:15 pm
Posts: 0
Free Member
 

This chap nearly got done for £7k. I was nearly done for a £1000 a couple of years back. How’d you get over handing over £16k.

Should we be making these payments by CC?


The big problem he had was the fact the plant company still wanted their 16k, there was talk of barristers on both sides at one point, they came to a gentleman's agreement because they knew it wasn't a great situation for either party.
But...it was a shining example of how easily it could be done, even the usual links from the payment request email worked as normal so his wife never thought anything of the change of bank account. I believe they are still married....


 
Posted : 09/09/2019 10:38 pm
Posts: 0
Free Member
 

Maybe it is a fraud by the letting agent, or someone working there. They could just deny knowing anything about it.
Or a completely fake letting agent, they just showed him around a random house.


 
Posted : 09/09/2019 10:39 pm
Posts: 5661
Full Member
 

Have seen too many of these over the years, I work in IT and maybe it's just having had to deal with yet another compromised account, but I have zero sympathy for those who get caught out. *shrugs shoulder* Might sound cold, but when you hear 'Janice in accounts has had her account hacked, again' you start hitting your head against the wall.

I can almost guarantee that someone at the letting agent was sent an email which contained a document/attachment shared with them which then asked them to sign into Office 365. Bingo, stage one done. The attacker has access to the letting agent's email account and all of their emails. Then, the waiting begins. They will wait for an email chain with an invoice, or something requesting payment, take that invoice, copy it, alter it, carry on the email chain (as they have access to be able to send emails as the user) and set up rules to delete any further emails in the chain. Letting agent is none the wiser as they see no emails coming in or out, as the ones being sent by the attacker are deleted instantly. Recipient gets an email with the standard 'we've changed our bank details, please pay these ones now' and because it's from the letting agent, doesn't question it. Money paid, money lost.

Users are the weakest link. Oh and not having MFA set up!!!!! grrr, that gets me, I've dealt with companies that have refused to have MFA set up even after multiple successful phishing attempts.

All it takes to prevent this (apart from having MFA set up) is to go 'hmm, wait a second, maybe I should check this..' and the person paying the money to pick up the phone and speak to whomever is requesting payment, to confirm the bank details.

Some phishing emails are downright terrible, but some I've seen, oh my even me as someone who's seen hundreds, if not thousands, I still have to take a minute or 2 to confirm. Some are bloody good nowadays.

Sorry to say but don't expect much from the police, the likelihood of the attackers being in the UK is slim, and I doubt the letting agent (unless they have a decent IT company managing their environments) will have the knowledge to be able to do a thorough investigation.


 
Posted : 09/09/2019 11:00 pm
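
The post above describes the attacker creating mailbox rules that delete replies so the account owner never sees the hijacked thread. A defender-side triage for such rules, as an added example that is not part of the original thread; the event schema, field names, domains and sample records are constructed and hypothetical, so a real mail platform's rule audit records would need mapping onto them:

```python
import json

# Constructed mailbox-rule events, one JSON object per line. The schema is
# hypothetical: map your mail platform's rule audit records onto these fields.
SAMPLE_EVENTS = """\
{"user": "agent@lettings.example", "rule": "Newsletters", "conditions": {"from": ["news@bikeshop.example"]}, "actions": {"move_to": "Newsletters"}}
{"user": "agent@lettings.example", "rule": ".", "conditions": {"from": ["tenant@mail.example"]}, "actions": {"delete": true, "mark_read": true}}
{"user": "accounts@lettings.example", "rule": "sync", "conditions": {"subject_contains": ["Invoice", "payment"]}, "actions": {"move_to": "Deleted Items"}}
"""

OWN_DOMAINS = {"lettings.example"}                  # assumption: the organisation's own domain
HIDING_FOLDERS = {"deleted items", "junk email"}    # folders where mail goes unseen
PAYMENT_WORDS = {"invoice", "payment", "bank", "deposit", "transfer"}


def assess_rule(event):
    """Return the reasons a single rule looks like it is hiding a conversation."""
    cond = event.get("conditions", {})
    act = event.get("actions", {})
    hides = bool(act.get("delete")) or str(act.get("move_to", "")).lower() in HIDING_FOLDERS
    if not hides:
        return []  # filing mail into an ordinary folder is not interesting here
    reasons = ["hides-mail"]
    if act.get("mark_read"):
        reasons.append("marks-read")
    # A rule scoped to one outside correspondent matches "delete further emails in the chain".
    external = [s for s in cond.get("from", [])
                if s.rpartition("@")[2].lower() not in OWN_DOMAINS]
    if external:
        reasons.append("targets-external-correspondent")
    words = {w.lower() for w in cond.get("subject_contains", [])}
    if words & PAYMENT_WORDS:
        reasons.append("targets-payment-terms")
    return reasons


def suspicious_rules(lines, min_reasons=2):
    """Parse JSON-lines rule events and return (user, rule name, reasons) worth a manual look."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = assess_rule(event)
        # One reason alone (e.g. a user auto-deleting something) is too noisy to alert on.
        if len(reasons) >= min_reasons:
            findings.append((event["user"], event["rule"], reasons))
    return findings


if __name__ == "__main__":
    for user, rule, reasons in suspicious_rules(SAMPLE_EVENTS):
        print(f"{user}: rule {rule!r} -> {', '.join(reasons)}")
```
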
Posts: 1113
Full Member
 

What's an MFA?


 
Posted : 09/09/2019 11:18 pm
Posts: 22922
Full Member
 

Users are the weakest link.

It sounds like the IT is the weakest link. You're blaming the victim because the system being used makes it too easy for fraudsters. There's only one action by a user in that whole chain of events you described.


 
Posted : 09/09/2019 11:31 pm
Posts: 120
Free Member
 

@jim25 MFA = multi factor authentication. You're asked to supply an additional piece of information to prove it's you, for example, you might get a code number texted to your mobile to enter when you log in.


 
Posted : 09/09/2019 11:43 pm
Posts: 5661
Full Member
 

What’s an MFA?

Multi factor authentication. Also called 2 factor authentication. Basically, if someone signs into your account from a non-trusted device, a 2nd authentication factor will then have to be approved in order to approve the sign in. Text message to a mobile, phone call, or application notification, none of which the attacker will have.

It sounds like the IT is the weakest link. You’re blaming the victim because the system being used makes it too easy for fraudsters. There's only one action by a user in that whole chain of events you described.

And that single action by a user is what causes the entire thing to fall apart.

Now, granted, if the business doesn't have MFA enabled then they are also a weak link, and it doesn't sound like their security is amazing (but probably typical of many small businesses), but you can still have the most secure IT system in the world, and the attackers will seek out the path of least resistance, which is the user.

What happens if the user doesn't fall for that phishing email? No-one loses any money.

I've seen companies provide training after training after training, and the same people still get their accounts compromised.

Google "IT security weakest link".


 
Posted : 09/09/2019 11:55 pm
Posts: 5661
Full Member
 

To equate it to real life, it's like having a house with a massive moat, guard dogs, a 40ft high fence, cctv, alarms, etc.

And then leaving the key under the mat.

A single act by a user will render all your security worthless and mean the attacker has basically been handed the keys to the house.


 
Posted : 10/09/2019 12:46 am
Posts: 396
Free Member
 

the transaction requires a name and that name should tally with the account holder* being paid… so whose name did your colleague put in as the recipient? Was it the same as the Agent?

*you always have had to type in a name… but in the past the banking system ignored it when validating the transaction – it didn’t matter if the name you entered differed from the name of the account holder – now it has to match.

That's interesting. Earlier in the year had HSBC hold a transaction and when I rang they queried had I got the recipient account number from an email - answer no so from their viewpoint all OK - I pointed out that equally I could have picked up the details from a fake website that claimed to be the organisation I wanted to send funds to and were they able to confirm the account & sort matched the name - they told me no which I thought was pretty unhelpful.


 
Posted : 10/09/2019 2:02 am
Posts: 1967
Free Member
Topic starter
 

That’s interesting. Earlier in the year had HSBC hold a transaction and when I rang they queried had I got the recipient account number from an email – answer no so from their viewpoint all OK – I pointed out that equally I could have picked up the details from a fake website that claimed to be the organisation I wanted to send funds to and were they able to confirm the account & sort matched the name – they told me no which I thought was pretty unhelpful.

I think banks record your voice during calls to match it to future calls. Not 100% on this though.


 
Posted : 10/09/2019 6:55 am
Posts: 1967
Free Member
Topic starter
 

Maybe it is a fraud by the letting agent, or someone working there. They could just deny knowing anything about it.
Or a completely fake letting agent, they just showed him around a random house.

It was their response but I think the agent has an office so seems unlikely.


 
Posted : 10/09/2019 6:57 am
Posts: 1967
Free Member
Topic starter
 

Tallpaul, so would things like the above be better done over WhatsApp than email?

Should my colleague be chasing the agent for monies? The worst bit is he still doesn't have a property and the agent is probably still under attack.


 
Posted : 10/09/2019 7:00 am
Posts: 8613
Full Member
 

Have seen too many of these over the years, I work in IT and maybe it’s just having had to deal with yet another compromised account, but I have zero sympathy for those who get caught out

I work in IT too, inc. on the security side and personally I do have sympathy with victims of this sort of scam. Yes it's preventable but when it's a case of the recipient's email has been hacked it's still not something people in general expect and due to human nature put too much trust in that. Ofc people should do test transactions and phone the person to ensure it went to the correct account etc. but it's all too easy to skip that step.

I thought some banks had signed up to a voluntary scheme whereby they'd compensate victims of this sort of fraud? Unless I'm making that up it's def worth the OP's colleague checking with their bank.

Should my colleague be chasing the agent for monies? The worst bit is he still doesn’t have a property and the agent is probably still under attack.

Legally they have no recourse to get anything from the agent, even though it may have been the agent's poor security practice that helped/enabled the scam to take place the fault is still with the victim. Possibly they might be able to sue but I can't see that going anywhere


 
Posted : 10/09/2019 7:09 am
Posts: 9539
Free Member
 

blah blah blah MFA Users are the weakest link. Oh and not having MFA set up!!!!! grrr, that gets me, I’ve dealt with companies that have refused to have MFA set up even after multiple successful phishing attempts.

All it takes to prevent this (apart from having MFA set up) BLAH. MFA blah

Classic. And you're surprised people in your org keep getting hacked and don't listen to your awesome advice?


 
Posted : 10/09/2019 7:40 am
Posts: 3190
Free Member
 

it’s still not something people in general expect and due to human nature put too much trust in that. Ofc people should do test transactions and phone the person to ensure it went to the correct account etc. but it’s all too easy to skip that step.

Agreed - when I heard about this kind of scam I made sure both sets of parents were aware - particularly as both were dealing quite heavily with tradesmen at the time, new kitchens etc, and so could be exposed.
The biggest obstacle to their understanding was the fact that email was not secure, and a message that looked like it came from the landscape gardening company, might actually be from a fraudster pretending to be them. If anything, this has now gone the other way - and they regard almost every email as a scam, and spend ages on hold trying to confirm payment details


 
Posted : 10/09/2019 7:45 am
Posts: 77347
Free Member
 

Some phishing emails are downright terrible, but some I’ve seen, oh my even me as someone who’s seen hundred, if not thousands, I still have to take a minute or 2 to confirm. Some are bloody good nowadays.

I have a theory that the terrible ones are intentionally terrible. The initial hook is automated so it's easy, but once you start to reel people in that takes effort. So, someone gullible enough to click through an obviously fake email is less likely to go "wait, hang on a minute..." down the line and thus waste the scammer's time.

I’ve seen companies provide training after training after training, and the same people still get their accounts compromised.

User education is hard.

Back when I was in IT, I was working on someone's PC when coincidentally a malware-laden email came in. I explained patiently and at length what it was, then deleted it. I hadn't got back to my desk when I got a call, "my computer's gone funny." Went back, they'd retrieved the email from Deleted Items (my own oversight for not fully deleting it), opened it and run the attachment. When I asked "why on Earth would you do that?" I got told "I wanted to see what it said."

Email is a big problem right now. Time was, an initial point of infection was due to crummy security or unpatched software (I'm looking at you, Flash and Java). These days it's email-borne phishing and malware attacks, by a very long way.


 
Posted : 10/09/2019 8:59 am
Posts: 8613
Full Member
 

User education is hard

Very true - I work for an IT consultancy where there's not just a lot of mandatory training (basic security, GDPR etc etc) but they also do internal phishing tests and if you open the attachment or click on a link in the email you get flagged up. First failure and you get a friendly warning, second failure and your manager gets notified and you need to repeat the mandatory security training courses, third failure and it's likely to be a disciplinary (I think they still get a 5% 'failure/idiot' rate though). That said some of these tests do look pretty convincing and are much better crafted than your typical ones - not failed one myself yet though :p


 
Posted : 10/09/2019 9:17 am
Posts: 77347
Free Member
 

they also do internal phishing tests

I was talking to a pen tester* the other week. He'd recently performed testing for a police force. He asked for permission to do phishing simulations and got told by the chief, "fill your boots, all our staff have been well trained." IIRC about 20% of the force clicked on the emails...

(* - penetration testing, not Biros.)


 
Posted : 10/09/2019 9:25 am
Posts: 12865
Free Member
 

If anything, this has now gone the other way – and they regard almost every email as a scam, and spend ages on hold trying to confirm payment details
Not necessarily a bad thing! It’s like the Wild West out there, and only going to get worse as more non-tech-savvy people start conducting business online. You see a few bank adverts on telly with anti-scam messages but there needs to be a national education campaign I think; so many people don’t even have a clue what the potential threats are or how to avoid them.


 
Posted : 10/09/2019 9:41 am
Posts: 5661
Full Member
 

Classic. And you’re surprised people in your org keep getting hacked and don’t listen to your awesome advice?

Not my org, one of the customers of the msp I worked for. You can only recommend what the customer should have set up, it's up to the customer to decide whether they implement it or not. In this case, they decided not.

And it's not just my awesome advice, ask anyone who works in IT, security or otherwise, MFA is something so basic that it beggars belief that some companies don't have it turned on.


 
Posted : 10/09/2019 10:08 am
Posts: 5661
Full Member
 

If anything, this has now gone the other way – and they regard almost every email as a scam, and spend ages on hold trying to confirm payment details

That's a good thing, if they've been targeted by the attackers once and fallen for the scam then the chances are they will get targeted again, as they are a known 'easy' target and their email address will have been kept for a later date by the attackers.


 
Posted : 10/09/2019 10:15 am
Posts: 77347
Free Member
 

And it's not just my awesome advice, ask anyone who works in IT, security or otherwise, MFA is something so basic that it beggars belief that some companies don’t have it turned on.

It's arguably not that "basic," but yes, you're right. 2FA is worth the effort just because of the amount of risk it stops dead in its tracks.

The problem really is that in the Good Old Days security was an afterthought. It was something you'd worry about after you'd completed a project, if we were lucky. But the industry is maturing and security needs to be the primary concern, not something you do at the end. We're in an age of state-sponsored hackers and organised cybercrime, it's no longer sufficient to just assume that when you type your password into a website that website is being diligent in its handling of your data.

I was talking to someone the other day who was priding themselves that they'd responded to a vulnerability disclosure and were fully patched and mitigated inside of two weeks. The average breakout time for the Russian hackers - ie, the time elapsed between an initial single infection / compromise and spreading laterally across the network a la WannaCry - is under 19 minutes. Two weeks ain't good enough and companies need to realise this, yesterday.

A wrong click on a bad email used to mean that you ended up with pop-up adverts in your web browser. These days, it could potentially take out an entire company.


 
Posted : 10/09/2019 10:29 am
Posts: 77347
Free Member
 

Further reading from a few days ago:

https://singletrackmag.com/forum/topic/your-password-doesnt-matter/


 
Posted : 10/09/2019 10:35 am
Posts: 5661
Full Member
 

The average breakout time for the Russian hackers – ie, the time elapsed between an initial single infection / compromise and spreading laterally across the network a la WannaCry – is under 19 minutes.

I've seen cryptolocker attacks as they've been spreading through a file server, scary stuff.

Back up your data people!

Security is one of the areas I may go into (5.5 years on service desk - 1st/2nd/3rd line so ready to start specialising), I don't think you'd ever be out of work, not sure if that's a good thing or not Tbh. Pen testing is damn interesting too.


 
Posted : 10/09/2019 10:39 am
Posts: 77347
Free Member
 

If you don't have it already, start learning Linux.

Pen testing - proper pen testing I mean, not rocking up to an office with a copy of Kali and a network map - is both fascinating and terrifying. I've met some properly scary bastards in the last couple of years.


 
Posted : 10/09/2019 10:58 am
Posts: 77347
Free Member
 

Back up your data people!

On this,

Back up your data offline. Some cryptolocker-type stuff now targets backups before the host PC, so your backups are hosed before you even know you're infected.


 
Posted : 10/09/2019 11:03 am
Posts: 8613
Full Member
 

If you don’t have it already, start learning Linux

You really need decent programming skills as well these days to be a pen tester (it's why I didn't try and transfer to our Cyber Security division)


 
Posted : 10/09/2019 11:06 am
Posts: 0
Free Member
 

Might sound cold, but when you hear ‘Janice in accounts has had her account hacked, again’ you start hitting your head against the wall

The problem is Janice in accounts has to open 100 invoices a day and they all look different. She has no idea who the companies are, she opens them looks at the PO number and then loads them onto the system for payment. Brain is only required if there's an issue tying in the PO.

Is she really going to be able to spot the once every so often that a scam comes through? Probably more effective to isolate her somewhat.

If I receive an invoice, that's unusual and I immediately think phishing unless I'm expecting it. But I'm not the juicy target, Janice in accounts is.


 
Posted : 10/09/2019 12:52 pm
Posts: 4656
Full Member
 

The problem is Janice in accounts has to open 100 invoices a day and they all look different. She has no idea who the companies are, she opens them looks at the PO number and then loads them onto the system for payment. Brain is only required if there’s an issue tying in the PO.

Is she really going to be able to spot the once every so often that a scam comes through? Probably more effective to isolate her somewhat.

If I receive an invoice, that’s unusual and I immediately think phishing unless I’m expecting it. But I’m not the juicy target, Janice in accounts is.

I read that to be "ditzy idiot I vaguely know through work but am not friends with has had her personal bank account hacked again because she entered a photo of her debit card to see which hogwarts house she would be in"


 
Posted : 10/09/2019 1:45 pm
Posts: 10980
Free Member
 

Having witnessed some mind-boggling incompetence when I tried to transfer some money at Halifax last week, I feel very pessimistic about the state of banking in the UK. The senior staff couldn't work out a very simple calculation without needing a calculator and then they tried to transfer ten times what I wanted to send. Then they couldn't get their printer to work, etc. etc. to the point where I was squirming in embarrassment.


 
Posted : 10/09/2019 2:32 pm
Posts: 13594
Free Member
 

If it’s any consolation to those being done, companies get done too, in a similar fashion. I know of one that was taken for 9 figures…

Yep, they are very sophisticated, our Financial Controller gets emails from what looks like our CEO demanding she urgently pays a supplier who's been harassing him about late payment etc. They've researched the org structure, know who everyone is and their roles etc. Not been successful so far. As a result all incoming emails have "FROM EXTERNAL SOURCE" plastered all over them, to try to stop people using near identical email addresses etc.


 
Posted : 10/09/2019 3:45 pm
Posts: 77347
Free Member
 

... then a hacker gets a valid set of credentials from another source, shared passwords from a pastebin maybe, telnets onto the email server and sends an internal email bypassing that safety guard at a stroke. And the recipient implicitly trusts it because all external emails are labelled, right?


 
Posted : 10/09/2019 3:57 pm
Posts: 13594
Free Member
 

I'm sure there are other safeguards in place, not least the fact we never have any money and rarely pay our suppliers, so making a payment is a major decision which wouldn't occur by email. The fraudsters obviously don't know we've been running on fumes (or often less) for some time...


 
Posted : 10/09/2019 4:00 pm
Posts: 77347
Free Member
 

Oh, I don't doubt it. Point was, really, that that solution isn't as foolproof as it might first appear and could even lull users into a false sense of security. And granted, my hypothetical scenario is considerably less likely than the risk from random phishing emails.


 
Posted : 10/09/2019 5:25 pm
Posts: 1967
Free Member
Topic starter
 

Thought I'd update. It's pretty much as tallpaul explains except rather than use the letting agent's email address, for example tails@STWagents.com, they've just made a similar email address, something like tails@fraudster.com. His wife has not seen the email has changed as you often just see the name and bingo £1k lost.

He's still trying to secure the rental as he's moving next week with 2 young children, so he doesn't seem hugely upset.


 
Posted : 10/09/2019 9:52 pm
Posts: 1967
Free Member
Topic starter
 

Question for the security geeks, what can I do to protect myself in such scenarios. Always call before making payment? I'll 100% be checking email addresses as mine just shows the name and not full address.

It must be very very lucrative for those involved if they can handle the guilt.


 
Posted : 10/09/2019 9:55 pm
Posts: 5661
Full Member
 

Did the fraudsters ask for payment to be made to different bank details? They will have had access to the letting agent's emails, so would have been able to get a genuine invoice/request for payment, and then carry on the email chain from the new email, and request payment of the deposit to their own bank with the edited invoice.


 
Posted : 10/09/2019 10:19 pm
Posts: 77347
Free Member
 

Question for the security geeks, what can I do to protect myself in such scenarios.

I guess, first of all be frosty about random changes. "Oh, yeah, we suddenly need to use a different bank account because my mum's dog died last week." Right.

Secondly, you can implement 2FA without clever technology, we do this all the time. Say I need to give a trusted colleague his credentials to a system, I might Skype him the username and ring him up with the password. Or other more secure methods. Point is that this is easy to do and all the info you (or a hacker) needs isn't in the same basket.


 
Posted : 10/09/2019 11:09 pm
Posts: 1967
Free Member
Topic starter
 

Did the fraudsters ask for payment to be made to different bank details?

Oh yeah she full on sent the money to the fraudster. She thought she was paying a deposit to the landlord. I'm not sure on the current setup but I thought you'd pay the agent or the deposit scheme.


 
Posted : 11/09/2019 7:20 am
Posts: 1967
Free Member
Topic starter
 

Thanks cougar


 
Posted : 11/09/2019 7:20 am
Posts: 4170
Free Member
 

They’ve just made a similar email address … his wife has not seen the email has changed as you often just see the name

Email clients that don't show the address are a pain, although it can often be changed in the settings. Worse are those (like Outlook) that make it difficult or impossible to see the full headers. You don't have to be that techy to recognise that the email hasn't come from where it should have. It would be useful if somebody wrote an email client that would interpret the headers and just flag up oddities.


 
Posted : 11/09/2019 9:11 am
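
The header check wished for in the post above, as an added example (not code from the thread or from any mail client): it parses raw messages with Python's standard library and flags a lookalike sender domain, a known display name on a new address, a diverging Reply-To and failed authentication results. The address book, the `.example` domains, the similarity threshold and the three sample messages are constructed assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address already verified out of band.
KNOWN = {"tails lettings": "tails@stwagents.example"}

# Constructed sample messages (headers only matter here).
GENUINE = """\
From: Tails Lettings <tails@stwagents.example>
To: renter@mail.example
Subject: Viewing follow-up
Message-ID: <a1@stwagents.example>
Authentication-Results: mx.mail.example; spf=pass smtp.mailfrom=stwagents.example; dkim=pass header.d=stwagents.example; dmarc=pass header.from=stwagents.example

Thanks for coming to the viewing.
"""

LOOKALIKE = """\
From: Tails Lettings <tails@stwagenls.example>
To: renter@mail.example
Subject: Re: Viewing follow-up
In-Reply-To: <a1@stwagents.example>
Authentication-Results: mx.mail.example; spf=pass smtp.mailfrom=stwagenls.example; dkim=pass header.d=stwagenls.example; dmarc=pass header.from=stwagenls.example

Our bank details have changed.
"""

SPOOFED = """\
From: Tails Lettings <tails@stwagents.example>
Reply-To: tails@freemail.example
To: renter@mail.example
Subject: Deposit
Authentication-Results: mx.mail.example; spf=fail smtp.mailfrom=stwagents.example; dkim=none; dmarc=fail header.from=stwagents.example

Please pay today.
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def check_headers(raw, known=KNOWN, threshold=0.85):
    """Return a list of (code, detail) oddities found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, dom = addr.lower(), _domain(addr)
    known_domains = {_domain(a) for a in known.values()}
    flags = []

    if dom not in known_domains:
        # Near-identical spelling of a domain we already deal with.
        for good in sorted(known_domains):
            if difflib.SequenceMatcher(None, dom, good).ratio() >= threshold:
                flags.append(("lookalike-domain", f"{dom} resembles {good}"))
        # A reply inside an existing thread arriving from a domain never seen before.
        if msg.get("In-Reply-To") or msg.get("References"):
            flags.append(("thread-from-unknown-domain", dom))

    # The display name is all many clients show, so compare it with the address on file.
    expected = known.get(name.strip().lower())
    if expected and expected != addr:
        flags.append(("name-address-mismatch", f"{name!r} is normally {expected}, not {addr}"))

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != dom:
        flags.append(("reply-to-differs", f"replies go to {reply.lower()}"))

    # Results stamped by the receiving server; anything other than pass is worth a look.
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()):
            if result != "pass":
                flags.append((f"{mech}-{result}", "receiving server did not authenticate the sender"))
    return flags


def codes(raw):
    return [code for code, _ in check_headers(raw)]


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(label, codes(raw))
```

The lookalike message passes SPF, DKIM and DMARC for its own domain, which is why the name and domain comparisons are needed in addition to the authentication results.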
Posts: 251
Full Member
 

Question for the security geeks, what can I do to protect myself in such scenarios.

send a small payment.
telephone the party receiving it (not using the phone number read from the emailed invoice you're paying), confirm they have the money
send the rest.

I'd always go for 'actually talking to people' over a possible misplaced confidence that you've got adequate measures in place to prevent fraudulent emails etc finding their way to you. It works for non-technical people too - they don't have to worry if they can decide if bobthebuilder@ is the same as bob-the-builder@


 
Posted : 11/09/2019 9:17 am
