HELP PLEASE! Scammed out of nearly $100K

Hi everyone,

So I'd like to precede this by saying I already feel absolutely horrible. I feel like throwing up constantly just thinking about this, but thought I would put it out there to see if anyone in the OzBargain community might have had any similar experiences or any advice.

Long story short, it appears a scammer hacked either my conveyancer's or the other side's conveyancers email accounts. and from doing so, got my details as well as the details of my upcoming property settlement. They knew the amounts due in terms of stamp duty payments etc, as well as the dates these amounts were due. They created a near identical email account to my Conveyancer, who I was emailing around 5-10 times a day and so simply didn't notice anything out of the ordinary when I received the scammer's email. It popped up only with my Conveyancer's name and the email address didn't come up as 'new sender' or anything. I know that I should have checked the email address before doing anything, but I had just answered about 3 other emails from my Conveyancer and still had about 3 to go. I had 6 emails in a row from her on different matters and it didn't at all enter my mind that 1 of these 6 might not be like the others.

In short, I transferred nearly $100K at the direction of this scammer who I believed to be my Conveyancer to the account they directed in the email. I called the Conveyancer later that afternoon to discuss another matter, and mentioned to her I had transferred the stamp duty payment for this property. It was then we both realised what had happened.

I searched the BSB and realised it was a Bank X account. I called Bank Y first (my bank) to ask them to commence a scam investigation and try recover the funds immediately. They advised the funds had already reached the other account but they opened the Scam investigation immediately. I then went to Bank X and tried to have them freeze the account the funds were received into. They said the account was already closed and for some reason, they couldn't see any details in the system about who had opened or closed it (how is that possible?). That night, I attended the Police Station and filed a fraud/scam report.

I now have the Conveyancer's insurer, the Police and Bank Y/Bank X working on this case but I'm accepting the worst and not expecting to get anything back. In the off chance anyone here might have had similar experiences and have any advice, I thought I'd raise it to the OzB community. Again, please don't pile on me. I know and I feel horrible. I've barely been able to sleep and I am just hoping there may be some avenue I haven't thought of, even if its not likely to succeed.

Thanks in advance everyone

Mod: Edited for privacy

Comments

      •  

        Really some great valuable information here! Thanks.

        • +1 vote

          Glad a few people appreciate. I am a person who likes to help others, so I tend to provide as much info as I can. A lot of other people apparently don't like this on Ozbargain and they've had a go because there is an unwritten expectation that comments only extend to 2-3 lines max. It kind of discourages people with expertise and knowledge from spending their time to pass on the bits and pieces they know. I think there are only a handfull of people really who work in this area and have detailed knowledge of the BECS Rules. Really interested to hear how this whole thing plays out, once the ins and outs are truly exposed.

    •  

      In most jurisdictions, for the stamp duty to be $100k you would be purchasing a home in the vicinity of $1,800,000 to $2,000,000. Did you mean you transferred stamp duty and deposit, or did you buy a really expensive property for your first home?

      •  

        why does any of that matter?

    •  

      I would have placed one cent into this new trust account to give it some activity!

  • +6 votes

    I feel for you. You could have bought 1.32275 Bitcoin with that money.

    Seriously though, it’s a lesson to us all to never let your guard down when transferring large sums of money.

    • +2 votes

      This wouldn't have happened if OP used multisig.

      • +1 vote

        OP didnt pay with bitcoin

        • +1 vote

          They wouldn't have this problem if they did.

  • +6 votes

    Sorry to hear about your situation OP, hope it all works out for you.

    If you haven't already, make sure you change your email password to something secure and enable two-factor authentication to prevent further access.

    • +9 votes

      Thanks mate. I have already done that and I've had 2 factor authentication on for years, which is why I'm convinced it wasn't hacking of my account. Any time I sign into a new device, it triggers an alert on my main phone asking me if I just signed in and I then need to press yes or no to allow the sign in. Praying Insurance Comp A does find the hacking came on one of the conveyancer's servers

      •  

        Good man - you're keeping on top of it and that's all you can do right now. Best of luck.

      • +2 votes

        The email address is definitely the conveyencer's? You should get someone here that's knowledgeable about such things to tell you how to see the email headers and have a look at them for you to see if it was spoofed or actually came from the conveyencer's email account. Might make you feel better if you know the hacker came from the conveyencer's side as then their insurance is more likely to cover you

      • +2 votes

        I don't know if this is relevant.

        With the recent Shopback hack, my Outlook account has been repeatedly attacked and was twice successfully sync'ed (I don't know what this means because I then got a notification from Microsoft saying my account has been suspended so did it go through or not?) via IMAP into the hackers' desktop mail client.

        2 Factor Authentication was effectively bypassed because of this.

        If for example your email was managed to get sync'ed, it would be logical to think the hacker would have access to your prior email about buying property and that might explain why the hacker knows the amount due by heart. Conveyancer's email could have been spoofed and so on.

        I am hoping this is not the case but nevertheless, possible.

        Really must be prepared to force your case against the banks if insurance didn't go through.

        I really hope you will get your money back.

        • -1 vote

          2 Factor Authentication was effectively bypassed because of this.

          Please explain how this is possible. Are you saying M$ sucks at implementing MFA/2FA?

          • +2 votes

            @DoctorCalculon: Ms allows creation of an application password which is different to your normal username and password. The main purpose of this is.. guess what? To bypass 2fa for mail clients which need direct login to your mail account.

            •  

              @wyrmy: yep, sadly many apps and older protocols simply do not or cannot support MFA and therefore there needs to be some sidechannels around it, but these must be created using your MFA'ed account.

        • +1 vote

          It's from an app password. You need to generate a new one.

    • +2 votes

      With respect I don’t think you understand what happened.

  • +5 votes

    My first PayID hold 24 hours even if I do about $500 and here bank did everything in the matter of hours. 😞

    • +1 vote

      I think CBA has a standard policy of 24hrs hold whilst doing a first transfer to any third party account. If the transaction was done via netbank you are able to call the bank and stop the transaction within a few hours due to the hold they put. I feel bad for you OP. 100k is a lot of money, I would have had a heart attack tbh!

  • +4 votes

    When I bought my properties, everything is down with bank cheque from the bank, I have never need to transfer more than 10K by direct transfer.

    Even with cash purchase, all are made by cheque

    • -1 vote

      Me too

    • +1 vote

      Yes, only 3 years ago I refinanced a property and was pissed that I actually had to get bank cheques and deliver them to the CBD myself ( there was no mortgage/bank involved to exchange documents) rather than do an online transfer. But after reading this very happy.

      • +1 vote

        Bank cheque cost $10 but you got to personally deliver for the safest option, if we are talking about $100k here, I will say it is the best option.

        After seeing what happen to OP's, I think I will stick with bank cheque for life unless thing change in the future.

  • +28 votes

    Last time I transferred $100k the bank called me for an explanation within an hour, pretty shameful from NAB

    • +7 votes

      Agree, I wonder if the bank also has some responsibility by law to do security checks on large transactions. A quick phone call confirming the name of recipient on this occasion probably would have been enough

    • +3 votes

      Why the hell would NAB call a CBA customer to ask - Hi OP, I know you are a CBA customer and we worked hard to find out your name and phone number but did you really mean to transfer $100k to one of our customer's accounts?

    • +1 vote

      Well OP is lucky that didn't happen otherwise the bank could then claim "well.. we called you and you reassured us the transfer was legit as you said it is going to your conveyancer".

    •  

      I think you mean CBA?

    • +1 vote

      That is very unusual. I transfer large sums and have never been called. Although Citi is harassing me regularly to do KYC checks. Which are PITA.

  •  

    Yes I have heard of this happening a lot in Europe.

    It almost happened to me when I was importing from China. I was about to make a payment to my supplier for $30k, ready to press send and decided to call the supplier in China as I thought it was strange the account number had changed!

    So her emails got compromised, she should certainly involve someone to secure everything before it happens to another one of her clients!

      • +4 votes

        Organised crime exists in Australia too, and this happened on Australia lol

  • +5 votes

    None of the banks will tell you the identity of the account owner…
    From now it's in their hands and still follow standard fraud and AML procedures.

    Unfortunately, whilst $100k is a lot to you, for the banks and case managers, this would not be a high priority. The amount is quite small transaction wise.

    From NABs side, standard AML controls would have kicked in and it is unlikely that the full amount could have been withdrawn on the same day.

    Talk to your bank and ask for a case manager to be assigned and get them to email you. CBA is actually really good when it comes to having an Australian managing cases and they'll understand from a personal view to get it moving.

    • +12 votes

      Unfortunately, whilst $100k is a lot to you, for the banks and case managers, this would not be a high priority. The amount is quite small transaction wise.

      This is absolute codswallop.

      Source: Work in Fraud and Scam prevention.

      • +2 votes

        It’s great to hear someone who works in fraud and scam prevention call out BS as they see it.

        But I’m also intrigued that someone who has worked in the area contribute nothing else, so far, in this thread.

  • +3 votes

    For someone who is just about to settle on a property in the next few weeks, this is a terrifying read :(

    • +1 vote

      but could save you lots of money!

    • +8 votes

      The old fashioned way of bank cheques driven over in thr car and given a receipt is quite good. Unless you are scammed and drive to a fake office…

    •  

      did you read about the water damage to an apartment too?

      •  

        I did, a good building inspection is one of my highest priorities as well because we are building.

    • +5 votes

      Nah super easy. A number of conveyancy offices have next to zero IT security now - eg just use Google Gsuite or O365 without 2fa - or just plain old hacked on prem email. The hackers phish the email accounts and just monitor the email and lie in wait for a nice whale to come in (a few hundred k transaction ) and go for it.

      •  

        That's it!

        That would have been the reason why they want to IMAP sync your hacked email to their mail client so they can monitor the email and pounce at the right time.

        Oh Lord!

  • +11 votes

    OP I’m so so sorry.

    These scammers are so evil and it can happen to any of us. I worked in tech, had been trained to watch out for these scams and almost got done myself. Was so close to transferring the money. When you are in a rush, stressed, super busy etc…. that’s when they get you. I couldn’t believe I’d almost fallen for it despite being the last person who should have. Don’t beat yourself up, put the energy towards fighting NAB who should never have closed that account without questions. It shouldn’t have even got through their money laundering rules. All transactions over a certain about are meant to get checked and I’m pretty sure the threshold is less than $100k.

  • +13 votes

    How did they transfer 100k out and close the account so quick. I can’t even transfer $100 without some pain and you have to call the bank and wait on the phone for 4 hours to close an account or you go into the branch to do it in person - let alone opening an account. Your scammer managed to navigate all this in a day.

  • +4 votes

    Unfortunate story, hope you get it resolved.

    Thanks to your post, I'm going to take my business away from NAB, and migrate to someone else who doesn't claim they 'know nothing' about the accounts and information they should have on people.

  • +7 votes

    As someone who is currently building a home, i feel so, so sorry for you OP. The amount of time it takes to save a deposit, the sacrifices, the anxiety of going through a home buying process, only for this to happen, its disgusting to be honest.

    I think you should also try to talk to someone about whats happening, just to help you cope. I know i would go to a really dark place if this happened to me. I lose my shit when it comes to getting ripped off for a small amount of money and $100k is no laughing amount.

    This scam might be a common practice tho, as i specifically got an email from my solicitor early on saying before i transfer any money, to call her directly and confirm the bank details and if any transaction was actually requested.

    Also, keep calling the bank/police/whoever every single day. They wont rush to solve the case on your behalf, you need to keep on top of them.

    Good luck man, really hoping you get that money back.

  • +1 vote

    From now on have every message sign with digital certificate. Only the real person will have the private key to sign the message and the public key will be used to verify the sender signature.

    • +2 votes

      Or just call them first. It's what I do. I was only transferring 20k to a contractor and I called them and went through the amount and confirmed their account details that were on the invoice before I transferred any money.

    • +5 votes

      Unfortunately, I have a hard time seeing PGP encryption become used everyday by normal people for communication. Email providers/clients would need to make it mandatory before the average user even wants to think about it. Convenience always wins out over security.

      • +2 votes

        Plus many people would just keep the private key on their computer and if your computer is hacked then the signature means nothing

  • +5 votes

    If the scammer wants to transfer the final settlement fee to another westpac account are you able to alert police and set a trap?

    I hope police pick up and do something. This is crap.

    •  

      yeah get the cops to transfer the amount to them and trace the the bank acccount and then pounce on them!

  •  

    Sorry to hear about your circumstances. Hope they catch the culprit and you get your money back. What about the sale? You don't mention that at all in your post

  •  

    Can’t really add much as I don’t know anything about this sort of scam but I really hope you get your cash back OP. That’s just absolutely disgusting. If you peruse reddit the r/Ausfinance subreddit might be able to give you decent advice.

  • +3 votes

    Damn. I'd feel terrible too. That's a lot of money. Best to remind yourself it'll set you back a few years but in the long long long term your house will have increased by more than $100k. Try to think of it as paying a premium.

    I'm probably more concerned about your mental health than the money. If it keeps playing on your mind, you should go and see a GP, get a referral to see a therapist.

    • +4 votes

      Does that assume OP can still buy the house?

      •  

        Yeah good point. Hopefully they can still navigate a way through if they're still interested in buying.

    • +3 votes

      Thanks mate. Its a good way to think of it and thats essentially what I've been trying to say to myself. You're right though that its probably just as much the mental health side of things as the money. I juts can't get it out of my mind and keep waking up thinking its just a nightmare. Sadly, its all too real

      • +1 vote

        If you have your proofs up. Start a GoFundMe and put your evidence there. I’m sure there are kind people out there who collectively be able to help you out. I also hope that NAB does not get away with this and get punished hard.

  • +4 votes

    Sorry to hear OP

    In short, I transferred nearly $100K at the direction of this scammer who I believed to be my Conveyancer to the account they directed in the email. I called the Conveyancer later that afternoon to discuss another matter, and mentioned to her I had transferred the stamp duty payment for this property.

    is the stamp duty on your first home nearly $100k 😱 Is your first home over $2m?

    •  

      Probably the 20% deposit = 500k?

    •  

      In Sydney an average 2 bedroom home now costs $1.3 million.

      Thats just sh#t box on average street in an average suburb. So $2mill while shocking is quite possible.

      And to OP hope they find the duckhead who got your money and they get jail time and you get your money back.

  •  

    I hope you do get your funds back. May just take awhile, which I also assume has now stuffed your settlement. These scammers are scum. I recently had my credit card hacked and picked it up quickly as my card didn't work at an efpos. Checked and account had max'd out the limit. Sone little shit was holidaying in the South of Italy at some resort. Bank told me the investigation would take 28days. Card replaced. My case was a bit different as it wasn't my money lost. I didn't need to pay it as they have since cancelled the debit. The bank mind you still never called or emailed me though about it being closed out.

    • +7 votes

      The name literally does nothing. You can type anything in, go try it.

      •  

        Correct. Likewise, for credit card payments.

        At least with PayID transfers, the name is looked up automatically before you confirm.

    • +5 votes

      You can put incorrect name on account and the transfer still goes through.

  •  

    OP - firstly I want to say how sorry I am that this happened to you. Sadly the world is full of asshats.

    I know of someone who had $20k transferred out of their CBA account by a scammer by changing the Optus password and phone number to approve the transfer. Presumably the bank account details were hacked somehow??

    CBA were brilliant to deal with and the money was refunded to them. This only happened a few weeks ago. Once the bank received information from Optus to confirm the account details had been changed, it seemed to expedite the outcome. Maybe your conveyancers could provide written advice of their version of events to the bank.

    I wouldn’t be surprised if your conveyancers email was hacked. Hopefully they have someone looking into that?

    •  

      i think cba does not allow changing of mobile unless you visit a branch.

      •  

        naa have done it over the phone not long ago

  • +1 vote

    Sounds to me that NAB did the wrong thing and this might be an expensive mistake for them.

  • +7 votes

    OUCH - OMG.
    Someone tried this on at my work for a six figure transfer but we stopped it quick enough at the bank.

    It was a hacked email account. They can do simple things if they get into someone's account like setup a rule just to forward copies of emails to them and then delete that from sent box. The rule sits there forever sending copies of all emails to a duplicate mailbox even if you change passwords. They monitor it for keywords such as property settlements then intercept and send a copy of the email with changed details. If they still have access they can delete the legit email too.

    Then they tried it again. It was easier for me to identify as I had received the real details then got a separate email saying the account details had been changed which sparked my interest. Reported it to the police. Our IT department implemented two factor authentication and audited all access logs to the accounts.

    I think the NAB should have better records and maybe try on them for at least partial liability.

  • +4 votes

    I feel for you OP. I think I would have had multiple panic attacks and hospitalized if I were in your place. I made a similar transfer amount recently to my conveyancer, I would have been destroyed if this happened to me.

    Stay strong. From the sound of it, you seem to have a good enough case to get your money back from NAB.

  •  

    Feel for you. Hope you manage to get insurance to pay

    • +1 vote

      NAB should pay this for being incompetent and not doing their job.

  • +7 votes

    Condolences for you OP. I almost got done in last year when I was about to settle our home. My solicitor was already aware that he was hacked and told us from the beginning that we needed to settle directly through our own account and not use his trust account. This basically required me to give an authority to the bank to deduct any settlement amounts directly for the account. He also said that he would never email me for any monies and that in the rare chance that he emails, it will be followed by a phone call.

    Since his O365 tenancy was already hacked and he couldn't workout how or why, out of the blue, one day close to settlement I got a request from his email address that I needed to transfer $XX,XXX amount of monies to an account for stamp duty and to allow him to complete the PEXA process. I was kind of shocked because it was out of no where so I called him and found out that it was some a$$h0le trying to take me for a ride. I worked with the solicitor, played along to get the banking details and then reported those details to the police.

    Regarding the earlier 5% amount to the real-estate agent, I physically visited their office to get the account details and then transferred the monies. The bank also kept the money on hold for like 3 days before transferring since it was a new payee added to my bank address book.

    • +4 votes

      I physically visited their office to get the account details and then transferred the monies.

      I reckon this is the way to reduce risk of fraud, whether email accounts has been compromised or not…

    • +1 vote

      I worked with the solicitor, played along to get the banking details and then reported those details to the police.

      What happened after that?

      •  

        The solicitor passed on the details (along with the email trail attempting to defraud us) to the police and the bank's cyber security team.

        •  

          what happened then?

  •  

    Really sorry to hear what happened OP. Looks like you've done the right things by alerting both banks, the conveyancer, and police. Highly recommend you get yourself legal advice. The concern would be if your email were hacked. In that case, it's doubtful that the conveyancer's insurer will entertain a claim. That would be, to me, the worst case scenario. I'd also pursue the situation at NAB. They have a responsibility to perform KYC (know your customer). They should be able to trace the scammer, unless it's a very sophisticated scam with fake ID being used. If that's the case, then I'd expect the AFP could be asked to step in.

  • +1 vote

    Totally feel for you OP. To think how long it takes to save that much and to lose it just like that…

    It reminds me of one of the annoying features of mobile email apps I have used. They tend to hide the email address and you normally need to press on the name of the sender for the address to be displayed.

  •  

    This is so shit, I hope you get your money back OP. Please keep us posted.

  •  

    Really sorry to hear that OP, try a "go fund me" thing to get more help?

  •  

    I hope you get your money back OP and try to keep positive thoughts.

    I really don't know how people who do these types of things can sleep at night honestly its sickening.

  • +2 votes

    I lost $550 once in a scam. Trusting people I thought I could. I cant imagine how I would feel losing the amount you did.

    I wish you all the best and take care of yourself.

  • +2 votes

    So sorry this has happened to you, this is quite a sophisticated scam that has been around lately and I've seen it targeted at companies mainly, duping accounts into paying large invoices into the wrong account using the same method. Now they're onto conveyancers as well due to the large amounts.
    Something similar happened here: https://www.9news.com.au/national/masterchef-contestant-dani...
    Unfortunately that required publicity and was the fault of the conveyancer not the customer, but I really hope you can get it back. Definitely shame NAB widely and publicly for being a party to fraud!!

  • +1 vote

    Sorry to hear this happened to OP, really wish you can get your money back.

    Shouldn't the correct settlement procedure be:

    You first pay 10% deposit to Real Estate Agent's trust account.

    If you need mortgage, you would be setup an account under your name by the bank offer the mortgage, or use an existing transactional account under your name in the same bank, and you deposit/transfer whatever the shortfall amount that your lawyer/conveyancer calculate for you to that account. On settlement day, bank will withdraw the agreed loan amount from their loan book and the balance from this account, wire through the PEXA to complete
    the settlement, the stamp duty is included in that sum of money.

    If that's the correct procedure, fellow OzBargainers, please be extra vigilent if you get an instruction to transfer large sum of money to an account not under your name during the settlement process.

    Hope this can help other OzBargainers.

  •  

    I'm sorry to hear about the trauma you are going through right now. I hope you get back your money soon. I have a question here: for the fake email you received, what does the end of the email address look like? eg: @gmail.com? @companyname.com?