HELP PLEASE! Scammed out of nearly $100K

Hi everyone,

So I'd like to precede this by saying I already feel absolutely horrible. I feel like throwing up constantly just thinking about this, but thought I would put it out there to see if anyone in the OzBargain community might have had any similar experiences or any advice.

Long story short, it appears a scammer hacked either my conveyancer's or the other side's conveyancer's email accounts, and from doing so, got my details as well as the details of my upcoming property settlement. They knew the amounts due in terms of stamp duty payments etc, as well as the dates these amounts were due. They created a near identical email account to my Conveyancer, who I was emailing around 5-10 times a day and so simply didn't notice anything out of the ordinary when I received the scammer's email. It popped up only with my Conveyancer's name and the email address didn't come up as 'new sender' or anything. I know that I should have checked the email address before doing anything, but I had just answered about 3 other emails from my Conveyancer and still had about 3 to go. I had 6 emails in a row from her on different matters and it didn't at all enter my mind that 1 of these 6 might not be like the others.

In short, I transferred nearly $100K at the direction of this scammer who I believed to be my Conveyancer to the account they directed in the email. I called the Conveyancer later that afternoon to discuss another matter, and mentioned to her I had transferred the stamp duty payment for this property. It was then we both realised what had happened.

I searched the BSB and realised it was a Bank X account. I called Bank Y first (my bank) to ask them to commence a scam investigation and try recover the funds immediately. They advised the funds had already reached the other account but they opened the Scam investigation immediately. I then went to Bank X and tried to have them freeze the account the funds were received into. They said the account was already closed and for some reason, they couldn't see any details in the system about who had opened or closed it (how is that possible?). That night, I attended the Police Station and filed a fraud/scam report.

I now have the Conveyancer's insurer, the Police and Bank Y/Bank X working on this case but I'm accepting the worst and not expecting to get anything back. In the off chance anyone here might have had similar experiences and have any advice, I thought I'd raise it to the OzB community. Again, please don't pile on me. I know and I feel horrible. I've barely been able to sleep and I am just hoping there may be some avenue I haven't thought of, even if it's not likely to succeed.

Thanks in advance everyone

Mod: Edited for privacy

Comments

      •  

        My advice was to call before making large payments

        CBA has a better online banking interface, customer service, less waiting times at the bank branch.

        NAB has none of those, in fact their app has to be one of the most insecure banking apps I've ever seen.

  •  

    We've been subject to a similar scam at work.

    Supplier's email was compromised and the scammer posed as them and said they had changed bank accounts and for us to transfer the outstanding payments (USD 500k) to the new account. We thought it was suss because normally companies don't change accounts. So we called them and they had no idea about the email.

  • +1 vote

    I have no help/advice to give, but my heart really breaks for you. I hope you get your money back. :(

  • +4 votes

    One issue we have with EFT transfer in Australia is correct account name is not technically needed for a transfer. You can enter any account name, as long as BSB and account number match, it goes through. In some countries, name and account number have to match for the transfer to go through.

  • -1 vote

    Just wanted to add a general comment in relation to banks and scams, from a recent experience.

    I was scammed (only couple hundred dollars) by clicking on a facebook ad which directed me to a vendor website in which I purchased (thought I was) an item.

    It didn't take long to realise I had been scammed when I received no confirmation emails and found there was no way to contact the vendor. A quick search in google quickly uncovered many others having been duped by the same site.

    I rang my bank and lodged a dispute, but what surprised me was how uninterested they were in shutting the scam down. They didn't want any details and didn't care. Their only advice was to wait a few weeks just in case the item would arrive (I knew it wouldn't). So I followed their instructions, contacted them again a few weeks later, in which the bank then covered my loss.

    But in those few weeks, hundreds, if not thousands, more of their customers would have also been scammed. Are they going to cover all the losses? It seems like a stupid business decision to not try and stop the scam at the source.

    Sorry for your loss OP, hope it works out, but I like some others on here, I feel the banks need to be more responsible in stopping the scammers, and with their overall inaction (at least in my experience), they should be at least partly liable for your losses like yours (as well as facebook for allowing fraudulent ads). These are billion dollar organisations, they have a larger social responsibility.

    • +1 vote

      I was scammed (only couple hundred dollars) by clicking on a facebook ad

      Blame facebook accepting ads from non legit businesses

      I rang my bank and lodged a dispute, but what surprised me was how uninterested they were in shutting the scam down.

      You need to report to the police. Victim needs to pursue charges. Bank can't take the stand on your behalf unless you sign over the rights.

      • -1 vote

        Following your advice would only result in a waste of my time.

        • +1 vote

          It is only because you wasted your time clicking on ads that waste your time on Facebook.

          •  

            @netjock:

            It is only because you wasted your time clicking on ads that waste your time on Facebook.

            Then the guy has the audacity to claim that his bank should investigate the Facebook ad / business rather than law enforcement or the appropriate agency in this case being ACSC (formerly ACORN).

            Just because he got his money back via CC charge back, it is now a waste of time to report the business to ACSC?!?

            Epic FAIL! 🤦🏻

            • +1 vote

              @DoctorCalculon: LOL people don't like to self report themselves for wasting time.

              Even if they got their money back via charge back still a waste of time having to call, wait, explain, fill out forms. But I guess these people would argue the potential pay back if the deal was true would make it worthwhile (problem is 80% of the time it is a scam not a misprice from a reputable seller)

    • -1 vote

      I rang my bank and lodged a dispute, but what surprised me was how uninterested they were in shutting the scam down.

      Do you expect a bank to pursue a fraudulent vendor / scam ad on Facebook?

      Perhaps, you should have tried reporting the incident here: https://www.cyber.gov.au/acsc/report

  • +1 vote

    Sorry to hear that OP.
    I feel bad for you and felt even worse that you somehow felt you need to ask for people not to pile on you as if this is somehow your fault for being scammed in a way that even the most tech savvy amongst us might have fallen prey to. OZB community, please be kind to OP, as you should be in any situation, whether it's online or not.

    OP, you are by no means at all at fault nor should you blame yourself for being in this situation.

    Now that that's settled, I can only pray for you and send you a big hug. I suggest that you do not let up on NAB nor CBA nor your conveyancer in getting your money back. As some of the other helpful responses have mentioned, there are government entities that would be able to assist you in getting your money back. I am a little tech savvy myself so am happy to help you look at your email headers (from the scammer) and compare it with your email headers (from the real conveyancer) to find and see if there's anything that may help you in your case.

    Good luck and godspeed.
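The header comparison offered in the comment above can be sketched as follows. This is an added example, not part of the thread; the names, addresses and `.example` domains are constructed, and the two-edit threshold for a "lookalike" domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not taken from the thread).
TRUSTED = """\
From: Jane Citizen <jane@smithconveyancing.example>
Return-Path: <jane@smithconveyancing.example>
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=smithconveyancing.example; dkim=pass header.d=smithconveyancing.example; dmarc=pass header.from=smithconveyancing.example
Subject: Settlement documents

body
"""

# Lookalike domain ("l" swapped for "i"). The sender controls this domain,
# so SPF, DKIM and DMARC all pass for it.
LOOKALIKE = """\
From: Jane Citizen <jane@smithconveyanclng.example>
Return-Path: <jane@smithconveyanclng.example>
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=smithconveyanclng.example; dkim=pass header.d=smithconveyanclng.example; dmarc=pass header.from=smithconveyanclng.example
Subject: Stamp duty payment

body
"""

# Forged From header using the real domain: authentication fails and
# replies are steered to a different mailbox.
SPOOFED = """\
From: Jane Citizen <jane@smithconveyancing.example>
Reply-To: jane.citizen@freemail.example
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=smithconveyancing.example
Subject: Stamp duty payment

body
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-identical domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'none'} from Authentication-Results."""
    value = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value.lower()))


def compare(trusted_raw, suspect_raw):
    """List the ways a suspect message differs from a known-good one."""
    good = message_from_string(trusted_raw)
    bad = message_from_string(suspect_raw)
    good_name, good_addr = parseaddr(good["From"])
    bad_name, bad_addr = parseaddr(bad["From"])
    good_dom, bad_dom = domain_of(good["From"]), domain_of(bad["From"])
    findings = []

    # The mail client shows only the display name, so check the address too.
    if bad_name == good_name and bad_addr.lower() != good_addr.lower():
        findings.append("same-display-name-different-address")
    # Assumption: a domain within two edits of the real one is a lookalike.
    if bad_dom != good_dom and edit_distance(bad_dom, good_dom) <= 2:
        findings.append("lookalike-domain")
    # Replies or bounces going somewhere other than the From domain.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(bad[header])
        if dom and dom != bad_dom:
            findings.append(f"{header.lower()}-domain-mismatch")
    # Any authentication mechanism that did not pass.
    for mech, result in sorted(auth_results(bad).items()):
        if result != "pass":
            findings.append(f"{mech}-{result}")
    return findings


if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(label, compare(TRUSTED, raw))
```

The lookalike sample passes every authentication check, so only the comparison against a known-good address catches it.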

  •  

    You have my sympathy OP.

    Not looking forward to the days when cash disappears.

    Whilst clearly this TX couldn't have been practically done with cash, it certainly brings into question the systems banks have in place…..and come the day when we all have our unmentionables firmly and exclusively in the banks grip….well, I'm more than a little concerned.

  •  

    God damn OP, you've already taken all the steps I would have done, so I have nothing of use to add, I just hope the outcome is a positive one for you. Best of luck

  •  

    Felt sick and sorry to read through all that. Unfortunately have nothing concrete to offer except wishing the best of luck towards your way - hope you'll get all your money back !

  • +6 votes

    this is all shopback's fault.

  •  

    How did a large sum of money that you transferred that day get to the other bank, and get out of the other bank all within one business day? I thought clearances were normally overnight - and some banks had agreements between each other to do intra-day clearing?

  • +1 vote

    that's a lot. I will be more cautious from now. Hope you will get urs back soon.

  • +9 votes

    I've purchased 3 properties in my life and every time I've hand delivered a check to my solicitor in person made out to his law firm and no one else :)
    Well worth the $15 bank check fee and piece of mind… EFT was available all 3 times but no way would i ever risk it. I've been an IT Admin for the past 20 years.

    CBA have a policy to hold funds for 24 hours when sending money to "new accounts added"… $100,000 dollars and it went through right away… that sounds suss.
    Last time I paid a non CBA account it was pending for 24 hours. After that account was added to my net bank it now only takes 12 hours unless I use payID and even then payID is also flagged and held for 24 hours now for new accounts if the sum is over $100 :)

    Good luck with the bank fraud claim. Fingers crossed it all works out.

    ALL - This whole post sounds a little like a scam in itself…

    The information is a little unrealistic with current CBA transfer pending policies on new accounts.
    The OP mentions that they were transferring money for stamp duty! ?? $100k is stamp duty for a $2.1 million dollar house. (NSW)
    https://www.realestate.com.au/home-loans/stamp-duty-calculat...

    So the OP is rich? … $100k stamp duty + $210k for 10% deposit with $91k for mortgage insurance or $100k stamp duty + $420k for 20% deposit without mortgage insurance

    •  

      is your theory that rich people can't be scammed?

    • +4 votes

      Well worth the $15 bank check fee and piece of mind…

      Which piece is that?

      Cerebral cortex, Cerebellum, Hypothalamus, Thalamus, Pituitary gland, Pineal gland, Amygdala, Hippocampus etc….?

  •  

    Good luck with getting your funds back - hopefully it will work out in the end. Fingers crossed!

    I echo comments made earlier - NAB should be doing KYCs and reporting any suspicious transaction to AUSTRAC. Failure to do so is a breach in AML obligations and can land the bank in serious trouble - so definitely report this!

    Did Westpac ever get back to you when these scumbag hackers tried to get you to wire money into another acc?

  •  

    Best of luck in resolving this
    Question - is the conveyancer email a generic one e.g. gmail, hotmail etc
    If not how did they create a 'similar' email that fooled you?
    If you can prove some error or scam perpetrated on the conveyancer e.g. their email or PC hacked this will aid in claiming on their insurance
    Might not work if they use Gmail etc and they just copied it
    If so I would expect better from the Conveyancer - no professional should be using generic

    • +3 votes

      You can spoof your "sent from" email to be literally anything.

  • +40 votes

    So an interesting development in the last hour for anyone interested.

    At about 2pm today, I called my conveyancer's paralegal as my Conveyancer is OOO today and asked her to clarify my final settlement figures so I could get the funds in order etc for Monday. She said she'd start preparing the settlement sheet right away. At approx 3pm, I receive an email from the scammer with a settlement sheet and asking me to transfer the balance of cash required on top of the loan to the Bank Z account they'd provided previously.

    I sent this settlement sheet on to my conveyancer & her paralegal and within 10 mins, the Paralegal calls me saying that was the exact sheet she had sent on to the other side's conveyancers only about half an hour before. So to me, this would seem to indicate the hackers are in the other side's system right? Because my Conveyancer, her Paralegal and I have all been emailing back and forth about the scam and had they been monitoring one of our 3 accounts or in my conveyancer firm's server, they'd know we're on to them. Yet half an hour after my Conveyancer's Paralegal sends the settlement sheet to the other side to request they agree the figures before sending to me, the scammer has clearly intercepted it and emailed it to me directly. I had never seen this settlement sheet until the scammer sent it to me and when my conveyancer's paralegal called me, she confirmed it was the exact same sheet she had emailed a few mins before to the other side.

    Crazy stuff! Hoping this means that Insurance Comp A can make the clear inference that it's either Conveyancing Firm that have been breached from this.

    • +16 votes

      That is good news. Make sure you make a diary note or something of your conversation with the Paralegal, or even better confirm the convo over email. That way you have a record of it when you make the claim with the Conveyancer's insurers and can point the blame at their systems.

      • +16 votes

        Yep sounds pretty clear cut to me the conveyancer's IT systems have been compromised. Keep careful details recorded of times, date and content of conversations.

        There is a legitimate argument that if there was not a failure in their IT security systems leading to a data breach then the scam would not be possible, hence liability exists.

        • +6 votes

          Yes either your conveyancer or the seller conveyancer's email system is compromised and used on multiple occasions to intercept confidential documents.
          You now have a great case for your conveyancer insurance.
          As someone said.. Start writing down the time and exact conversations.

          I am surprised that the conveyancers aren't checking their systems like crazy looking for unauthorised access to their mail systems.

          • +3 votes

            @Roary: I agree, they should be in damage control mode by now, trying to work out where/how their systems were breached and how to get them secure again. They can't be in business with a compromised system especially when there's this level of money being transferred around.

    • +5 votes

      I just read through this horror of a story… I'm so sorry this happened to you! The anxiety would have killed me. I'm dry retching when it comes to some exams let alone losing 100k to a low-life scammer.

      That does look very promising regarding that email you received. It's quite clear (and it makes sense) that the conveyancer's O365 tenancy is compromised and someone is looking at the whole thing going on. The only problem is, it looks like they're getting a bit cocky and it will be their downfall…Maybe you can keep them going as long as possible…would be great if AFP could jump on this while it's alive and kicking.

    • +1 vote

      Good news.

      Can you share with me your own email system? A friend of mine was compromised recently (office365) and the scammer had inserted a hidden rule to forward on all his emails. Here is a guide that's excellent if this is what you or they use:- https://docs.microsoft.com/en-us/microsoft-365/security/offi...

      You will find a similar guide for all other systems online.

      The other thing is they could run exchange… this was a few days ago:- https://www.zdnet.com/article/everything-you-need-to-know-ab...

    •  

      Assumedly they would have changed their passwords.

      There must be a forwarding rule!! Probably on the web client. Get them to find it and screenshot the email address it's going to.

    • +1 vote

      I hope you have informed this to cops. This is what cops need if they decide to get on to your case

    •  

      That's exactly what I said yesterday. And you need to tell them that it is going to be the same for all of their clients!

    •  

      I wonder if it has anything to do with the Microsoft Exchange hacking tools floating about. Perfect use for them.

    •  

      This is nuts. If they're doing it to you then they're doing it to others too. Surely the police can get involved now…

    •  

      great chance to work with the police to catch the scammer! just play along and stall them as long as you can. don't pay a cent more.

    • +2 votes

      My advice OP.

      I successfully dealt with a scam that involved 10k stolen, but was similar to your case.

      Don't give up on anything right now. The trail is still fresh, work as fast as you can to make sure you're pushing everyone involved to get your outcome.

      The more time elapses, the less likely you are to get a resolution.

      Best of luck.

    • +1 vote

      This is good news and hopefully you can tread carefully.

      Depending on where their email is hosted, it would be possible to see what IP addresses were logged in to their email server and browsing emails (including fraudulent parties).

      If they reset their email passwords, most likely this would lock the hacker out and you'd no longer receive the emails. But it may be best to not lock them out too soon depending on your strategy.

      the scammer with a settlement sheet and asking me to transfer the balance of cash required

      Imagine if it happened twice and you sent a second round of money lol. The entity you are dealing with that has a hacked email account and STILL hasn't locked them out despite potentially being responsible for a customer's loss of $100k is INCOMPETENCE.

    • +1 vote

      Highly possible one of the conveyancers has been hacked. If you were a hacker would you go after one customer, or a conveyancing company with lots of customers that could be scammed. Also check out this news article for another victim in the news today….
      https://www.abc.net.au/news/2021-03-17/aged-care-resident-sc...

    • +1 vote

      loan to the Westpac account they'd provided previously

      Any closer to getting the money back? Just curious, was it to a NAB or Westpac account that you sent the money to previously?

    • +1 vote

      The scammer had provided Westpac account previously?…. I thought they provided an NAB account previously… which you paid in to (after adding that account as a new payee) ?

    •  

      Hello, I work in IT and I have worked with a company that had this exact thing happen.

      Are they using Office365? If they are, they should immediately enable Microsoft 2fa on all their accounts as well as change their passwords.

      However, this may not be all, in some cases hackers will use a redirect rule to redirect directly to them - but this does not show up in new version of Outlook.

      They need to logon to https://outlook.office365.com/mail/login.html and then go to the rules area and delete any rules that are in there.

      If they are using exchange they need to go to their OWA portal.

      If they are using exchange chances are they are breached by the latest exchange hack and need to update and patch immediately https://cyber.dhs.gov/ed/21-02/.
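The forwarding and redirect rules raised in this comment and in the two earlier replies can be reviewed in bulk once a mailbox's rules are exported. The sketch below is an added example, not code from the thread: it assumes the rules are in the JSON shape Microsoft Graph returns for a mailbox's inbox `messageRules`, and the sample rules, domains and keyword list are constructed.

```python
import json

# Assumption: the firm's own mail domain(s); anything else counts as external.
INTERNAL_DOMAINS = {"smithconveyancing.example"}
# Assumption: words a payment-fraud rule is likely to filter on.
KEYWORDS = ("payment", "invoice", "settlement", "bank", "transfer")
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Constructed sample shaped like the "value" array of a messageRules listing.
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["news@"]},
   "actions": {"moveToFolder": "constructed-folder-id", "markAsRead": true}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"bodyOrSubjectContains": ["settlement", "invoice", "bank details"]},
   "actions": {"forwardTo": [{"emailAddress": {"name": "x",
                               "address": "collector@freemail.example"}}],
               "markAsRead": true, "delete": true}},
  {"displayName": "Copy to paralegal", "isEnabled": true,
   "conditions": {"subjectContains": ["settlement"]},
   "actions": {"forwardTo": [{"emailAddress": {"name": "Paralegal",
                               "address": "paralegal@smithconveyancing.example"}}]}}
]
""")


def audit_rule(rule, internal_domains):
    """Return the reasons one inbox rule deserves a closer look."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons = []

    # Copies of mail leaving the organisation.
    for action in FORWARD_ACTIONS:
        for recipient in actions.get(action) or []:
            address = recipient["emailAddress"]["address"].lower()
            if address.rpartition("@")[2] not in internal_domains:
                reasons.append(f"{action}-external:{address}")

    # Actions that keep the mailbox owner from noticing the original message.
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes-matching-mail")
    if actions.get("markAsRead"):
        reasons.append("marks-as-read")

    # String conditions that single out payment-related mail.
    watched = [
        text.lower()
        for values in conditions.values() if isinstance(values, list)
        for text in values if isinstance(text, str)
    ]
    hits = sorted({k for k in KEYWORDS for text in watched if k in text})
    if hits:
        reasons.append("targets-keywords:" + ",".join(hits))
    return reasons


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Map rule name -> reasons, for rules that send mail outside the firm."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule, internal_domains)
        if any("-external:" in reason for reason in reasons):
            report[rule.get("displayName", "")] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES).items():
        print(repr(name), reasons)
```

Only rules present in the export are checked, so a clean result does not rule out other forwarding set on the mailbox or the server.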

    •  

      I did reply, they have hacked your email or theirs.

      Check your
      Email filters
      Email logs
      Disable Single sign on, app passwords (revoke permissions)
      Enable 2fa
      Disable SMS, voice as backup enable one time single use codes. Write them down. Don't screen shot, take photos. Same goes for the 2fa private key.

      This may not remove a hacker from a free service like Gmail, yahoo, outlook. If you want to pay peanuts use prontomail at least it has a good recovery secure policy.

  • +5 votes

    large amounts should have delays put into place like a mandatory hold period to avoid this stuff, sure many will cry about the inconvenience, but it might help.

    •  

      Although I agree with you $100k is a small amount in banking terms. But 100% agree that accounts that don't normally move these volumes of cash should be very, very easy to spot.

      • +4 votes

        It's not a small amount on a personal account though. It's ten times the amount that requires government reporting.

  • +3 votes

    Holy fxxk. This is some crazy shit. Feel sad for OP.

  • +9 votes

    Why not approach news media? They might get this into the limelight and banks might do their part to recover the lost money and they their name.

  •  

    Good luck OP, don't blame yourself it could happen to the best of us.

  • -1 vote

    Why did you pay into the settlement agents account in the first place? You Should be able to transfer all cash to your new mortgage account and your lender, your settlement agent and sellers agent all catch up over the phone and do an electronic settlement. Your lender and settlement agent will confirm all details with your written approval.

  • +1 vote

    All the conveyancers I have ever dealt with have always requested a bank cheque in the vendor's name. Seems the safest way to me.

  • +5 votes

    So this is "relatively common now" as in: real estate agents, conveyancers, and lawyers are often targeted by hackers. As in the scammers break in to the re/conveyancer/lawyer computer systems, watch for transfers, impersonate the compromised system, and reap big dollar rewards.

    I would demand that your conveyancer's systems be immediately audited by a third party for compromise. It's unlikely in the extreme that a hacker figured out you were conducting a real estate transaction and inserted the (wrong) payment details at the most (in)opportune time.

    If the conveyancer's systems have been compromised your money should be covered by their insurance.

  •  

    I remembered the first info pack given by my lawyer clearly stated they will not provide their trust account via Email. They will call me personally to verify the account detail.

  • +9 votes

    I feel for you OP. I know, it's of no help now.
    I actually did mortgage transaction only in last December, my conveyancer first mentioned about this type of fraud and gave a printed bank details.
    But, at the end all I had to do was to transfer full amount to ING account in my name that was open for home loan and it was bank who did everything. So, no actual big transfer in one go, on new account I had several days to transfer around $100k.
    Also, my real estate agent never wrote full bank details over email, they left 2 digits that I had to confirm over phone.
    I am bit surprised, your conveyancer didn't take any precautions at all.
    Anyway, hope you get your money back.
    It's a horrible position to be in.

  • +7 votes

    Something similar happened to a co-worker’s sister-in-law.

    The sister-in-law runs a butchery. They received the invoice from the supplier of their Christmas hams via email. She goes on to pay the invoice via bank deposit like she’s done every other time. A week or two later, the supplier is asking about the payment that was due. After some back and forth she realized what had happened.

    All up she was out ~$75,000 and found out Christmas week.

    We are guessing the scammers had access to her email, created a new invoice with replaced bank details using the old email as the template and resent it somehow using the original address. The BSB was the same – but account number was different, so they had done their research and opened an account at the same branch. Fraud investigators confirmed the money had been transferred internationally.

    •  

      So what was the outcome?

      •  

        I've totally forgotten about the whole ordeal until just now. OP's thread just reminded me.

        I'll ask him what happened when I'm back at work on Thursday as I'm curious too.

        •  

          The bank won't reimburse for this as the consumer has actively sent the money willingly - albeit to a scammer.
          It would be different if the scammer obtained access to the consumer's computer and transferred the money remotely.

          •  

            @drfuzzy: I doubt it would have ended differently. Scammers got on my mother's phone with teamviewer without her knowing transferred all her savings by western union and even after telling NAB and western union within maybe 1-2 hours they refused to take any responsibility.

            •  

              @RandomFox: @randomfox - you could challenge this. Some banks would reimburse in this setting, but they don't like to advertise it.
              If your mother actively helped the scammers and installed the teamviewer software at their direction etc it gets a bit more complicated.

      • +1 vote

        Caught up with the work colleague today.

        The bank flagged the transactions as suspect and held the money. Out of the $90k that was scammed. $88k was recovered and returned. The whole process had taken over four months from initial discovery and reporting till when the money was given back.

  • +1 vote

    I once accidentally transferred $1000 to a guy with ANZ account from my NAB account. And the guy whom I transferred left for overseas almost a year before this happened. I raised a case with NAB and got the refund in 20 days.

  •  

    Sorry to hear that. I sincerely hope the police catch the guy, or you can get your money back somehow.

  • +4 votes

    This is out of my league but the only thing I will mention is, write down every conversation you have from now on regarding this matter. Lawyers/police/bank or any other party. Time, date etc for legal reasons.

    It may drag on for a while and having this info, in writing is gold

    •  

      This is sound advice. Keep a detailed diary. Good luck!

  •  

    Nothing helpful to add but really wishing you the best in this terrible situation. Hopefully the real estate IT is super compromised so the insurance is more compelled to cover it.

  •  

    I would go to YouTube and throw shit on the fan, that will speed up nab and other agencies to find a solution

  • +1 vote

    My mother had her savings drained after scammers managed to get her to put teamviewer on her phone and transferred it through western union when she was not looking. Despite contacting both western union and NAB nothing could be done after opening the case multiple times over 6 months and that was only around 1.2k she still struggles.

    • +2 votes

      I feel for your mum. For the last few years I frequently remind my mum of scams and new ways they get peoples info'. But the problem is that the pro-scammers know how to weave a good tale.

  • +1 vote

    What are strategies to protect oneself from this type of scam? Always call the person (preferably after cross checking number) before transferring large amounts of cash? Would creating a cheque be safer?

    • +8 votes

      I'm a lawyer in Queensland. These scams aren't uncommon and our professional insurer has really drilled into us how to deal with them. In a nutshell, our insurer requires us to verify account details with clients by phoning them, and to advise clients to confirm account transfers that we request via a phone number from an independent source (eg firm website, Yellow Pages - not in the email).

      A bank cheque is an option, but not all clients can deliver a cheque to their lawyer's office. And bank cheques do have significant clearance times which may be an issue depending on timing. Another option is, if your bank allows, get them to draw all funds at settlement, rather than putting it into a solicitor's trust account. In fact you should be doing that regardless of cyber security issues.

      As linked elsewhere in the thread, it's not just lawyers who are having this issue (although it is more prevalent given the sums of money they deal with). The warning our insurer gives us is that if there is any exchange of money - whether to us, to an agent's trust account, to another solicitor's trust account - that the account details need to be verified with that person via an independently verified phone number.

  •  

    Maybe it's related to this news in the last few days

    https://www.cbsnews.com/news/microsoft-exchange-server-hack-...

    • -3 votes

      It's probably Chinese hackers again… Seconded by the Chinese government.

      • +3 votes

        Surely the Chinese govt. would have bigger fish to fry than some dude's random 100k?

        • +4 votes

          They're too busy planning to unleash covid-21

      •  

        It's probably Ukraine.

      • +2 votes

        yet we still post Deals on Huawei phones. :)

        • +4 votes

          Our government should put an import duty on them, like the Chinese are doing to our coal, wine, meat etc…

    • -1 vote

      It's actually the 5G they embed in the vaccines.
      No wonder they were able to scam OP

  •  

    My last house purchase was in 2019 and conveyancer sent me a letter with their details and made me use some payment portal which I had to pay $150 to use as well. They did say it was for security to which I said I'd write them a cheque.

    I was mildly upset at needing to pay an extra $150 at the time as I'd bought properties before. Not so much upset now though.

    Good luck OP and thanks for sharing so the rest of us can also learn.

  • +8 votes

    Very risky to be transferring a large amount of money blindly to a bsb+account you have never transacted on before. I always transfer a small amount first and confirm with other party before sending rest of the balance..

  • +3 votes

    Thanks for this post, OP

    It raises awareness which is one of the most useful tools.

    To be fair, I would have got done too. Doesn't seem unreasonable.

    The only caveat being…use bank cheques for this stuff in the future. Don't sign it until you're with the other party.

    I really hope you get the funds back.

    •  

      It serves as a great caution to all of us. Another thing to consider is what information do we store in an email account. Do you have your digital signature stored in your email ? What about account recovery codes ? I know I’m guilty of these and would need time to sort my security again.

  • +2 votes

    So what happens with the settlement is it still going ahead?

    • +9 votes

      Thankfully, yes!

      • +1 vote

        that's good, but how are you paying it?

        • +1 vote

          With the last of my savings. Will be living pay cheque to pay cheque after settlement for some time now unfortunately!

  • +5 votes

    https://www.abc.net.au/news/2021-03-17/aged-care-resident-sc...

    Here's a very similar case in today's news. Crazy shit.

    • +3 votes

      I came here to share that very article.
      This stuff is cancer. Microsoft need to do a re-evaluation on their security framework for O365 as this kind of scamming is far too commonplace.

      Put a 48hr delay on large transactions
      Encourage the Payer to contact the receiver directly to verify details.

      More needs to be done!!

      • +1 vote

        Yeah. I think the craziest thing is that it's kind of 'one fell swoop' in a very large transaction. Like, there is not even a chance for the victim to engage in denial (i.e. in Nigerian love scams and such) and have the scam continue. It's over before you know it.

        It's also amazing that the banks are so fast in processing the transactions. They could at the very least have a transaction size relative to the usual activity size of an account which creates a short term hold or something like that. It's the kind of thing we assume banks do but apparently do not.

      • +5 votes

        This has nothing to do with O365 but more to do with the fact that SMTP is an extremely old technology that was built without cyber security features in mind in the first place.

        Throw it into a field where large money transfers take place like conveyancers (who likely do not have the technical expertise nor the money to provide decent secured systems) and it's simply a disaster in the making.

        I never understand why people have this false belief. The easiest point of attack is not the vulnerability. It is actually the end user. Social engineering is the best and easiest form of attack to gain entry into a computer system, not a security vulnerability.

        Common tricks to getting people to click on links:

        "Hey, watch this funny Youtube video from your friend." Congrats, you've been hacked.
        "This is an Amazon bill payment that was made to you for orders that you purchased this past week. If you have a problem with this bill, please complete this form (click on this link)." Congrats, you've been hacked.
        "The fact that you are receiving this email from your own email account proves that your account has been hacked by us. We also have confidential information and have videotaped through your camera on some embarrassing activities. If you do not wish to be exposed, please send money to this bitcoin wallet." Congrats, you've been scammed.
        "This is your parking fine. You have 14 days to dispute this charge. Click on the link to view the photos that were taken as proof of your traffic offence" Congrats, you've been hacked.
        "The ATO has launched an audit against your tax filing of 2020 and a few discrepancies were discovered and a sum of $xxxx is made against you. If you believe that your tax filing was correct and wish to dispute this charge, please follow this link and a customer support officer will get in touch with you shortly." Congrats, you've been hacked.

        You will be surprised how many people fall for this kind of thing.

        •  

          You're absolutely right, people are the weakest link in IT security. Kevin Mitnick highlighted human hacking (social engineering) back in the 90's.

          There are however a few assumptions in your post regarding the security of the conveyancer and how they've been compromised. I'm not saying you're wrong, just saying we don't have all the information to make assumptions, I'm speaking to myself too.

  • +2 votes

    Firstly this is not uncommon (see all the comments). Secondly where I have seen it, it has ALWAYS been the company who had their systems exploited. I mean it makes sense right, they aren't going after Joe Bloggs it's too hard to identify individuals who are going to transact large sums of money. It's much easier to go after the company who happens to have all their contact details over the place and linked in information available. I would be surprised if you were the only client affected.

  • +1 vote

    There needs to be a better security system from banks to prevent this from happening. What's the point of KYC if your customer can just disappear after committing a crime (receiving proceeds from crime is still a crime).