Scammed Through Fake Invoice via Compromised Email - Need Advice Please

After being in a lost state of mind the past month since the scam, I hope to seek advice from the OzBargain community. I’m here asking for advice and please spare any grief as it’s been a difficult experience.

I had been emailing back and forth with our builder, and when they sent me an invoice for the first progress payment, the scammers intercepted it and sent me the builder's letterhead with amended bank account details.

I even replied to this email to confirm the payment details etc.; unknowingly, by then I was communicating with the scammer instead. He replied to the forwarded email and confirmed his account was correct. So I transferred $13k to the account.

It was only when I spoke to the builder the next day that we both realised he had not received any of the emails I sent him, nor the money. It only hit me when he told me he uses Bank A, not Bank B (to which I remitted payment).

I immediately forwarded the email thread and typed out his email address letter by letter - [email protected] - and the builder still did not receive the email thread. How is that possible? And the scammer had the audacity to reply to that forwarded email later that day to say he had received the money!

Long story short: because the account is interstate, and the account had by then been closed, it took 2 weeks for WA Cyber Police to open the investigation (I was in a long queue apparently). The scammer has left the building and the case is pretty much cold by now. The banks are not helpful at all and made it very clear they won't recover the money. I feel helpless and don't know what else to do. I have already spoken to both banks' branch managers, gone to the local police and called WA Cyber Police, and got nothing from them. I went to QBCC for a solution and they offered nothing. I will be going to the ombudsman if I can't get any resolution.

The builder is not taking any responsibility and said his emails are secure, so it would be my emails that have been intercepted, so it's my responsibility. I have asked him to enquire with his builder's insurance but he is not willing to. Everything is at a halt now, which makes it very difficult to continue the build. I feel like I'm at his mercy as he is still halfway through the build.

I wish I could take this further and get a PI specialising in cyber investigation, but I'm not sure where to start or if it's even worth it. This experience has taken a huge toll on me and my family. I feel sick thinking this scammer has gotten away with it and is continuing to scam more people 😔 Any advice is greatly appreciated.

Regards

Cathayg

Comments

      • Exactly. The OP has said he emailed back to confirm the details.

        Speaking with the builder would have raised an alert

      • -2

        I said email back in a new email from an address you can verify?

        • +4

          If the builder's email is hacked (most likely man in the middle as these attacks are) it doesn't matter what 'verified' email address you use, the hacker is intercepting it and can change it, etc.

      • Yes, especially as it seems the builder's email is compromised.

  • -1

    Do a thorough search on the builder; if he's involved, dishonesty could show up somewhere. Also contact the police ombudsman; the thief is in plain sight and action needs to be taken. This is fraud, and obtaining money by deception.

  • Hasn't this happened to someone else recently? I remember reading a post about it.
    It was a deposit for a house from memory

  • +2

    Firstly, it is unlikely they intercepted the email; the scammer either has access to the builder's email or access to yours. Contact your email provider and get them to check when and where your email has been accessed.

    Secondly, check with haveIbeenpwned.com to see if your email and password have been compromised with other providers. Check the builder's email address here too.

    Thirdly, if it is the builder that is compromised then it has almost certainly happened to other people. For these organised scams it is more likely the builder that has been compromised, as watching thousands of people's accounts hoping for a bill to come through that they can resubmit with new details is a lot of work compared to watching a single builder's account.

    Lastly, sadly your money is likely gone unless you are lucky enough with the banks.

  • +4

    It is likely the builder's email address is compromised rather than your own account, unfortunately.

    If you sent your email out and it was accepted by the builder's email provider (whether personal domain / business domain / gmail / outlook etc.), their account is likely compromised. The fact the builder isn't seeing your emails is likely because it's auto-forwarded based on subject etc. and deleted. The builder would be unaware.

    This is very common in conveyancing and property settlements; so much so nearly all conveyancers require a verbal confirmation of the details before sending it along.

  • Wouldn’t be surprised if the builder is in on the scam, all seems a bit too convenient.

    • Na, as Morrij says it is a common scam in building (including conveyancing) and is always done without the knowledge of the compromised invoice sender (too risky otherwise). The builder is only being stupid in not co-operating afterwards.

      Mind you if OP wants builder to co-operate one way would be to imply he's under suspicion - "show me you're innocent or my lawyer will be after you".

  • +3

    Sorry to hear about your hardship.

    I'd agree with the majority in this thread that it is likely the builder's account that is compromised.
    Based on current trends, I'd guess the builder was likely compromised through a social engineering attack (phishing etc.) or bad password hygiene.
    It sounds like mail rules were established on this builder's account to forward and delete certain emails, likely with keywords relating to financial matters e.g. invoice.

    For future peace of mind for your own email security, you may consider changing the password to your email account, enabling multi-factor authentication (if not already on) and checking for any suspicious email rules in place.

    • +3

      The critical step of this scam is that IF your email is compromised, they would have created an auto-forward to the scammer's own email address AND from there, they would become aware of any payment due and sent you instead a compromised invoice with their own bank account.

      So if you are using Outlook, you need to check if this auto-forward rule was created and immediately delete it (IF not already deleted by the scammer to erase their tracks).

      Then change password immediately, create an alias email address that can only ever be used to log in, and finally enable multi-factor authentication.

      You could try to argue if the rule was not there, then you could say it's the builder's email that was compromised.

  • +5

    Account name matching should be mandatory with all transactions, especially how quick the payments are these days.

    • Was there not a big issue when NPP payments were new and the banks got the recipient's nickname? People were not happy; now imagine they had access to the actual account holder's name and not the PayID nickname.

      It's also not practical. A high number of payments would be going to an account in a different name. Legal and real estate trusts, company names, nicknames etc.

    • +3

      Yes, account name matching should be mandatory to reduce this type of scam. Australian Banks are lazy and they just wanted to put the responsibilities to the customers and authorities are too chicken to force the banks to do this.

      I tried sending a payment to Taiwan, missing a dot and commas in the account name. The payment got rejected. Problem was some Australian banks won't let you enter a comma or dot in the Account name field. I had to write a special letter to my bank confirming the account name and the payment was specially handled from the backend. This is how strictly other countries are dealing with this.

  • +1

    As Reagan once misappropriated a Russian proverb: trust, but verify.

    Always double-check important stuff.

    • Ronald or Reg Reagan ?

  • +3

    I once received an email from a compromised email address. I googled the company and called the bloke to tell him his email account was compromised. Later in the evening, an email was sent to all his clients about any phishing emails they might have received.

    It is always good to call beforehand to confirm things.

    I am hopeful that you will eventually recover the money from the bank, via police investigation should the compromise not be from the builder side.

  • -6

    Think positive, work hard and have the right attitude.

  • +1

    Do they ever catch these people? If so we never see them on the news. The punishment really should be life in prison since we don't have capital punishment anymore.

    • +2

      These guys are all overseas (India) and even if they were right here on our doorstep literally nothing would happen to them, even if they were caught.

      Why do you think fraud is so rampant and always will be.

  • +4

    Did the invoice come from the builder's actual email address?

    If so it would be the builders issue IMO.

    Note: I may be wrong legally

  • +6

    To be honest this makes my blood boil. I was targeted in a similar way through my solicitor and got an instruction to pay 12K to their "trust account" via email out of the blue when we were purchasing our home last year. Thankfully I thought of calling the solicitor before obliging. Well I gave the bank details to my solicitor who supposedly sent it to the NAB risk team.

    I think the only way to stop this kind of scam is to make the banks accountable by law to cover this fraud. They are one of the key weak links. This would give them a strong wake-up call to introduce better procedures to vet any new account coming through the internet.

    I mean banks have rights to access credit files which have all our details including addresses, phone numbers, etc. How long does it take to give an automated call or text to perform some form of verification. For e.g. enter last four digits of your XXX bank account or XXXX credit card or TFN number.

    Another way could be that the credit bodies provide the vetting as a service to the banks. Basically the online bank's API hands over the verification to the credit provider, which performs the above secondary checks. They are already doing primary checks for credit card applications, why not something stringent for new accounts.

    Other options could be getting verification through the MyGovID processes. There is so much these bloody banks can do and all they choose to do is brush their hands off saying "not my job".

    • +2

      We have a 100 point ID check but, as many people would be aware, non-residents and non-citizens can open Australian bank accounts, including foreign companies, which is how they slip through the gaps.

      I know a few people who were coming to Australia on temporary 457 visas and opened accounts months before landing. One of my friends who's been using CommBank for 25+ years set up his account when he was in Russia under a different name. They finally cracked down on him recently and now refuse to recognise him when he goes into the bank, as the name on his driver's licence doesn't match his patronymic name.

      • +1

        I have never seen a 100 point check when opening a bank account online.

        • They don't need a 100 point ID check; it requires either a driver's licence or Medicare card number with the other details matching the ID check system they use (no clue what database it is but it's an official one). If the details don't match, e.g. you recently moved, then the ID check fails and they ask for more info.

          In a lot of ID takeovers where an account is opened fraudulently, the details will match the customer or it will be their last address; it's not just made up info.

          • @Settero: But most of these scams don't use a new bank account. They get hold of some tech-illiterate pensioner's existing account via a mini-scam (phishing, "make money at home with your computer", etc) and pass the money through that. When the cops finally roll up to the address they find a scared and bewildered 90 year old.

        • Oh wow, you are right. I figured it was still the 100 point check as it was when I opened my ME Bank account years ago; it isn't. You just need someone's Medicare card number and a physical address to skim the card from. So I grab your name, Medicare number and address and give them a "postal" address around the corner that is currently not being resided in and away I go.

          Go for the one with the highest ATM withdrawal limit, request a couple of cards and get you to deposit into my new BSB and ACC# and then head to the nearest ATM with a ski mask on late at night and clean the account out.

          I figured in scam world, getting actual cash out would be the hardest, but only needing a valid Medicare #, expiry date and away I go.

          Man, why am I working?

          Most Australian banks now allow you to verify your ID online. You will need to have your driver's licence, passport, Medicare card or birth certificate handy when applying for an account online, and then follow the prompts to have your ID confirmed. If you'd prefer to do it in person you can head into a bank branch. (5 May 2021)

        • Same. Maybe it's different if you're overseas, but VPNs and all that

  • +19

    I work in an email/server related field and have helped customers on both sides of this scam (the company being impersonated by the scammer as well as the person who was scammed) - 11 in the past year. Here are my insights; hopefully it helps someone or answers some of the stranger parts of these scenarios.

    • The email addresses of one or both parties have been listed on https://haveibeenpwned.com/
    • Three of the scammers sent their emails from a 'gently altered' email address (jon@company in place of john@company) and had masked a different 'reply to' address.
    • One victim was asked to send replies to a gmail account instead because "[Internet Company Name] had broken our work emails again and it looks like it'll be days this time". This had actually happened the week prior so it didn't arouse suspicion.
    • Company emails had been used by employees for non-job related mailing lists, newsletters and social media accounts as well as iTunes, Netflix, Amazon, you name it. Most used the same password across multiple services. Of all of them, only one company had a policy against using business email for this.
    • After a virus/trojan was found on one company's network, employees were instructed to update their passwords. The accounts person was 'too busy' and a month later deposited 30K in a scammer's account.
    • A company with a monthly password change policy found their hacked employee used an identical password with a number at the end but increased the number by 1. They'd been doing this for 2 years.
    • In most instances either online webmail or Outlook was set to forward email replies "from a certain address" or "containing specific words" to the hacker's own email. This is why nobody saw the scam as it occurred.
    • Out of the companies that were being impersonated, server task logs show that only THREE have since updated email passwords. It's as if doing so would admit they were at fault.
    • +2

      I'm sure that monthly password changes only lead to people having numbers at the end that they increment each time. Even more likely if the password rules are like 12+ symbols. There should be some reasonable middle ground.

      • +1

        Yep, regular password changes have, like requiring numbers and special characters, long been shown to be counterproductive because they inconvenience users who then revert to insecure practices (like a very predictable pattern, or sharing them, or writing them down).

        If money is involved there really is no substitute for 2FA in the form of a phone call or SMS. It is not as though elaborate fake invoices are new - it's been happening ever since the postal service was established.

        • I would say 99% of people who are forced to change passwords often would literally just change the number at the end, e.g. Monday1, then next month it would be Monday2 and so on.
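The "Monday1 then Monday2" pattern discussed in this subthread is something a password-change form can catch at the moment the new password is set. The check below is an added example, not something from the thread or from any particular product; the sample password pairs it is run on are constructed here, and it deliberately generalises past the trailing-digit case to the other cheap rotations people use (case changes, appended or swapped suffixes, reusing the old password inside the new one).

```python
"""Flag a proposed new password that is only a predictable rotation of the
old one, so a rotation policy does not quietly degrade into Monday1 -> Monday2.
Added example; the sample pairs below are constructed, not from the thread."""
import re

TRAILING_DIGITS = re.compile(r"(.*?)(\d+)")


def rotation_of(old, new):
    """Return a short reason if 'new' is a trivial rotation of 'old', else None."""
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"
    m_old = TRAILING_DIGITS.fullmatch(old)
    m_new = TRAILING_DIGITS.fullmatch(new)
    # Monday1 -> Monday2 (or Monday17): same word, only the trailing number moved.
    if m_old and m_new and m_old.group(1).lower() == m_new.group(1).lower():
        return "same word, trailing number changed"
    # Monday -> Monday2024: the old password with a number stuck on the end.
    if m_new and m_new.group(1).lower() == old.lower():
        return "old password with a number appended"
    # Monday1 -> Monday! : same word, the digit/punctuation suffix swapped.
    base_old = re.sub(r"[\d\W_]+$", "", old).lower()
    base_new = re.sub(r"[\d\W_]+$", "", new).lower()
    if base_old and base_old == base_new:
        return "same word, different suffix"
    # One password embedded in the other (Monday1 -> xMonday1x).
    if old.lower() in new.lower() or new.lower() in old.lower():
        return "one password contains the other"
    return None


def check_pairs(pairs):
    """Run rotation_of over (old, new) pairs; returns {new_password: reason_or_None}."""
    return {new: rotation_of(old, new) for old, new in pairs}


if __name__ == "__main__":
    # Constructed sample pairs.
    SAMPLE_PAIRS = [
        ("Monday1", "Monday2"),
        ("Monday1", "monday1"),
        ("Monday1", "Monday!"),
        ("Monday", "Monday2024"),
        ("Monday1", "correct horse battery staple"),
    ]
    for new, reason in check_pairs(SAMPLE_PAIRS).items():
        print(f"{new!r}: {reason or 'ok'}")
```

The check rejects the predictable cases and lets a genuinely new passphrase through; it is a complement to, not a replacement for, dropping forced periodic rotation in favour of length and a second factor as the comments above argue.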

  • +14

    Unlikely your email has been compromised compared to the builder’s email. A scammer is far more likely to target people and businesses who send or receive large sums of money; lawyers, builders and real estate agents usually. Targeting individual people is very low yield as a random individual is unlikely to be making large EFT payments.

    Not saying it’s impossible, but it’s more likely to be the builder’s email which is compromised.

  • +9

    The fact that you typed your builder's email letter by letter and confirmed with them, and they still didn't receive it but someone else did, reeks of them being compromised. Also, how else would the attacker know you were about to be sent an invoice from them of xx amount?

    It's possible the attacker has placed an auto forward + delete original email rule in the account settings of the builder - or is just reading them first and deleting. I wonder what email system your builder is using, do you know? Put your builder's domain in here https://mxtoolbox.com/ and it'll tell you info on their MX (if they're using Outlook online etc.). Wouldn't be surprised if your builder got fooled by a recent phishing email and is now being defensive when you suggested they check their account. Also, I wonder if they use 2 factor authentication; you should test it yourself by attempting to log into your builder's email and see if it prompts for the 2nd auth or not.

  • +1

    Can you share the email header? Can you say to the bank "I sent to the wrong account"? By law they need to:

    Quote from the FOS (Financial Ombudsman Service) PDF:

    If you have made a mistaken internet payment, you need to contact your bank or credit union immediately. Your bank or credit union will then contact the unintended recipient's bank to try and get the money back.

    If the money is still in the other person's bank account and it is a genuine mistake (because the account name and number do not match), then the process for recovering the money depends on how quickly you have reported the mistake to your bank. If you report the mistake:
    * Within 10 business days: the funds will be returned to you.
    * Between 10 business days and 7 months: the recipient's bank will freeze the funds. The recipient will then have 10 business days to show they are entitled to the funds. If they do not, the funds will be returned to you.
    * After 7 months: the funds will only be returned if the other person agrees.

    Source

    • +2

      "If the money is still in their account"…

      • So the bank has no responsibility if the receiver withdraws the money? I guess it becomes a fraud situation but that's certainly a loophole.

  • +5

    To the OP, one thing I would do if I were you is engage an IT professional to help determine whether or not the builder was compromised. By looking at the message header, in particular the From and Envelope addresses, checking DNS records to see SPF and DKIM, and also comparing the headers of the dodgy message with a legitimate message from the same business, one should be able to determine whether or not they were compromised. I would not lay down and accept what the builder has been telling you.
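The header comparison this comment describes, written out as an added example (it is not from the thread and not any particular tool): the script parses a known-good message previously received from the business and the suspect invoice message, compares the envelope sender (Return-Path), From, Reply-To and Message-ID domains, and reads the SPF and DKIM verdicts the receiving mail server recorded in its Authentication-Results header. Both raw messages and all domains are constructed here. It assumes the victim's provider stamps an Authentication-Results header; where it does not, the SPF/DKIM checks report "missing" and the sending domain's DNS records have to be checked separately.

```python
"""Compare the headers of a suspect invoice email against a known-good
message from the same business. Added example; the two raw messages below
are constructed for illustration and use example domains."""
import email
import re
from email import policy

# Constructed: a legitimate message previously received from the builder.
GOOD_RAW = b"""Return-Path: <accounts@example-builder.com.au>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-builder.com.au; dkim=pass header.d=example-builder.com.au
From: Accounts <accounts@example-builder.com.au>
To: client@example.org
Subject: Progress claim 1
Message-ID: <good-1@example-builder.com.au>

Please find attached progress claim 1.
"""

# Constructed: the suspect message carrying "amended" bank details.
SUSPECT_RAW = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example-builder.com.au; dkim=none
From: Accounts <accounts@example-builder.com.au>
Reply-To: accounts.examplebuilder@freemail.example
To: client@example.org
Subject: Progress claim 1 - updated bank details
Message-ID: <x9@mail-relay.example.net>

Please use the attached updated invoice.
"""


def addr_domain(value):
    """Domain of the first address in a header value ('' if header absent)."""
    if not value:
        return ""
    m = re.search(r"@([\w.-]+)", str(value))
    return m.group(1).lower() if m else ""


def auth_results(msg):
    """spf= and dkim= verdicts from Authentication-Results ('missing' if not stamped)."""
    ar = str(msg.get("Authentication-Results", "") or "")
    results = {}
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", ar)
        results[mech] = m.group(1).lower() if m else "missing"
    return results


def analyse(raw, reference_raw):
    """List the ways 'raw' departs from the known-good message (empty list = consistent)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ref = email.message_from_bytes(reference_raw, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    ref_from_dom = addr_domain(ref["From"])
    env_dom = addr_domain(msg["Return-Path"])
    reply_dom = addr_domain(msg["Reply-To"])
    mid_dom = addr_domain(msg["Message-ID"])
    # A lookalike sender domain (jon@company vs john@company style) shows up here.
    if from_dom != ref_from_dom:
        findings.append(f"From domain {from_dom!r} differs from known-good {ref_from_dom!r}")
    # Envelope sender on a different domain from the visible From is a classic spoof tell.
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom!r} does not match From domain {from_dom!r}")
    # Replies silently steered to a mailbox the scammer controls.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points to {reply_dom!r}, not the From domain")
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{mech.upper()} result is {verdict!r}")
    # Message-ID is normally minted by the sender's own mail system.
    if mid_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom!r} differs from From domain")
    return findings


if __name__ == "__main__":
    for finding in analyse(SUSPECT_RAW, GOOD_RAW):
        print("-", finding)
    print("known-good against itself:", analyse(GOOD_RAW, GOOD_RAW))
```

A suspect message whose From, envelope, Message-ID and authentication results all match the known-good one points to the business's own mailbox having sent it (i.e. the account was compromised, as several comments here suspect); a message that fails on these checks was more likely sent from outside while impersonating the business. Either way the findings are evidence to put in front of the builder or an insurer, not proof on their own.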

  • Poor thing. I hope you get your money back OP.

    :(

  • It's their email domain, and their contract with their email provider. It may not be their fault directly but it's definitely not yours. I'm not aware of any attack which can redirect emails from the sender's machine and, more importantly, rename incoming mail from another address to something else. I would really think this is on the recipient's side surely… Any cyber investigation is going to cost you more than you're out of pocket and probably sour the relationship with the builder. If anything, try to follow through after handover.

    I'm surprised they don't seem to care their emails are very likely compromised. Sounds suss.

    • +4

      He probably doesn't need to go to the extent of getting a cyber investigation done. An educated email professional that is technically savvy will be able to quickly review what has happened (assuming he kept all the emails etc.) and then provide a bit of a summary of timelines and which emails originated from where, or at least where they "appeared" to originate from (if no DKIM and SPF). This should be more than enough to provide evidence to the builder that it is his fault, "please contact your insurance", or to tell him bad luck, you got done over locally. A couple of hours' effort would easily do it if you can find someone locally willing to help.

      • +1

        Yes I agree, more from the perspective of proving it to the builder by retrieving the results from an official source.

        • To get the ball rolling you shouldn't need to go to that extent unless the builder is going to be a real Ahole about it, in which case make it clear you will be passing on all costs to him if you have to go to that extreme to prove he is the root cause. Also there is no official source; it will all just be technical analysis of what info is available. A cyber expert isn't going to be much more helpful than an email specialist here unless it is he who has been compromised instead of the builder, but then all it will do is tell you in an expensive way how to rectify your security and won't retrieve any money. Collect the info with the person's qualifications detailed and provide that to the builder (assuming it all points at the builder's email).

    • +6

      We saw a very similar scenario when we were contracted to investigate an almost identical scam involving an invoice being doctored with the scammer's bank details. Forensically we pieced it together. Supplier A was in email contact with Client B. Supplier A was using a well-known subscription-based hosted email provider (but not using multi-factor authentication). Supplier A clicked on a link in a phishing email that redirected them to a fake site that then asked for their email provider login details. They provided these details and the scammer harvested them. The scammer then logged onto Supplier A's mail account and patiently watched emails going back and forth. The scammer could see from the conversation that an invoice was about to be generated by Supplier A and sent to Client B. At that point the scammer added a rule into the mail flow that effectively hid any inbound mail from Supplier A's inbox but allowed the scammer to still monitor all the new emails. The invoice email arrived and the scammer downloaded the attachment, doctored the invoice and then sent it to Client B with their own bank details. Client B processed the payment, which was for a considerable five figure sum. The email rule was then removed and Client B only found out about the scam when they sent a remittance advice to Supplier A but there was no evidence of the money in Supplier A's account. The bank queried the amount (going to a first time payee) and blocked further withdrawals but the scammer had already made a partial withdrawal of the amount. In this case, Supplier A was found to be liable due to sloppy security around their email service. As others have said here, 2 factor or multi-factor authentication would have killed this dead at the point the scammer tried to log in as Supplier A. It's a no brainer to add that level of authentication whenever possible.

      • Yeah fascinating, very sneaky and relatively low-tech.. I thought there was some man-in-the-middle domain hijacking who knows what happening.. Very simple and very effective..

        So given that, it is more likely the recipient (OP) has been compromised in this example.

        • +1

          We were surprised how relatively straightforward the scam was and, like you say, simple and effective. In the OP's case they would be Client B and the builder Supplier A. Can't say if the circumstances are exactly the same for the OP but in our business we have seen this type of scam more than once. It's really hard to pinpoint liability and/or apportion blame and that's not part of our role - we just do the forensic work and provide a report and recommendations. Sadly, the socially engineered hack is still one of the most effective.

      • zazutata: Thanks for the really interesting explanation.
        One question:
        You mentioned that "The invoice email arrived and the scammer downloaded the attachment,"
        Wouldn't the invoice have been sent via SMTP direct from Supplier A email client - I can see that the scammer would have access to the supplier A incoming messages but not sure how they would have seen & downloaded the outgoing invoice (unless the customer replied to the message).

        • +2

          Sorry, I wasn't clear and actually missed out a step. Supplier A sent the invoice to Client B whilst the scammer was 'watching' the mailbox of Supplier A. At this point, the scammer re-sent the invoice message stating there was an error in the original invoice details and that the error was around the line items rather than the bank details even though those details were also changed. Crude but in this case effective as the retouched and attached invoice was done well enough to look legitimate. They even used the 'recall' facility on the original invoice message to make it look legitimate (despite the fact that this rarely works it does at least leave an attempted recall message in the recipient's mailbox). The scammer did a lot of this towards the end of the day possibly to take advantage of the COB rush etc. The Outlook Web Access rule was effective too - 'move all incoming mail to the deleted items folder and mark as read'. To Supplier A, this just looked like a quiet day at the office with not much mail coming in. Effectively, these circumstances conspired enough to make everyone think it was business as usual. As is often the case in these scams it's easy to roll eyes and say things like 'how could you not see this, or check that, or realise this' but Client B is used to moving large sums around so this was just another ordinary transaction.
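The mailbox rules described in this thread (the email professional's "forward replies from a certain address or containing specific words to the hacker's own email" and this comment's Outlook Web Access rule "move all incoming mail to the deleted items folder and mark as read") are the artefact a defender should go looking for first. The audit below is an added example, not from the thread or from any vendor tool: it runs over a constructed list of rules whose field names are loosely modelled on the properties of Exchange Online's Get-InboxRule output (Name, Enabled, From, SubjectContainsWords, BodyContainsWords, ForwardTo, RedirectTo, MoveToFolder, DeleteMessage, MarkAsRead), and flags rules that forward or redirect outside the organisation, hide mail by deleting or burying it, key on payment-related words, or carry a blank or punctuation-only name. The organisation's domain is a constructed example.

```python
"""Audit inbox rules for the hide-and-forward patterns used in invoice fraud.
Added example; rules and domains below are constructed. Field names are only
loosely modelled on Exchange Online's Get-InboxRule properties."""

# Constructed: the business's own mail domains; anything else is "external".
ORG_DOMAINS = {"example-builder.com.au"}
# Words a scammer keys a rule on so only money-related mail is intercepted.
MONEY_WORDS = {"invoice", "payment", "remittance", "bank", "bsb", "account"}
# Folders a rule can move mail into so the owner never sees it.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "conversation history"}

# Constructed sample rules: one benign, two malicious, one disabled.
RULES = [
    {"Name": "Newsletters", "Enabled": True, "From": ["news@vendor.example"],
     "MoveToFolder": "Newsletters", "MarkAsRead": True},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "payment"],
     "ForwardTo": ["acc0unts.examplebuilder@freemail.example"], "DeleteMessage": True},
    {"Name": "Cleanup", "Enabled": True, "MoveToFolder": "Deleted Items", "MarkAsRead": True},
    {"Name": "Archive old", "Enabled": False, "MoveToFolder": "Archive"},
]


def external_targets(rule):
    """Addresses the rule forwards or redirects to that are outside ORG_DOMAINS."""
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    return [t for t in targets if t.split("@")[-1].lower() not in ORG_DOMAINS]


def audit_rule(rule):
    """Reasons this rule looks like fraud tooling; empty list if it looks benign."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons                      # disabled rules do nothing today
    ext = external_targets(rule)
    if ext:
        reasons.append(f"forwards/redirects to external address(es): {', '.join(ext)}")
    hides = bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
    narrowed = any(k in rule for k in ("From", "SubjectContainsWords", "BodyContainsWords"))
    if hides and rule.get("MarkAsRead"):
        reasons.append("hides mail (deleted/junk) and marks it read")
    elif hides and not narrowed:
        reasons.append("hides ALL incoming mail with no narrowing condition")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    if words & MONEY_WORDS and (ext or hides):
        reasons.append(f"keyed on financial keywords: {sorted(words & MONEY_WORDS)}")
    if not rule.get("Name", "").strip(" .-_"):
        reasons.append("rule name is blank or punctuation only (easy to overlook)")
    return reasons


def audit(rules):
    """Map rule name -> reasons, for rules that raised at least one reason."""
    flagged = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            flagged[rule["Name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit(RULES).items():
        print(f"rule {name!r}:")
        for r in reasons:
            print("  -", r)
```

In a real tenant the rule list would come from the mail platform's admin interface or export rather than a literal; the point of the audit is that a rule which sends money-related mail outside the organisation, or empties the inbox into Deleted Items marked as read, has no legitimate business use and should be treated as a sign of account takeover until shown otherwise.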

          • @zazutata: Thanks for the additional details. Great to be aware of these things to avoid it happening.
            It certainly sounds a likely possibility for the OP too (and analysing message headers would prove it was a supplier email issue).

            • @Gaz1: Agreed. If the OP can prove that the builder's mail was compromised then there may be a case (business insurance, cyber insurance perhaps?). 2FA would stop a majority of the phishing scams but it's not always an option for small businesses or one-person operations. Sadly, this is not the first one we've seen in our work and it's not likely to be the last. The Kaseya breach over the weekend is a worry for all MSPs as that's obviously an attractive vector for ransomware too.

              • @zazutata: A lot of people think about their passwords for Banking, etc but your email password is actually very critical too.
                With so many websites allowing a "forgot password" once a scammer gets you email password (easy via fake login emails) then they can look through your mailbox & get the password for almost all other websites you use (filtering the inbox to stop you seeing the forgot password emails).

          • @zazutata: I appreciate the explanation. It makes more sense how our email was so easily compromised and so conveniently overlooked. I believe the scammer has been waiting for the right timing. The scammer did send the emails by COB, so I would not consider calling the builder after hours to confirm the bank details etc.
            And I fell for it. Because the builder is a family run business, I remitted the payment immediately for their services as I knew they would appreciate the prompt payment.
            I think back and I lose count of how many times I think, if only I had waited until the next day to call them. This all could have been avoided.

    • +1

      "I'm surprised they don't seem to care their emails are very likely compromised. Sounds suss."

      More likely very scared and in denial. OP may not be the only victim of their compromised email account.

  • +2

    This is why everyone here should make sure you use Two Factor Authentication on any site you use as well as a password manager like Bitwarden to make strong passwords.

    • better off using solid pass phrases and two factor, password managers are an added weakness to be exploited (but better than really weak reused passwords).

      • password managers are an added weakness to be exploited

        Depends if you think your pass phrases are unique enough per site while still being memorable (and I guess how good your memory is)

        Also, the security on the password manager 'blobs' like bitwarden are going to be a pretty big hurdle to brute force .

        For the most 'regular' people a single decent pass phrases securing a password manager account, and password manager generate unique long random passwords per site is likely to result in an overall more secure solution.

        • +2

          For someone that doesn't create secure passwords, then yes, sure, a password manager is better. However password managers are only as good as your local machine's security; you are only a single incident of a key logger, or exploit, away from losing everything (which is also why if you use a password manager MFA is even more critical). Many password managers like Bitwarden stay open and accessible in memory after you unlock, so are vulnerable to any bad actions by the user while open.

          For this reason I use a password manager for forums and unimportant accounts. Anything critical such as bank details I would not put in one, or would have them in a separate offline store.

          • @gromit: If your machine already has key loggers and malware, you've got issues anyway.

            Your offline password makes no difference (as it's captured the first time you type it in anyway) and the only thing saving you is the 2FA (and hoping for no man in the middle etc.)

            Makes a password manager just as secure, as it's the 2FA that you're hoping saves you from any local machine based malware.

            • +2

              @SBOB: Of course if you have a keylogger or malware you have issues. But with a password manager your issue is magnified exponentially. A secondary offline password means it can ONLY be captured when I enter it, as opposed to a password manager which can expose it regardless of whether I have just used it or never used it. A password manager is a convenience and for many it has a benefit, as without it their passwords are pathetically bad or reused; it is definitely NOT more secure though.

        • +1

          Password managers still have too many vulnerabilities to keep all your eggs in one basket. Not only keyloggers but disgruntled employees, clone browser extensions, even things like when LastPass changed pricing plans and there was a mass exodus to other password managers. 6 months later you find the exported plain text file because you simply forgot.

          I'm definitely in the camp of assuming a breach will occur and limiting the damage. If I forget a critical password, it's not the end of the world. Password manager like gromit for all inconsequential accounts - which are the bulk - but no way I'm opening a vault with critical passwords in it just to get my OzBargain password out.

          • @Janko:

            Not only keyloggers but disgruntled employees, clone browser extensions, even things like when LastPass changed pricing plans and there was mass exodus to other password managers. 6 months later you find the exported plain text file because you were too scared to delete it immediately in case the import didn't work, then forgot.

            Disgruntled employees? Where? At the password manager company?
            Your encrypted blob might be stored 'in the cloud', but the encryption is done client side.
            LastPass/Bitwarden etc. have no visibility of your password manager password or the contents of the data 'blob' containing all your passwords. Feel free to go look up how long it would take to brute force one of these encrypted data blobs. I'll happily send you my Bitwarden one if you want :)

            Clone browser extensions seem pretty unlikely,
            and plain-text files on your local machine are again a local machine issue, in which case your password security is irrelevant.

            Yes, if you somehow have unlimited memory for passphrase combinations, which are in no way related to things containing site names or replicated sequences/passwords, then sure. Go crazy just remembering passwords or writing them down offline if that's your thing.

            Shrug. Almost every single account breach issue could be resolved by simply using long random site-specific passwords and 2FA where available. A password manager just makes this much, much more accessible (and makes it likely you don't repeat passwords or passphrases) for most people.

            If password manager blobs were getting cracked/unencrypted all over the place, feel free to link to those articles detailing this

            • @SBOB: Client-side coders get disgruntled or devious too. Private repos get hacked. Employees mistakenly check in test code.

              Security updates to software aren't always covering hypothetical situations - they actually happened. A company's top priority is to hide breaches if they can. I remember catching some disingenuous code at a large company I was in, customers never found out they lost $100's, possibly even thousands - only the coder himself knew how much. Coder was sacked, but intentionally not prosecuted to keep the breach quiet.

              Figures made up for illustration, but I'll take a 1% chance of having one or a few accounts compromised because they're similarly diversified and I'll survive, over a 0.1% chance of having all accounts compromised which I might not. We don't know what such percentages truly are, so I'll take the option of limiting the damage.

  • I can tell you that this happened to one of my clients. Exactly like this in fact.

    They sold a vehicle to another business who paid to the wrong account due to hackers intercepting the email and amending the payment details - it was a really amazing job as the invoice looked identical to the original albeit with different account details.

    The client has Cyber Insurance so it was claimable, but it was found that the person remitting the funds wore the loss. The reason being that they transferred funds to the wrong account. The onus is on them to verify the account details.

    • If the sender is scammed then it's hard for insurance to cover it because it's a moral hazard and premiums will skyrocket pretty quickly if instances like this are covered.

      • That's what a Cyber Insurance policy is for. Insurance in general is merely transferring risk from your balance sheet to the insurers'.

        Not hard for insurance to cover it at all. It's literally what it does.

          • How do you avoid fraud situations? If people start burning their houses down or a situation (e.g. severe climate change) causes houses to burn down, then costs will be in the tens and hundreds of thousands, which means premiums will be too, which means it's not feasible.

          • @ihbh: Fraud is easily found out. They employ investigators like all insurers do for all classes of insurance. How do you think they catch people out?
            To begin with, you'll have to have controls in place to get the insurance. You can't get it if you have no security or systems in place.
            If you burned your house down you would get caught. This isn't too different.

            • @imurgod: That's correct, but it won't cover customers who get scammed, because who knows what systems they have in place or what possible fraud they can commit (I'm not saying in this case). Check out CTP scams. Investigators, etc. are all costs that are including in the premium.

              • @ihbh: Oh, I must've misunderstood you. You're right.

                Re the costs of investigators, etc. yep, it's sickening to see that, and it isn't just CTP. People think it's a victimless crime or that insurance is there for them to profit from.

                I used to work in the motor fraud team of one of a large Australian insurer. It's amazing how cocky these criminals are…. cocky, but not smart.

      • Oh FFS. All insurance risks are subject to moral hazard - the usual way of dealing with it is to have a deductible (or excess) on claims plus no-claim bonuses or other risk-rating for future premiums. That's generally very effective, and will be for this. Adverse selection, not moral hazard, is the reason premiums can get in an upward spiral.

        I mean are you saying that if this builder can claim he won't bother fixing his email security? I don't think so.

        • if this builder can claim

          No, I'm saying if the customer can claim…

  • +2

    In future, for any substantial amount of money, please transfer $1 and get the recipient to verify receipt.

    • +1

      get the recipient to verify receipt.

      Via an alternate communications channel…

      • Cheers, worth stating to avoid being scammed.

        The principle is: In corporates, the back desk is separate from the front desk. E.g. a trader doesn't process his trades…

  • Contact Police cyber crime; this is getting to be a serious issue here. It even happened to Tesla.

    https://www.abc.net.au/news/2021-04-15/tesla-invoice-scam-co…

  • +5

    Thanks again guys for all the comments and suggestions above. I just received a generic email from Westpac that they won't/can't recover the money and suggested that if I knew the recipient's contact I reach out to them to recover it directly. What a joke, right?

    Will definitely be going to the Financial Ombudsman now since I can't resolve it with the bank.
    I'm taking a careful approach with the builder as we're in the middle of the build.

    Will keep you guys posted. Again much appreciated with you guys taking the time to send through those links and previous posts.

  • This scam is becoming quite common lately. Make sure that you call the receiver to confirm the bank details and also to text you the bank details after the call so that you have triple verification.

  • +7

    I investigated a similar incident on behalf of a company. The scam was discovered when they followed up an unpaid invoice and the customer provided proof that they had paid; however, the account details were different. The customer then provided copies of a follow-up email they had received after the real invoice was sent, which had an edited copy of the invoice and a claim that the first one contained wrong account details.

    It was found that the business's WordPress website had been hacked via a very old plugin with vulnerabilities, giving the scammer/hacker access to download any system file of their choosing. The email contact form plugin on the WordPress site was using the company's admin email account to send emails, and the SMTP credentials were stored in plain text in a config file. The scammers then accessed the business admin email account via IMAP at their leisure and lay in wait for several weeks for an appropriate email to intercept. I determined that a number of weeks had elapsed between when the website was exploited and the scam email was intercepted.

    The bank account used by the hackers was that of a naive but willing participant within Australia who was likely provided with another scam story and allowed/assisted the funds to transit through their account and out of the country, whilst keeping a small percentage of the total amount in return.

    So in this case, the business was the source of the hack and both parties were victims in slightly different ways. As the business was the source of the hack they decided not to pursue the customer for further payment.

  • +7

    Open the scam email and a legit email from the builder. View the source of both. See if they're coming from the same server. See if SPF and DKIM are verified.

    If the mail server IP is right, SPF and DKIM tests PASS, you have proof that the builders email was hacked. You wouldn't even necessarily need all of those to be true to prove it.

    You're welcome to DM me if you want me to help you look at the details.

    • +2

      This… I am happy to have a look too if you want a 2nd opinion OP.

    • +1

      Email headers will easily tell you if the source of the hack is the builder or not. Any IT person can figure this one out for you.

    • +1

      OP can even check themself using the Microsoft Header Analyzer
      https://mha.azurewebsites.net/

    • Interesting.
      What is an easy way to check SPF and DKIM are verified?

      • +1

        I just view the source and see if they say PASS after them in the headers.

        If either of them is PASS, or if the server IP matches the legit server then it's reasonable to assume the builder has been hacked.

        In that case it's more likely that the responsibility can be passed on to the builder and their insurance, since the email was actually sent from their account.
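The header comparison the commenters above describe, as an added worked example (my own code, not from any commenter and not the Microsoft Header Analyzer linked above): it pulls the earliest Received hop's IP and the SPF/DKIM/DMARC results out of raw message headers, then compares a known-good email from the builder against a suspect one. Every message here is constructed; the domains (example.com, examp1e.com, example.net), the IPs (RFC 5737 documentation ranges) and the verdict labels are placeholders I chose for the example.

```python
"""Compare a known-good email from the builder with the suspect one.

Extracts the originating server IP (earliest Received hop) and the
SPF/DKIM/DMARC results from raw RFC 5322 headers, then classifies the suspect.
"""
import email
import re
from email import policy

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_headers(raw: str) -> dict:
    """Extract sender address, earliest-hop IP and authentication results."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    # Each hop prepends its own Received header, so the last one is the earliest hop.
    # Only hops added by your own provider can be trusted; earlier ones can be forged.
    origin_ip = None
    if received:
        match = IP_RE.search(str(received[-1]))
        origin_ip = match.group(1) if match else None
    auth = {}
    # Keep the first (top-most) result per mechanism: that is the one your own
    # provider prepended, not one a sender might have injected further down.
    for header in msg.get_all("Authentication-Results") or []:
        for mechanism, result in AUTH_RE.findall(str(header)):
            auth.setdefault(mechanism.lower(), result.lower())
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else None
    return {"from": sender, "origin_ip": origin_ip, "auth": auth}


def classify(legit: dict, suspect: dict) -> str:
    """Verdict labels are this example's own, not a standard."""
    if suspect["from"] != legit["from"]:
        return "lookalike-address"  # e.g. examp1e.com instead of example.com
    authenticated = (suspect["auth"].get("spf") == "pass"
                     and suspect["auth"].get("dkim") == "pass")
    if authenticated or suspect["origin_ip"] == legit["origin_ip"]:
        # Real address, real server: the message went out through the builder's mailbox.
        return "sender-account-compromise-likely"
    return "spoofed-or-relayed-elsewhere"


def build_sample(origin_ip, sender, spf, dkim, dmarc):
    """Constructed sample message; domains and IPs are documentation placeholders."""
    domain = sender.split("@")[1]
    return (
        f"Received: from mail.{domain} (mail.{domain} [{origin_ip}])\n"
        "        by mx.example.net with ESMTPS id abc123; Mon, 1 Mar 2021 10:00:00 +1000\n"
        "Authentication-Results: mx.example.net;\n"
        f"        spf={spf} smtp.mailfrom={sender};\n"
        f"        dkim={dkim} header.d={domain};\n"
        f"        dmarc={dmarc} header.from={domain}\n"
        f"From: Builder <{sender}>\n"
        "To: owner@example.net\n"
        "Subject: Progress payment 1\n"
        "\n"
        "Invoice attached.\n"
    )


LEGIT = build_sample("192.0.2.10", "builder@example.com", "pass", "pass", "pass")
# Scam sent through the builder's own compromised mailbox: identical at the header level.
COMPROMISED = build_sample("192.0.2.10", "builder@example.com", "pass", "pass", "pass")
# Scam from a lookalike domain the scammer controls, so SPF/DKIM for *that* domain pass.
LOOKALIKE = build_sample("198.51.100.77", "builder@examp1e.com", "pass", "pass", "pass")
# Scam forging the real address from an unrelated server.
SPOOFED = build_sample("198.51.100.77", "builder@example.com", "fail", "none", "fail")

if __name__ == "__main__":
    base = parse_headers(LEGIT)
    for label, raw in (("compromised", COMPROMISED), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(f"{label:12s} -> {classify(base, parse_headers(raw))}")
```

Paste the full "view source" / "show original" text of each message in place of the constructed samples. Two caveats: a sender can inject their own Authentication-Results header, so only the one your provider added at the top counts; and when both parties use a hosted service, the originating IP is the provider's shared outbound server, so a matching IP is weak evidence on its own. A message that passes SPF and DKIM for the builder's real domain is the strong signal, because that can only come from infrastructure authorised for that domain, which is exactly the point the comments above make.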

  • I always call to confirm banking details for new payments.

    If they change account details I will call to check validity of new account details. Only way.

  • +4

    I always do this with any new accounts, even from my wife to me or vice versa just in case we made a typo with the account number:
    - Add the new account number and transfer $1 to the new account
    - Confirm the $1 went through
    - Then can transfer whatever amount you want without the worry

    • In instances where the parties are at arm's length (i.e. not transferring to people you probably already trust), this is even more robust: transfer a small amount, but keep the precise amount a secret. Then contact the recipient and ask them to confirm how much they received.

      • Yup. You can deposit a small random amount and also with a secret reference number. Make a call or sms to confirm the payment so that it could be trusted. I actually had to verify a new credit card payment this way last week. It's not hard to do but people are complacent and don't think about it until after getting scammed.

  • Sounds like a compromised email account on the sender's end. The builder was probably hacked, and without him taking notice, forwarding rules were put in place to bounce the emails he generates to a 3rd party address (the scammer's), where they get doctored and passed along to their destination.

    Like other people have suggested before, lawyer up - you have an email exchange with an address which belongs to the builder. You have acted as instructed in them, and probably have some sort of contract in place which specifies how you will be communicating about the payments. If that email is mentioned in there, the builder SHOULD react to your demand to access his insurance if he gets an official letter of demand. If that doesn't happen, you can escalate this matter to a court, where it could be properly looked into.

    I wouldn`t be surprised, if it turned out builder's email was listed multiple times on www.haveibeenpwned.com.

  • +1

    These scams seem to be occurring more frequently. I'm in the process of building and will be triple checking by phone that the accounts are accurate.
    In future, never email to double check an account is correct. ALWAYS speak over the phone to confirm. If the builder, or yourself, were hacked, then it makes sense the hacker would be intercepting any future emails.

    I would be doing everything I can to get the builder to provide details as to why he believes he is not the one who has been hacked.
    The way I see it (and don't take this the wrong way), you, or I, are not as important to a hacker as the builder is. The builder would be receiving multiple payments per month, which makes him the ideal candidate to be hacked. Not the other way round. So unless you are somebody of importance (or rich?), you probably are not worth the time to be hacked.
    Again, I don't mean the above in any disrespectful way. I apply the same logic to myself :D

  • I understand your feeling. I hope you get your money back.

    I went through a similar scenario. I lost $1800 to a scammer. I called the bank immediately to freeze the fund process.
    Bank didn't do $$$$. So I lodged a police case. I talked to a lawyer who was a friend's friend. He told me don't waste my time and money. It's worthless unless it's a lot of money, and you take the bank to court to share the person's address, and then you involve debt collectors.

    Police said we can catch the person if we ever come across a breath test or any criminal acts.

  • +1

    Ouch, this sucks, have no insight into how to help and i hope you see your money again (well at least toward the house).

    But I wanted to add my experience. I recently built in WA and my builder made me directly aware of this scam prior to any money being transferred; every email, document etc. all mentioned to only ever pay to the BSB and account number that was listed on the initial contract, and to call and ask them for advice if you are ever advised to transfer money to an account that differs from the original contract.

    My guess is a lot of people have been hit by this scam in the building industry.

    But anyway, Bikies?

    • +1

      Will have to be overseas bikies - Indian or eastern European. That's where the scammers are.

  • Best way to avoid this for m365 is to have MFA and also disable POP/IMAP access to your accounts. Also block shared mailboxes from having sign in access.

  • Sure the builder's not running the scam? They wiped their hands of it fast.
    Wouldn't be hard to do, and if the invoice is identical and was a PDF you received, that means they'd need the original file to edit and change to put in their details (to make it 100% identical); maybe they store that template online, but that seems less likely honestly.

    If this was a base stage payment had you not gone to see the site and make sure the work was done? or had the stage been completed and was just super well timed?
    I know the sign off for draw down when banks are handling the payments specifically ask you to confirm you've been on site and seen works completed to what seems to be the value of the invoice or stage being claimed.

  • +2

    My parents-in-law lost money in what sounds like a very similar way. They themselves are builders and were paying an invoice they received in their email which had a faked pdf file attached. I don't believe they received any of the money back.

    They told me they believed the contractor they were paying had their email hacked and they were responsible for the mistake. But, after I checked their email, it was pretty obvious it was on their end.

    They use Hotmail. At some point someone had logged into their account and set up an automatic rule. If the email included the words invoice, payment, amount owing, etc. it would move the email into a different folder and then automatically forward the email to another email address (the scammer's).

    It seems the scammer then gets the email with pdf attachment with bank details, and they just use a basic pdf editor to alter the bank details on it. Then, they logged back into hotmail and put into their inbox the original email or a replica of it with the altered invoice. My parents-in-law who were expecting the email from that person for exactly that requested amount thought nothing of it. They made the payment and only days later when the contractor is looking for their money do they realise anything is wrong.

    When this first occurred they changed their password straight away. It was only weeks later, when they complained that they were missing emails, that they got me to look and I discovered the email rules. So for several weeks the person who scammed them out of the money would have been receiving even more emails with more receipts, but would have lost the ability to log in when they changed their password.

    If you are using hotmail/google etc then i would check your email rules and make sure there isn't anything there.
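The rule pattern just described (finance-keyword trigger, move to an unwatched folder, forward to an outside address), and the forwarding-rule scenario an earlier commenter raised for the builder's side, as an added hunting example. This is my own code, not from any commenter: it scores mailbox rules for the traits that together make up the invoice-diversion pattern. The field names loosely follow Exchange Online's Get-InboxRule output, which is an assumption on my part; the sample rules, the victim domain builder.example.com and the collector address are all constructed.

```python
"""Flag mailbox rules matching the invoice-diversion pattern: trigger on finance
keywords, forward outside the organisation, and hide the original from the owner."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class InboxRule:
    # Field names loosely follow Exchange Online's Get-InboxRule output (an assumption;
    # Gmail and consumer Outlook.com expose the same concepts under different names).
    name: str
    enabled: bool = True
    subject_contains: List[str] = field(default_factory=list)
    body_contains: List[str] = field(default_factory=list)
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    mark_as_read: bool = False


FINANCE_WORDS = {"invoice", "payment", "remittance", "amount owing", "bsb", "bank", "transfer"}
# Folders users rarely open: a favourite hiding place for diverted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                  "junk email", "deleted items"}


def external_recipients(rule: InboxRule, own_domains: Set[str]) -> List[str]:
    """Every forward/redirect target whose domain is not one of ours."""
    targets = rule.forward_to + rule.redirect_to + rule.forward_as_attachment_to
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() not in own_domains]


def assess_rule(rule: InboxRule, own_domains: Set[str]) -> List[str]:
    """Return the list of suspicious traits; an empty list means nothing stood out."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    external = external_recipients(rule, own_domains)
    if external:
        reasons.append("forwards or redirects outside the organisation: " + ", ".join(external))
    triggers = {w.lower() for w in rule.subject_contains + rule.body_contains} & FINANCE_WORDS
    if triggers:
        reasons.append("triggers on finance keywords: " + ", ".join(sorted(triggers)))
    if rule.delete_message:
        reasons.append("deletes the message")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves the message to '{rule.move_to_folder}'")
    if rule.mark_as_read:
        reasons.append("marks the message as read so it never shows as new")
    if not rule.name.strip(" .,-_"):
        # A blank or punctuation-only name is a common trick to make a rule easy to overlook.
        reasons.append("blank or punctuation-only rule name")
    return reasons


def hunt(rules: List[InboxRule], own_domains: Set[str]) -> Dict[str, List[str]]:
    """Map rule name -> reasons for rules worth a human look.

    Any enabled external forward is reported on its own; other traits must combine
    (a lone 'mark as read' or 'move to Archive' is ordinary user behaviour).
    """
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = assess_rule(rule, own_domains)
        exfil = rule.enabled and bool(external_recipients(rule, own_domains))
        if exfil or len(reasons) >= 2:
            findings[rule.name] = reasons
    return findings


# Constructed sample rules. builder.example.com is the victim's domain; the collector
# address is an attacker placeholder.
SAMPLE_RULES = [
    InboxRule(name="Newsletters", subject_contains=["weekly digest"], move_to_folder="Newsletters"),
    InboxRule(name=".", subject_contains=["invoice", "payment", "amount owing"],
              move_to_folder="RSS Feeds", forward_to=["collector@mail.example.net"],
              mark_as_read=True),
    InboxRule(name="Copy accounts", forward_to=["ap@builder.example.com"]),
    InboxRule(name="Old rule", enabled=False, forward_to=["collector@mail.example.net"]),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_RULES, {"builder.example.com"}).items():
        print(f"Rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

For a Microsoft 365 tenant an admin can feed this from Get-InboxRule output for each mailbox; for a consumer Hotmail/Outlook.com or Gmail account the owner has to read the rules and the separate forwarding setting in the web UI by hand, and the same traits apply. Rules are only one persistence method: also check for unknown devices or apps with mailbox access and for any "send as" or delegate permissions you did not grant.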

  • When transferring large sums for big ticket items (Car deposits, house deposits, rental bonds, progress payments) simply call the "customer care phone number" and confirm the BSB, Account number and account name - by phone. One day the banks will require matching account names when depositing - but not up till now and is a flaw in our banking system.
    Usually a sales contract or invoice will list the bank account details. If these details change or you're asked to use a different account at some point - call up and ask why.
    Be diligent with your money.

  • +3

    Banks could easily fix this. UK banks have begun fixing a lot of these scams by requiring account names to match the sort code and account number.

    AU banks should be forced to do the same.
