15 Nov 2017
Author: Stephen Breen
There’s always some online scam doing its rounds and most of us feel pretty confident that we’d never fall victim. However, a recent scam has caught out more than 19,000 unsuspecting people and netted fraudsters a total of £100 million in the first 6 months of the year.
Many of us will have paid money over to a solicitor, builder, company or friend at some point using the online banking system. Before we are able to make that payment, we need the recipient’s bank details – and over the years, it has become commonplace for these to be sent those via email.
Breens do not accept change of bank details by email, nor do we send out change of bank details by email. However, other firms, companies and tradespeople have used email – and still do – and fraudsters have seen an opportunity to exploit this practice.
The scam, known as push payment fraud, involves creating email accounts that mimic the firm of solicitors, tradesperson or company and sending over fake details. The same trick has been used both to provide initial bank details, and to notify the unsuspecting victim of a ‘change in bank details’.
In both cases, the email appears in almost every respect to come from the solicitor, tradesman or company. Either the email address is spoofed (i.e. the trickster uses a webmail programme to make it appear as if the email came from the EXACT email address that the victim has been dealing with) or the email set up is very similar to that provided by the firm.
Avoid falling victim
The only way to avoid falling victim in this trap is to call up the firm and ask them to confirm their bank details over the phone.
Never, ever transfer money to a bank account number provided in an email – even if it looks for all intents and purposes as if it comes from someone you know.
Do not call any phone number quoted on the email to verify the details – this could also be fake. Use numbers from genuine paper correspondence received from the firm.
If you use the firm’s website to find the phone number, take great care to ensure the web address you visit is correct. Fraudsters have in the past set up mirror websites that are almost identical to the correct web address save for one character, and it can be easy to miss these tricks. For example, would you notice if you visited breenonline.co.uk rather than breensonline.co.uk, if both sites looked exactly the same? It is extremely easy to get such websites listed in Google’s results but a listing in Google does not mean that the site is genuine.
What can I do if I’ve been scammed?
Unfortunately at this time, it is very unlikely that you will get any money back. In one recent case a hacker intercepted an email from Mercedes Benz and then used a spoofed email address to give a small business owner fake ‘Mercedes Benz ‘ bank account details with Barclays for payment of a vehicle, into which she transferred £12,500 from her Natwest account. Once the hacker received the money, they emailed the business owner to tell them they could pick up the vehicle. On discovering that she had been scammed and reporting it, the owner was told by Natwest that there was nothing they could do, as the money had disappeared. The bank stated:
“We know how distressing becoming a victim of a scam can be and we do everything we can to minimise the impact to the customer. When we become aware of a potential fraud or scam, we investigate and take appropriate action to recover any funds. Unfortunately in this case the majority of the funds were unrecoverable.”
Barclays told the business owner that when the fraudster set up the bank account, procedures had been followed – but it was only able to recover £40. Barclays said:
“…the majority of funds were withdrawn in cash or transferred to other accounts. Only the police have the authority to investigate the movement of funds and the person managing the account — banks do not have this authority.”
The Payments System Regulator has announced that it will consult on ways that people who are fooled into sending cash can be compensated. The Regulator also proposes to make it more difficult for people to open bank accounts and collect their fraudulent earnings.
Chief Executive of Which? Peter Vicary-Smith also believes that banks need to put in place better checks and protections, to prevent scams like these from happening.
Remember: never, ever transfer money to another person using bank details received in an email – even if it is from a ‘known’ email address. It is very easy to spoof an exact email address (i.e. make it look as if the email came from one of your contacts). Breens do not accept change of bank details by email, nor do we send out change of bank details by email.