Payment redirection fraud

You receive an email requesting a payment. It could be for rent, it could be fees for a course, or any other legitimate reason. Typically, the payment is a significant sum. The email contains the banking details you need to make the payment. Shortly after the first email arrives, you receive a second. It says the banking details have changed: there was a mistake, they are sorry, and here are the correct details. You make your payment using the new banking details.

Time passes. Nothing happens…

You contact the organisation to say you have paid. You weren't expecting a thank-you note, but you were expecting at least some acknowledgement. Instead, they say:

‘You’ve paid? Really? We are not seeing any record of a payment’.

You get a sinking feeling. Where has your money gone?

So what went wrong?

Here is what we think is happening in these cases. The email requesting the initial payment was legitimate, but it arrived in an email account that had been compromised. A fraudster had access to that account and was watching the mail coming into it, possibly for some time. Having seen a payment request, the fraudster sent the second email themselves, forged to look as if it came from the original sender, with the banking details replaced. We have seen this with accounts from service providers such as Gmail or Yahoo (though there is no inherent reason why those accounts should be less secure than any other).

You might assume this is a problem the banking system can sort out. After all, you know exactly who you paid: you have their account number, sort code and so on, so surely the bank can retrieve your money? Unfortunately not. The receiving account is unlikely to be operated by its nominal holder. Any money paid into it is moved out again almost immediately. This is money laundering: the sum is split and moved on into other accounts at other banks to obscure its path through the banking system, before being reassembled and emerging for the fraudster to collect.

Bottom line is it’s unlikely that the process can be unwound to retrieve your money.

What is new is that fraudsters appear to detect exploitable financial opportunities, such as requests for payment, and pounce on them very quickly. They can turn around a plausibly forged email attempting to redirect the payment (complete with the sender's email signature, graphics and so on) in as little as 10 to 15 minutes. This suggests some automation is involved: enough logic to spot simple patterns, such as banking details appearing in otherwise routine email traffic, and bring them to the fraudster's attention.

Preventing Payment Redirection Fraud

If you are sending out banking details, double-check they are correct and tell recipients that you will not change them by email. Tell recipients to report any attempt to countermand the details immediately as suspicious, and to report it by some route other than email, because the fraudster may simply intercept and delete the warning. If people follow this practice it stops the fraudster's attempted redirection in its tracks. (The downside is that if you really do need to change your banking details, you may have to write to recipients by post.)

If you are paying someone using bank details they provided by email, and you then receive a change to those details, don't believe it. Find the sender's contact details independently of the email (for example from a previous letter or the organisation's published website) and check with them before you part with any funds. A fraudster who forges an email can fake the contact details in the message too: it could be the fraudster you end up calling, and of course they will say the change is legitimate.
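The two rules above can be partly automated on the receiving side: a message that "corrects" banking details already received by email is flagged for out-of-band verification, and the contact details inside it are marked as not to be trusted for that verification. The script below is an added example written for this post, not OxCERT's code. The two messages it compares are constructed for illustration, and every domain, name, sort code, account number and phone number in them is invented. The Reply-To and phone-number checks are extra heuristics of our own: a fraudster who sends the forgery from the compromised account itself will show no header mismatch, which is exactly why the page's rule (verify independently of the email) remains the real control.

```python
"""Flag a follow-up email that changes bank details supplied in an earlier one.

Added example for this post (not OxCERT's code). It automates the rule above:
banking details that arrive by email and are then "corrected" by a second
email are treated as suspicious and must be confirmed out of band. The two
messages below are constructed for illustration; the domains, names, sort
codes, account numbers and phone numbers are invented.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Labelled UK bank details as they appear in a payment request body.
SORT_CODE_RE = re.compile(r"sort\s*code\s*[:\-]?\s*(\d{2})[- ]?(\d{2})[- ]?(\d{2})", re.I)
ACCOUNT_RE = re.compile(r"account\s*(?:number|no\.?)\s*[:\-]?\s*(\d{8})\b", re.I)
# A UK-style phone number; used to notice that the "contact us" number changed as well.
PHONE_RE = re.compile(r"\b0\d{2,4}[ -]?\d{3}[ -]?\d{3,4}\b")
# Wording that announces a change of details ("new", "corrected", "updated" ...).
CHANGE_RE = re.compile(
    r"\b(new|correct(?:ed)?|updated?|changed?|amended)\b[^.]{0,60}\b(bank|account|sort code|details)",
    re.I,
)


def body_of(raw: str) -> str:
    """Return the plain-text body of a single-part RFC 5322 message."""
    return message_from_string(raw).get_payload()


def header_domain(raw: str, name: str) -> str:
    """Lower-cased domain of an address header ('' if the header is absent)."""
    _, addr = parseaddr(message_from_string(raw).get(name, ""))
    return addr.rpartition("@")[2].lower()


def extract_bank_details(body: str):
    """Return {'sort_code': 'NN-NN-NN', 'account': 'NNNNNNNN'}, or None if absent."""
    sc, acct = SORT_CODE_RE.search(body), ACCOUNT_RE.search(body)
    if not (sc and acct):
        return None
    return {"sort_code": "-".join(sc.groups()), "account": acct.group(1)}


def extract_phones(body: str) -> set:
    """Phone numbers in the body, normalised by removing spaces and dashes."""
    return {re.sub(r"[ -]", "", p) for p in PHONE_RE.findall(body)}


def assess_followup(original_raw: str, followup_raw: str) -> dict:
    """Compare a follow-up with the original request and list reasons for suspicion."""
    orig_body, new_body = body_of(original_raw), body_of(followup_raw)
    orig_details, new_details = extract_bank_details(orig_body), extract_bank_details(new_body)
    reasons = []

    # The policy trigger: details already received by email are being replaced by email.
    if orig_details and new_details and new_details != orig_details:
        reasons.append(f"bank details changed by email: {orig_details} -> {new_details}")
    if CHANGE_RE.search(new_body):
        reasons.append("message announces new/corrected banking details")

    # Heuristic: forged mail often routes replies elsewhere. A forgery sent from the
    # compromised account itself will NOT trip this check, so absence proves nothing.
    from_dom, reply_dom = header_domain(followup_raw, "From"), header_domain(followup_raw, "Reply-To")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # A changed contact number means the number in the email must not be used to verify it.
    orig_phones, new_phones = extract_phones(orig_body), extract_phones(new_body)
    if orig_phones and new_phones and new_phones != orig_phones:
        reasons.append("contact number differs from the original; verify via an independently obtained number")

    return {"suspicious": bool(reasons), "reasons": reasons,
            "original_details": orig_details, "new_details": new_details}


# Constructed sample messages (all identifiers invented).
ORIGINAL = """\
From: Accounts Office <accounts@example-college.ac.uk>
To: student@example.com
Subject: Accommodation fees due
Message-ID: <orig-1@example-college.ac.uk>

Dear Student,

Please pay this term's accommodation fee of GBP 2,400 by 30 September.

Account name: Example College
Sort code: 12-34-56
Account number: 12345678

Queries: 0123 456 7890
Accounts Office
"""

FOLLOWUP = """\
From: Accounts Office <accounts@example-college.ac.uk>
Reply-To: Accounts Office <accounts@example-college-payments.com>
To: student@example.com
Subject: RE: Accommodation fees due - CORRECTED bank details
In-Reply-To: <orig-1@example-college.ac.uk>

Dear Student,

Apologies, the bank details in our earlier email were incorrect. Please use the
correct details below:

Account name: Example College
Sort code: 65-43-21
Account number: 87654321

Queries: 0123 456 9999
Accounts Office
"""

if __name__ == "__main__":
    verdict = assess_followup(ORIGINAL, FOLLOWUP)
    print("SUSPICIOUS" if verdict["suspicious"] else "no change detected")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

Run stand-alone, the script reports the follow-up as suspicious for all four reasons; comparing the original message with itself produces none. The output is a prompt to pick up the phone using a number obtained elsewhere, not a verdict on its own.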

If you have transferred money and it has not arrived, you need to act quickly. Stay calm:

  • talk to the fraud team at your bank and tell them what has happened
  • regain control of your email account by changing your password
  • tell OxCERT (or your local security team) so they can secure any logs as evidence
  • and, because this is a crime, you will ultimately need to report it to the police.