Small business owner here. Am I the only one who doesn't understand what's going on?!
On Friday I was very nearly caught out by a scam that would have cost me over £9,000.
I received a deposit from a known customer (whose account had been hacked) and shortly after received a phone call from someone supposedly being my customer. In this instance I knew my customer personally and recognised that the voice was wrong. He then became my customer's son!
As I didn’t have my customer’s bank details, he sent bank details across by text message. At this point the alarm bells had truly kicked in and I told him that I wasn’t doing anything until I had seen my customer in person to discuss it. I heard no more from the other guy and am left with a large sum of money sat in my account.
The bank then suspended my accounts. After a lengthy conversation, my accounts were freed up and I was advised that this money must only go back to the account that it came from or I could be in serious trouble.
Apparently it’s quite normal for scammers to use a third party (always a small business) as once it has passed through another account it can’t be taken back. The reason being that the account holder (me) would have made the payment and therefore under the rules, it’s not a fraudulent transaction whereas the payment to me was fraudulent because it wasn’t made by the account holder.
Had I paid the money back out, I’d be £9k down.
I was lucky but I was almost taken in. In a company where the person dealing with finance doesn’t have direct contact with the customer, it could easily pass through without a thought.
I thought it wise to share my experience to hopefully stop anyone being caught out.
In the financial services world everyone from chairman down to the lowliest clerk receives regular training on anti money laundering.
I wouldn’t be surprised if mandatory training was introduced for owners and directors of all businesses in the foreseeable future. Arguably it should be.
Scammer hacks customer account
Scammer pays legitimate business
Scammer phones business pointing out payment
Scammer gives account details to return the money
Business “returns” money to scammer’s account
Customer bank reclaims money as paid fraudulently by scammer
Business can’t claim money back from scammer as payment was made legitimately by business.
Customer gets his money back
Scammer gets money
Business left in the middle (in this case) £9k out of pocket.
The thing is that when you see someone has paid you by mistake, you want to get it back to customer ASAP so when you get a call, you’ve got it in your head to get the money back.
Last edited by Dave+63; 18th November 2018 at 11:21.
It sounds like he’s received some money into his account, a fraudulent transfer. He then had a call from his supposed customer exclaiming that it was made in error and would he be kind enough to transfer the money back, the scammer then texted some bank account details over. If he had fallen for it as he would have initiated the transfer he wouldn’t have been protected. The bank eventually cottoned on, suspended his account demanding that the fraudulent transfer go back? This is the bit I don’t really understand as surely it’s up to the bank to correct as the OP was an innocent party in all this.
Plenty of people have fallen for this. I remember reading of a lawyer whose secretary transferred over a large amount as she received an email supposedly from him to do so. Being a lawyer, as he knew the legal processes, he managed to put stop orders on some of the scammer's bank accounts and actually got some of his money back, not something that everyday people can do unfortunately, as the banks don’t care and hide behind their rules.
Tell me if I am incorrect:
The reason the hacker doesn’t simply send the £9k to his own account - is that all he has access to is existing payees of the customer?
By doing it the way he does - it breaks the trail for fraud investigation.
A couple of people have tried that trick on my trust company, to the point of registering a domain name that looks at first glance identical to ours and then sending an email to one of my employees purportedly from me giving instructions to transfer money to a named account. A stupid scam to attempt on a business like ours where we have to have controls in place to prevent this sort of thing.
The so-called "Fake president" fraud has yielded scammers billions over the past years. Again and again company employees are falling for it, sometimes for hundred million Dollars at a time.
French businesses have lost an estimated €465m since 2010, official figures suggest, with 15,000 firms falling victim to the scam, including big names, such as Michelin, KPMG and Nestle.
https://www.bbc.com/news/business-35250678
Someone who lies about the little things will lie about the big things too.
Wouldn't anyone want something a little bit more tangible than a phone call and txt message in order to justify monies leaving their bank account if only for the sake of balancing their books?
Fas est ab hoste doceri
That and the fact that as it was a fraudulent transfer the bank would claw it back whereas if the OP had transferred the money, even though it was part of the scam the bank would simply shrug their shoulders stating that you willingly made the transfer so tough. I really can’t see why there can’t be some sort of bank code or conduct that would protect people in these sorts of cases?
You would think so, but you would be amazed what some people do unless they have been educated in the risks, especially in larger businesses where there is less personal contact (as the OP said).
Most large companies now have a special process for registering supplier and customer bank detail changes that doesn’t rely on responding to emails and phone calls.
We had a fax come through (remember those?) from a reliable customer, but with bank details badly written on top of obviously tippexed out print.
Someone in that company thought they would 'divert' funds.
Had they been more professional about it, they probably could have got away with it if someone in accounts didn't recognize the change in account details for that particular customer.
Good to know this, thanks for the heads up
We lost £9k this year; they always try for under £10k. The director was away and a scammer cloned his email and emailed the accounts lady asking to pay a client. The email was letter-perfect in her mailbox, but when you clicked reply it changed by 1 letter. Unfortunately she did not check with me and just did the payment the same day. £9k gone in less than 5 mins. Like above, because we sent the payment it's not fraud, and neither the police nor the bank showed much interest!
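Two posts in this thread describe a sender or reply address that differs from the real one by a letter. The following is an added example, not written by any poster here, of a check a mail filter or accounts team could run on a raw message before acting on a payment request. The domain `acme-widgets.example`, the sample messages and the function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = ["acme-widgets.example"]  # constructed: domains you really deal with

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def check_message(raw, trusted=TRUSTED, max_distance=2):
    """Return a list of warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    # With no Reply-To header, replies go to the From address.
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    warnings = []
    if reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not sender domain {from_dom}")
    # A domain that is close to, but not equal to, a trusted one is a lookalike.
    for dom in sorted({from_dom, reply_dom}):
        for good in trusted:
            d = edit_distance(dom, good)
            if 0 < d <= max_distance:
                warnings.append(f"{dom} is {d} edit(s) away from {good}")
    return warnings

# Constructed sample messages (not real mail).
SPOOFED_REPLY = ("From: The Director <director@acme-widgets.example>\n"
                 "Reply-To: director@acme-widqets.example\n"
                 "Subject: Urgent payment\n\nPlease pay the client today.\n")
LOOKALIKE_FROM = ("From: The Director <director@acme-widget.example>\n"
                  "Subject: Urgent payment\n\nPlease pay the client today.\n")
GENUINE = ("From: The Director <director@acme-widgets.example>\n"
           "Subject: Lunch\n\nBack on Monday.\n")

if __name__ == "__main__":
    for name, raw in [("spoofed reply", SPOOFED_REPLY),
                      ("lookalike from", LOOKALIKE_FROM), ("genuine", GENUINE)]:
        print(name, "->", check_message(raw) or "no warnings")
```

A clean result only means the addresses look consistent; a request to pay new bank details still needs confirming through a contact route you already hold.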
I really don’t know what’s going on here; the week before the attempted scam a customer genuinely overpaid me by a factor of ten and another customer did the same yesterday!
In both instances it was a genuine mistake and has been rectified face to face but that’s the only two times it’s happened in nearly ten years!
In the last month I have received the most convincing "PayPal" phishing email I have ever seen - and today received a totally convincing bogus invoice "from" a regular business contact.
I presume there is so much money to be made from this type of scam, and so little chance of being caught, let alone successfully prosecuted, that there is some serious investment from organised crime going into it.
I can't help but see this as a missed opportunity for banks to gain massive kudos from dealing with this kind of fraud. All domestic banking transfers should be traceable, and someone's money remains their money until they part with it legitimately however many accounts it passes through.
There really is a technical solution to most of the bad being committed here but it takes determination and commitment to sort it - 'though surely the banks that would do it would instantly clean up in their markets? I'd move my business to such a bank without hesitation.
A company who have carried out work for me had their accounts hacked. I was sent two bogus invoices; I knew I did not owe the money so did not make any payment. I telephoned the secretary to tell them, and she knew nothing.
The law is not a problem. If your money is in someone else's account (in England & Wales) and you didn't put it there or were tricked into doing so, it's still your money and a court will order its return. The problem is that banks will not usually act without an order from the court or the consent of the other party. Another practical problem is that as part of a fraudulent transaction it'll be gone in an instant. If you were to find money in your account that you knew not to be yours, and you spent it, you would be liable to repay it to the proper owner.
What is needed is for banks to have terms of business with their customers, and agreements between themselves, that allow wider powers for freezing and recovery of misplaced funds within their accounts network, without the need to go to court to get an injunction. That's actually a significant burden on the banks to administer, but my argument is that the cost of doing it would be offset by the benefit to the credibility of their wider business. Plainly they don't (yet!) agree.
Actually never realised this, just checked some history on my business account and lo and behold no details other than a reference! So I can see why it would easily catch someone out! I guess the only answer is to call the bank and get them to do a reversal on the transfer?
'Against stupidity, the gods themselves struggle in vain' - Schiller.
BTDT... 20K down. This was about ten years ago and it was a payment to us by a stolen/fake cheque. Punter was screaming saying please send it back asap because it was a mistake and my boss will kill me. My MD made a BIG mistake and after a couple of days TTed the money back. The very next day the payment was refused by our bank due to it being a fraudulent cheque..... we were 20K down! 10 years later and it still makes me break out in a cold sweat.
Send me £10000. Then tell your bank it’s all a mistake, you meant £1.00.
How is it in cases like this it’s not as simple as finding the scammer based on their bank account info?
Surely to have a bank account you need to be giving legitimate details? And then they go and try and draw out the £9k (which is a fuss in itself these days).
If they put more onto the bank to make them responsible for having a legit account it may not be quite so easy for these scammers.