The press cover many different types of fraud and phishing attacks, but I’ve never read about this one. I’d have been unlikely to believe it, but I had heard of it happening to “friends of someone I know” and then, in mid-2016, I saw it for myself. It’s quite involved and takes a bit of understanding, so it’s forgivable that there’s little public awareness.
In short, sending payments by internet banking is safe. Assuming that you’ve got the right account number and sort code, though, isn’t safe. What if you haven’t? You’d be sending money to the wrong person – it’d be your fault, and no-one will refund you.
Quick summary: Before you send a big bank transfer to someone for the first time, send them a small amount first, and check they got it. Assuming that they did, send them the rest.
Read on for what happened to a real-life company that I saw with my own eyes in mid-2016:
The tractor attack
I was working for someone in mid-2016 when they asked me how someone could have sent them £50,000 but they didn’t receive it. It was not a banking error. Let’s call them Tractor Co. They had sent a prospective customer in Cornwall an invoice for £50,000 for a tractor. Let’s call the customer Farmer Pete.
Farmer Pete had seen an advert for a £50,000 tractor that he wanted to buy. He called Tractor Co and they discussed options (who knows – a bracket for his wellies, a shelf for his pasty, and go-faster stripes) and agreed that Farmer Pete would buy the tractor from Tractor Co.
Tractor Co would deliver the tractor to Farmer Pete in Cornwall within three days of Farmer Pete paying £50,000 by bank transfer. So on Friday morning, Farmer Pete sent an email to Tractor Co so that they had his email address. That evening, Tractor Co raised a £50,000 invoice, saved it as a PDF, replied to the email they received, and attached the PDF invoice – and emailed it to Farmer Peter. All pretty standard stuff.
On Monday morning, Farmer Pete saw an email from Tractorr Co, opened it, and saw the invoice. He noted down the account number and sortcode, logged into his online banking account, and transferred £50,000. Still pretty standard.
On Wednesday, Farmer Pete phoned Tractor Co to ask when they’d be delivering his tractor. Tractor Co said they’d not had the money yet – nice try – pay us, then we’ll organise the delivery!
Farmer Pete checked his account: the £50,000 had left it on Monday. He checked the invoice: he’d sent the money to the account it listed. He phoned his bank, they checked, and it had gone to the account he’d entered. Tractor Co phoned their bank – nothing.
Tractor Co think that Farmer Pete is trying to scam them out of a tractor, but he can’t – because the tractor is still parked outside their office. That’s when they asked for my help.
What the hell happened?!
I phoned Farmer Pete and he sounded pretty straight. Someone is scamming someone, but Farmer Pete sounds too backward to be the scammer (with apologies to all Cornish farmers for the stereotype, but I’m yet to meet one of you who can blind me with science). Tractor Co are reliable, I know them, so I don’t think that they’re the scammer. Besides, they don’t have the money and pulled the advert for their tractor because they thought they’d sold it – they’re not winning here.
Farmer Pete described the invoice he’d received. It just didn’t sound like the one that Tractor Co were showing me, so I asked him to send me a copy of it. It wasn’t the same!
Farmer Pete emailed Tractor Co so that they had his email address. Tractor Co’s email account had already been compromised! Someone read the email before Tractor Co. That person deleted Farmer Pete’s email from Tractor Co’s account, then created a NEW email address for Farmer Peter, and sent an email from “Farmer Peter” which Tractor Co saw. Tractor Co emailed their invoice to “Farmer Peter”, thinking it was Farmer Pete.
The fraudster, on receiving the invoice sent to his new “Farmer Peter” account, created another new email account in the name of “Tractorr Co”, and used that address to send a modified invoice to the real Farmer Pete. (Go back and re-read the first few paragraphs – it isn’t a typo where I say “Tractorr” or “Peter”)
That means that the fraudster is both “Farmer Peter” and “Tractorr Co”. The fraudster saw the email that the real Tractor Co sent, thinking they were sending it to the real Farmer Pete, changed the bank account details at the bottom of the invoice, and then sent the invoice to the real Farmer Pete from the fake “Tractorr Co” address.
Why wasn’t it spotted?
The real Tractor Co didn’t realise that their email account was being monitored, and didn’t know that the email they got from “Farmer Peter” was a forged message; they thought it was from the real Farmer Pete.
Farmer Pete got a message from “Tractorr Co” without realising that it wasn’t from the real “Tractor Co”.
There is no link between a bank account number and sort code and the name of the person or company that holds the account – so Farmer Pete had no way of knowing that he was sending his £50,000 to an account that didn’t belong to Tractor Co.
What can you do to protect against that?
Technically, if you send email from your own domain name, you can set up SPF or DKIM (or both) so that a receiving mail server can check that a message really came from that domain, but that wouldn’t have helped in this case because Tractor Co used a Yahoo email account. Besides, checking SPF/DKIM results is way beyond most people.
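To make the two points above concrete – that the fraud turned on addresses one letter away from the real ones (“Farmer Peter”, “Tractorr Co”), and that SPF/DKIM only vouch for the sending domain, so a freshly created mailbox at the same free-mail provider passes them just like the genuine one – here is an added illustration. It is not code from the original post or from either company in the story. It parses a constructed email, compares the sender address against a hypothetical address book of contacts you have verified out of band (by phone, say), flags near-matches by edit distance, and reads the SPF/DKIM verdicts from the Authentication-Results header. All addresses, domains and messages below are invented for the example.

```python
"""Flag sender addresses that nearly match a known contact, and show why a
passing SPF/DKIM result does not help against a lookalike mailbox.
Added illustration; every address and message here is constructed."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical address book: addresses you have previously confirmed out of band.
KNOWN_CONTACTS = {
    "farmer.pete@webmail.example": "Farmer Pete",
    "tractorco@webmail.example": "Tractor Co",
}


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(addr, known=KNOWN_CONTACTS, max_distance=2):
    """Return ("known", name), ("lookalike", nearest known address) or ("unknown", None)."""
    addr = addr.strip().lower()
    if addr in known:
        return "known", known[addr]
    nearest = min(known, key=lambda k: edit_distance(addr, k))
    if edit_distance(addr, nearest) <= max_distance:
        return "lookalike", nearest
    return "unknown", None


def auth_results(msg):
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results.
    These describe the sending domain, not the person behind the mailbox."""
    header = msg.get("Authentication-Results", "") or ""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def check_message(raw):
    """Summarise who a message claims to come from and whether you already know them."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(msg.get("From", ""))
    kind, detail = classify_sender(addr)
    auth = auth_results(msg)
    return {
        "from": addr,
        "display_name": display,
        "sender": kind,
        "nearest_known": detail,
        "auth": auth,
        # True whenever the provider signed the mail, genuine or not.
        "domain_authenticated": auth.get("spf") == "pass" or auth.get("dkim") == "pass",
        # Only an address verified out of band should be trusted for bank details.
        "safe_to_pay": kind == "known",
    }


# Constructed sample: the invoice as it reached the real customer, from a newly
# created "Tractorr Co" mailbox at the same provider, which signs it like any other.
FORGED_INVOICE = """\
Authentication-Results: mx.webmail.example; spf=pass smtp.mailfrom=webmail.example; dkim=pass header.d=webmail.example
From: "Tractorr Co" <tractorrco@webmail.example>
To: farmer.pete@webmail.example
Subject: Invoice for tractor

Please find the invoice attached. Bank details are at the bottom.
"""

# Constructed sample: a message from the address already in the address book.
GENUINE_MAIL = """\
Authentication-Results: mx.webmail.example; spf=pass smtp.mailfrom=webmail.example; dkim=pass header.d=webmail.example
From: "Tractor Co" <tractorco@webmail.example>
To: farmer.pete@webmail.example
Subject: Re: tractor

Thanks for getting in touch, invoice to follow.
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED_INVOICE), ("genuine", GENUINE_MAIL)):
        print(label, check_message(raw))
```

Both constructed messages come back with `domain_authenticated` set to True, which is the point of the paragraph above: the provider's SPF and DKIM only say the mail left its servers, not which customer sent it. The lookalike check is what separates them, and it only works if the address book holds addresses you confirmed some other way; a first contact by email has nothing to compare against, which is why the test-payment advice below still matters.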
Both Farmer Pete and Tractor Co should have been more careful with the email addresses they were using, but in reality, it’s a very very easy thing to miss.
Tractor Co shouldn’t be using Yahoo Mail, and should look after their password more carefully.
The real recommendation, which would take very little extra effort: Farmer Pete should have sent a bank transfer of £10 to Tractor Co and then phoned them to check that they’d received it. If they hadn’t, he’d have been able to find out why he’d lost £10. He did not do that, so he lost £50,000.
What happened in the end?
Farmer Pete is £50,000 down. He didn’t get the tractor. He’d sent someone else £50,000… presumably someone who’d had their internet banking details stolen, had £50,000 pass through their account and it got emptied sharpish.
Tractor Co re-advertised their tractor and sold it to someone else. Tractor Co asked me to help them protect their email account to guard against such an event recurring. (They didn’t let me do it in the end, so perhaps there will be a 2017 supplement to this story when someone else gets stitched up.)
It’s genius, really. A lot of criminal effort, but it “worked” perfectly.