$51K Concreter Scam

Tradies frustrated by banks as business email scam costs them $51,000

By consumer affairs reporter Amy Bainbridge and Loretta Florance 

I will email them both a link to this page and offer my advice and experience around this type of scam

Jane Fleming realised too late she'd sent $51,000 to the wrong account 

As Jane Fleming lit the candles on her son's birthday cake, she was preoccupied with a substantial sum of missing money — $51,000 to be precise

"It was a horrible day. I just felt sick all day, just wondering where the 50 grand was," she said

It was on her son's ninth birthday that she realised she'd transferred that amount into a scammer's bank account

Jane helps run the family building business, and in May she was arranging to pay $51,000 to a subcontractor

 May?  WTF?  Why is this a story in November?  Here I was thinking I could help but it's way too late.  But I'll press on.

I thought it's a huge [invoice]. I'll break it up into two payments until we've got more funds to pay for the whole invoice," she said

She'd worked with concreter Simon O'Donnell for almost a decade, making countless payments to him in that time

It get's a bit confusing with regard to names, I have deduced that Matt is Jane's husband and Simon is clearly the concreter they contracted to do the concreteing work which was valued at $51,000

Simon O'Donnell is frustrated the scammers were able to set up an Australian
bank account and send the money overseas  (ABC News: Amy Bainbridge) 

Simon asks the big question right here, why is it so easy for scammers to open Australian bank accounts when the rest of us have to walk into a branch and offer up 100 points of ID plus we have to look exactly like the photo on our drivers licence or passport.  The answer is that most banks require LESS identification when bank accounts are opened online and MOST banks don't even require that you look like the photo on the licence or passport details submitted and SOME banks don't even require you to upload a copy of the document.  Why indeed?  More on this later.

But a couple of days after Jane transferred the funds, Simon called her husband, asking where his money was. 

"I had my bank account on my computer screen right in front of me and there was no money there" Simon said

Simon could see that the funds had not been transferred into his bank account as per the invoice he had emailed Jane

"His wife said in the background something to the effect of, 'I've paid Simon, he was the one that changed his bank details"

"His wife" is actually Jane who said this to her husband Matt while Matt was talking with Simon about the missing payment

"Then the penny dropped."

Simon realised he'd been scammed.

This is where it gets a bit confusing.  Simon did not get scammed, Jane & Matt got scammed.  Jane & Matt still had to pay Simon the $51,000, so I think in the sentence above which refers to Simon is actually referring to Matt.

He (Matt) said such a substantial loss of money was a kick in the guts in an already difficult period.

"You feel completely helpless," he said.

"I've, from my angle, done nothing wrong. I finished a good job for someone, he was happy with the job, and I'm a lot of money out of pocket for six months, which during COVID hasn't been ideal."

But the money was gone — and so began (Matt) and Jane's efforts to get it back.

This is the brutal reality of scams, the moment you realise you have been done for a substantial amount of money where your are fearful that you won't get it back, a view which is often reinforced by the typical approach by banks who will work hard to blame to the target of the scam

Spot the difference

When Jane received the $51,000 invoice from Simon, she did notice his bank account had changed and updated his details before transferring the money.

Now we get to the nitty gritty, this is the first red flag, which is only a red flag if you know this is a "thing".  As Jane said to the reporter, she did not even know emailed invoices could be changed like this.  The scammer has to let you know the bank account details have changed so that they can receive the stolen funds.

"We hadn't used Simon for six months so I thought he's possibly changed it over that period of time," Jane said.

This is a reasonable assumption when everyone plays nice, as people do change banks and therefore bank accounts so the advice about the updated bank details was nothing out of the ordinary.

The email itself didn't seem unusual and it showed clear details of the job that'd been completed.

It is unclear whose email account had been compromised.  Forget about "hackers" that's not how this scam works.  The scammer infiltrates a compromised email account, usually because someone has given up their email credentials to a fake email, fake Facebook post or fake website.  The scammer then logs in to the email account quietly, perhaps installs an email filter or auto-forwarder and then waits for an email to be sent or received.  The compromise can happen at either end and it's just a matter of luck which invoice gets altered first.  This scam could just have easily cost Simon $51,000.  Let's have a look at the email

The email Jane Fleming received from Simon showed a knowledge of the job
and didn't set off any alarm bells (ABC News) 

OK, first things first, we don't know the sender's email address which is a crucial point.  If the sender's email address was spoofed ie not the genuine email address of the sender, then that indicates Jane & Matt's mailbox was compromised.  If the sender's email address was correct, then it is more likely that Simon's mailbox was compromised.  When we are alerted to scams like this, the first thing we do is a thorough check of our customer's mailbox looking for any sign that it has been compromised and we advise the apparent sender to have their IT people do the same thing at the other end.  If either email address was a free service provided by an internet provider (you whistle, I'll point) then we would suggest a lack of email security by the provider contributed to the success of this scam.

The reason the email looks genuine is because it is a very close copy of the orginal email which is hidden from view, perhaps in the junk mail folder or perhaps in deleted items.  The scammer knows that the original language in the email will make it seem genuine and scammers also know that pretty much everyone only pays attention to the content of the email rather than the email header which often makes sense even with genuine emails!

The email advising the change of bank account details is often a separate email sent before the modified invoice, the article does not show the email with the new bank details.

But after looking at the email Simon sent, and the one Jane received, it was clear something was off.

Simon's outbox shows he sent the invoice to Jane at 4:56pm on a Friday — but it didn't appear in her inbox until 7:30am on the Saturday.

When Jane & Matt stated they had paid Simon the $51,000 and Simon stated he had not received the payment, the very next thing to do is to compare the invoice and email sent with the invoice and email received which is when the scam is uncovered.  The email delay bis incosequential, email delays tdo occur from time to time across the mail servers of the world and scammer can intercept and change PDF invoices within minutes, so this delay just doesn't matter.  I saw a headline about this scam which suggested the email delay cost them $51,000.  This is incorrect.

According to associate dean for computing and security at Edith Cowan University, associate professor Paul Haskell-Dowland, someone had gained access to either Simon or Jane's computer, and was waiting for an opportunity like this. 

We 100% agree with Paul as per the comments above.

Dr Haskell-Dowland believes hackers gained remote access by hacking the builder's website and surreptitiously redirecting visitors to another site which installed malicious software. 

However, we disagree on this point.  Whilst what Paul says can and does happen, it is highly unlikely to have occruured in this case.  Every fake invoice scam we have dealt with has come from an infiltrated mailbox where the owner of the mailbox has inadvertently given up their email credentials at an earlier point.  Which is why email passwords have to be unique and two-step (or two-factor) verification should be attached to every email account.

Cyber crime expert Paul Haskell-Dowland believes the scammers altered emails
by accessing one of the computers using malware (ABC News: Andrew Willesee) 

We agree with Paul on this point.  Malware delivered via an attachment to an email where the recipient attempts to open what they thought was a Word document, an Excel spreadsheet or (horror of horros) a ZIP file apparently containg an invoice (ironic much?) is certainly the starting point for a lot of different types of scams.  Some malware payloads will try and capcture key-strokes and report back to the scammers head office...

"So potentially having direct access to the computers and monitoring them, perhaps keeping an eye on them for a while, getting a feel for the kind of invoices that are being sent that way," he said.

"It's that control that has allowed the attackers to manipulate and modify emails between the two parties in this particular case."

He said the hackers may have had access to the computer for months, or even longer — and a late-afternoon invoice was a prime target.

"An end-of-day invoice coming through where they know that the receiving company isn't going to look at their email … that opens up an opportunity and it gives them time to analyse the email, to examine the [attached invoice]," he said.

The invoice Jane received looked exactly the same as the one Simon sent,
except the bank account was different (ABC News) 

Paul's analysis is spot on.  This is aexcalty what we have seen in our market here on Eyre Peninsula.  The attached invoice will look EXACTLY the same except for the altered bank details and it's really hard to pick visually without a strong magnification of the BSB & account number.

Dr Haskell-Dowland examined the fraudulent invoice and said the alterations could only have been made by a person.

"The email would have been intercepted potentially via automated means and would have then been modified by human means," he said.

Yes, we agree, scammer can manipulate invoices and indeed web pages in real time, their editing skills are superb and it is done manually

...to be continued