Land Rover dealership in damage control over deposit stealing scam
Tote
17th November 2022, 06:49 AM
A WA Land Rover Dealership is in damage control over a deposit stealing scam that impacted one of their customers. Perth car buyer loses $20,000 in ‘distressing’ email scam | news.com.au — Australia’s leading news site (https://www.news.com.au/finance/money/costs/outraged-perth-man-claims-he-lost-20000-in-distressing-email-scam/news-story/35d01425c3efa49756bbf4a2947ef4df)
You'd reckon there might be some blame to be held by the banks as the facilitators of large fast money transfers......
Regards,
Tote
Graeme
17th November 2022, 07:20 AM
Businesses should NEVER provide bank account details in emails, instead refer customers to their web-site for account details if the business doesn't have online payments via a web-site. Furthermore, people should never rely upon bank account details that have been provided in an email.
Tins
17th November 2022, 02:17 PM
Definitely 'caveat emptor', however, I find the following interesting: It wasn't Medibank's fault either. Or Optus.
“Their email had been compromised,” Mr Palmer told news.com.au. “They said they had been hacked and it was not their fault.”
Arapiles
17th November 2022, 04:39 PM
These email scams have been common for nearly 10 years now, so companies should be aware of them - law firms in particular have been hit by them and now have agreed protocols for payments. It just goes to demonstrate that email isn't very secure.
JDNSW
18th November 2022, 05:58 AM
I am not sure that "email isn't very secure" is the right comment. The problem is not that email is not secure but that email is nearly as easy for impersonation as is snail mail.
I mean if I get an email purportedly from an Australian company or government organisation that actually was sent from a gmail address from an organisation that has a website, why would I not be just as suspicious as if it were a letter with a Perth return address but that was posted in Russia? Especially if it was supplying details for payment.
Tins
18th November 2022, 07:09 AM
I am not sure that "email isn't very secure" is the right comment. The problem is not that email is not secure but that email is nearly as easy for impersonation as is snail mail.
I mean if I get an email purportedly from an Australian company or government organisation that actually was sent from a gmail address from an organisation that has a website, why would I not be just as suspicious as if it were a letter with a Perth return address but that was posted in Russia? Especially if it was supplying details for payment.
That's the way I look at it. I simply ignore all such communications in the knowledge that my bank etc. will NEVER ask for details or payments. Same with utilities.
The FIFO worker mentioned in the article got lazy because he had dealt with the dealer on several previous occasions successfully. He was excited for his new car and let his guard down. Parasites prey on vulnerability. I'm willing to bet he goes in and pays in person next time.
RANDLOVER
18th November 2022, 09:10 AM
Scammers can also spoof sms messages from banks, utilities, etc so the fake text appears in the ongoing conversation on your mobile.
3toes
19th November 2022, 09:47 PM
Before sending funds, phone them from a number you have obtained from them to confirm details.
Under current law Banks have no duty of care when you use the internet and that includes internet banking. If it goes wrong it is your problem, not theirs.
Arapiles
19th November 2022, 11:45 PM
I am not sure that "email isn't very secure" is the right comment. The problem is not that email is not secure but that email is nearly as easy for impersonation as is snail mail.
I mean if I get an email purportedly from an Australian company or government organisation that actually was sent from a gmail address from an organisation that has a website, why would I not be just as suspicious as if it were a letter with a Perth return address but that was posted in Russia? Especially if it was supplying details for payment.
You don't understand how these scams work: they aren't impersonating or spoofing addresses, the emails actually come from the relevant company's own email servers and address. What happens is that the criminals get access to the company's email servers - through phishing/trojans/malware - and sit and watch. They then, when the time's right, make a request for payment or direct a payment somewhere, often at the end of an existing email chain. There is nothing to indicate that the email is inauthentic because it is authentic, it's just that it's been sent by a criminal. As a result the protocol in banks and law firms is to verbally confirm every payment request using a known contact number that isn't on the email, because the scammers usually amend the contact numbers to one that links to their own phone numbers.
Tote
20th November 2022, 05:52 PM
For those who may be interested, some resources for businesses to assess their preparedness and ability to respond to an attack: https://exerciseinabox.cyber.gov.au/app/
The micro exercises are worth having a look at, I'm not sure there is much time in business to spend 3 or 4 hours on the other ones (not saying the ASD nerds are out of touch with reality [bigwhistle])
Regards,
Tote
SBD4
21st November 2022, 09:43 PM
You don't understand how these scams work: they aren't impersonating or spoofing addresses, the emails actually come from the relevant company's own email servers and address. What happens is that the criminals get access to the company's email servers - through phishing/trojans/malware - and sit and watch. They then, when the time's right, make a request for payment or direct a payment somewhere, often at the end of an existing email chain. There is nothing to indicate that the email is inauthentic because it is authentic, it's just that it's been sent by a criminal. As a result the protocol in banks and law firms is to verbally confirm every payment request using a known contact number that isn't on the email, because the scammers usually amend the contact numbers to one that links to their own phone numbers.
This is it right here. It goes one step further where the scammers' systems act as a proxy between the two parties, monitoring all communications until an appropriate message is found (like the request for deposit). The message is intercepted, modified to include the fraudulent details and then released to be sent on to the intended recipient with both parties none the wiser with, for all intents and purposes, a genuine email being exchanged. The thing about this one is that there is no strange request for a change in details or an out of the blue payment request. The fraud is insidiously inserted into a current and real time expected transaction.