A London woman has been scammed out of almost £50,000, thinking she was sending it to her solicitor as a down-payment on a house purchase, after crooks apparently gained access to her email account and monitored her online conversations.
58-year-old Vivian Gabb, a self-employed single mother, was in the process of buying a house when she received an email purporting to come from her solicitor, asking her to change the account information she used for making payments to the firm and requesting that she send the sum of £46,703.20 (about $73,000), which she was already expecting to have to pay, into the new account.
She made the transfer as asked, but four days later realised that the funds had never reached the intended recipient. By then it was too late for banks to retrieve the money, as the account it had been sent to had already been emptied.
She believes the crooks must have been monitoring her email to know precisely how best to trick her into handing over her savings.
Types of phishing scams
Email phishing scams fall into two broad categories. The “normal” variety is all too familiar – a mass mail is spammed out to large numbers of people, with a message generally along the lines of “please log into your account by following this link”.
The hope is that if enough people are targeted, at least a few of them will turn out to be users of the bank/shopping site/whatever the mailer is posing as, and, of those, some will follow the link and hand over their login details to the scammers.
The popularity of this type of scam is the reason we try to discourage businesses from including direct links to their login pages in emails sent to customers.
The more targeted variety, usually referred to as “spearphishing”, requires a little more effort. The victim is first carefully researched to find out enough about them, either as an individual or as an employee in a particular role in a given business, and is then sent a carefully-crafted email made to look like something they would expect to receive and take action on.
It might be a request seeming to come from a superior asking for some sensitive or useful piece of information, or perhaps a message posing as an update from IT, carrying a malware-laced attachment.
One particular variant, as seen in this incident, pretends to come from a supplier or third-party contractor, “updating” details of the account they use to receive payments from you. Of course, the details provided are for a bogus account in the control of the phishers.
It’s generally assumed that such spearphishing is only really a danger in businesses and other large organisations, where access into protected networks, privileged information or doctored payments can bag large enough rewards to merit the work that goes into setting up the scam.
However, as this case seems to show, the bad guys are willing to spend considerable time prying into the affairs of everyday individuals in the hope of finding a way to sneak away with some of their cash.
Protect your email
There are some ways to mitigate this kind of risk, starting with protecting our all-important personal email accounts.
Given the huge amounts of personal and often highly lucrative information that can be gleaned from our email accounts, it’s vital that they are locked down as securely as possible.
One of the most powerful tools to prevent people getting unwanted access to our accounts is of course two-factor authentication (2FA). All the major players in the email space offer some sort of 2FA, and if yours doesn’t, you really should consider moving off that service.
Even when we’re fairly sure our accounts are well secured, there’s always a danger from social engineering tricks.
Whenever we receive important information via email, it’s vital that we double-check the authenticity of the source and the information.
Particularly when dealing with large sums of money, it’s worth the effort to contact the other party directly for confirmation, using a known and trusted address or phone number rather than one provided in the message being questioned.
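As an added illustration (not part of the original article) of the payment-diversion pattern described above and the "verify via a known contact" advice: this script parses a constructed message, flags the tell-tale "updated bank details" request and a Reply-To that differs from the visible sender, and returns the verification contact from a local directory rather than anything in the email. The directory entries, domains and phone number are invented placeholders.

```python
"""Flag 'pay to our new account' emails and point to an out-of-band contact.

Added example, not the article's or any vendor's code. All domains,
addresses and the phone number below are constructed placeholders.
"""
import email.utils
import re
from email import message_from_string

# Constructed directory of known-good contacts, keyed by sender domain.
KNOWN_CONTACTS = {
    "example-solicitors.test": {"phone": "+44 20 0000 0000 (from engagement letter)"},
}

# Phrases typical of a request to redirect payments to a new account.
CHANGE_PATTERN = re.compile(
    r"(new|updated|changed)\s+(bank|account)\s+details|"
    r"(change|update)\s+(your\s+)?(payment|account)\s+(details|information)",
    re.IGNORECASE,
)

def _domain(header_value: str) -> str:
    """Extract the lower-cased domain from an address header value."""
    _, address = email.utils.parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower()

def assess(raw: str) -> dict:
    """Return findings for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    sender = _domain(msg.get("From", ""))
    reply_to = _domain(msg.get("Reply-To", msg.get("From", "")))
    return {
        "asks_to_change_account": bool(CHANGE_PATTERN.search(body)),
        "reply_to_mismatch": reply_to != sender,
        "sender_known": sender in KNOWN_CONTACTS,
        # Confirm using the directory entry, never a number from the message.
        "verify_via": KNOWN_CONTACTS.get(sender, {}).get("phone"),
    }

# Constructed sample: looks like the solicitor, but replies go elsewhere.
SAMPLE = """From: Conveyancing <accounts@example-solicitors.test>
Reply-To: accounts@example-solicitors-mail.test
Subject: Deposit payment
Content-Type: text/plain

Please note our updated bank details for the deposit payment.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```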
It’s always easy to be wise after the fact of course, and these words won’t be of much comfort to Ms Gabb.
Fortunately friends and family rallied round to help her complete her house purchase, but with both police and banks suggesting there’s not much they will be able to do to retrieve the lost money, it looks like she’s going to be heavily out of pocket as a result of the scam.
Be careful out there.
Image of house money courtesy of Shutterstock.
8 comments on “Spearphishing gets personal as woman scammed out of £50k house deposit”
When I make a payment to a new beneficiary I always make a small payment (say £5) first, contact the beneficiary directly and only when I know it's been received do I send the rest.
^That's a really good tip. And thanks for sharing.
Of course, it doesn’t help if you’ve crossed the bridge to paying a bogus beneficiary in the first place. If you contact them, they’ll tell you the payment went through…because it did 🙂
“Fortunately friends and family rallied round to help her complete her house purchase”
They stumped up the £50,000? Blimey, I wish I had friends and family like that!
Any bets on whether she used her account via web mail access? Using a proper email client like Thunderbird, Mac Mail or equivalent and promptly deleting messages from the server goes a long way towards protecting email accounts. Of course most emails are still vulnerable since few are encrypted, but limiting web mail access makes it much harder for accounts to be monitored. Web mail coupled with weak passwords and ISPs losing password databases leaves users vulnerable to compromised email accounts. Web mail users leave their whole message history there in plain view to be accessed by anyone who trips across their credentials in a paste site.
There is a price to be paid for the convenience of being able to check email from any random computer.
“promptly deleting messages from the server”
After downloading them to a single device? Sounds like poor advice to me; a single device can be hacked, phished, lost, stolen or simply go kaput. If you’re serious, accessing emails at a trusted provider only via a secure browser session with multi-factor authentication is the way.
Just make sure your provider has securely set up POP3, SMTP and IMAP with the latest TLS protocols. Most providers have not. Webmail using a browser often provides more secure connections. I do understand your point though about access.
Yes, like with banks it's best to use the info you have for the contact, not the info they give you! I must confess I'd ring and check for such a large amount, and I'm so old fashioned I might even have popped into the branch with a cheque!