House Price Crash Forum

Authorised push payment scams


rollover

Quote

 

Authorised push payment (APP) scams - where people are conned into authorising their bank to pay a fraudster. In the first half of this year, 19,000 victims lost £100m.

One such, Kate Blakeley, described the "sheer horror" of discovering the loss of almost £300,000 through such a scam. Ms Blakeley, who was in the process of buying a house with her partner, described her experience.

"Everything had gone very smoothly," she said.

"Our conveyancing solicitor provided details by email of the bank accounts to make the money transfers on the day of completion.

"We transferred just under £300,000 on the day and within about three hours, we realised the money had gone missing.

"The moment of realising the money hadn't arrived as intended with the bank account we sent it to, or thought we'd sent it to, was just sheer horror."

BBC


 

How do APP scams actually work? Must be a very stressful situation for the victims when they realize they were conned.


1 hour ago, rollover said:

How do APP scams actually work?

A better question is "how do they not work."

Let's take an example.

I have recently been involved in a personal injury case. I was encouraged by the solicitor to communicate via email. The solicitor in question also has a conveyancing operation. And just to prove this happens, here's such a firm (not the one I am involved with):

http://www.lyonswilson-solicitors.co.uk/

(image attached)

Now consider this. As a client of the solicitor, I was in possession of evidence - pictures, reports etc - which the solicitor was happy to receive as email attachments. They also accepted such evidence on usb sticks, posted to them.

Both of these modes of communication are fraught with vulnerabilities, allowing code injection and arbitrary code execution. That means that, were I so minded, I could have invisibly pwned the client machine onto which these vectors were loaded. Moreover, that machine would be inside the company intranet, with access to the conveyancing dept.

From there I could send emails from the client machine or better still, from a solicitor's machine in the conveyancing dept, to instruct clients to send monies for the purposes of conveyancing, to my own personal account. Moreover, as banks are not in the habit of using the name on an account to identify where funds should be sent, I need only use my bank account, with the solicitor's company name, to get the money in my account.

So when a house buyer acting under this bogus instruction seeks to complete, the payment will be 'pushed' into my account by the home buyer, using my account number, and all the authorisation that would normally take place via any legitimate transfer of funds. ie it is an APP.


18 minutes ago, Sledgehead said:

A better question is "how do they not work."

Let's take an example.

I have recently been involved in a personal injury case. I was encouraged by the solicitor to communicate via email. The solicitor in question also has a conveyancing operation. And just to prove this happens, here's such a firm (not the one I am involved with):

http://www.lyonswilson-solicitors.co.uk/

(image attached)

Now consider this. As a client of the solicitor, I was in possession of evidence - pictures, reports etc - which the solicitor was happy to receive as email attachments. They also accepted such evidence on usb sticks, posted to them.

Both of these modes of communication are fraught with vulnerabilities, allowing code injection and arbitrary code execution. That means that, were I so minded, I could have invisibly pwned the client machine onto which these vectors were loaded. Moreover, that machine would be inside the company intranet, with access to the conveyancing dept.

From there I could send emails from the client machine or better still, from a solicitor's machine in the conveyancing dept, to instruct clients to send monies for the purposes of conveyancing, to my own personal account. Moreover, as banks are not in the habit of using the name on an account to identify where funds should be sent, I need only use my bank account, with the solicitor's company name, to get the money in my account.

So when a house buyer acting under this bogus instruction seeks to complete, the payment will be 'pushed' into my account by the home buyer, using my account number, and all the authorisation that would normally take place via any legitimate transfer of funds. ie it is an APP.


Interesting - so if the fraud account number is sent from an IP address in the solicitors' office, surely the solicitor is at fault for not having a secure enough system, as the client takes the solicitors' instruction via email in good faith.

Perhaps they should send payment emails from a standalone and 'sterile' pc which accepts no incoming email/no usb slots etc so cannot execute malicious email/allow snooping etc


I was warned about this by a solicitor recently and they sent their bank details by post and warned they would never send them by e-mail.  Any money they needed they asked me to take directly to their office by cash or cheque and when there was a large amount I went into my bank to arrange the transfer. 

Most solicitors are aware of this scam which has been around for a while and are warning their clients.


2 hours ago, knock out johnny said:

 

Perhaps they should send payment emails from a standalone and 'sterile' pc which accepts no incoming email/no usb slots etc so cannot execute malicious email/allow snooping etc

Well, firstly that would involve solicitors actually having a clue about such things. Why bother when you are on £365/hr for your bread and butter work?

Secondly, how would the client distinguish between that machine and one held outside the solicitors? By far the more common version of this simply involves spoofing emails from the client's solicitor at "opportune" times (ie at completion). The source of the problem here is the client, who fails to realise that the email is not from the solicitor - ie a failure to authenticate the source. Moreover, the ability to time these fraudulent requests can come from a variety of sources:-

the client machine (hacked with the hacker watching their emails)

the owning of the solicitors machines by a hacker

a tip-off from within the solicitor's office

a tip-off from the estate agent

The problem is there are so many points of vulnerability, even when (in the example I gave) you'd think there were none. But there is one abiding weakness that all of these fall victim to: email. It's not secure, and yet we continue to treat it so, and are expected to do so.

Edited by Sledgehead
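
The "failure to authenticate the source" described in the post above can be partly checked by machine. The following is an added example, not part of the original post: it reads the DMARC verdict recorded by the recipient's own mail server and compares the sender's domain with one confirmed out of band. The server name, domains and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (all constructed):
TRUSTED_AUTHSERV = "mx.mailhost.example"   # authserv-id stamped by our own receiving server
EXPECTED_DOMAIN = "solicitor.example"      # firm's domain, confirmed by phone or post

def dmarc_verdict(msg, trusted=TRUSTED_AUTHSERV):
    """Return the DMARC result recorded by our own server, or None.
    Headers with any other authserv-id are ignored: a sender can forge them."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted:
            continue
        for clause in results.split(";"):
            tokens = clause.split()
            if tokens and tokens[0].lower().startswith("dmarc="):
                return tokens[0].split("=", 1)[1].lower()
    return None

def assess(raw):
    """Classify one raw message claiming to come from the solicitor."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != EXPECTED_DOMAIN:
        return "reject: not the firm's domain"
    if dmarc_verdict(msg) != "pass":
        return "reject: sender domain not authenticated"
    return "authenticated: confirm bank details by phone before paying"

def build(from_hdr, *auth_results):
    """Build a constructed sample message."""
    lines = ["From: " + from_hdr, "Subject: Completion funds"]
    lines += ["Authentication-Results: " + a for a in auth_results]
    return "\n".join(lines) + "\n\nPlease pay into the account below.\n"

GENUINE = build("Conveyancing <completions@solicitor.example>",
                "mx.mailhost.example; spf=pass; dmarc=pass header.from=solicitor.example")
LOOKALIKE = build("Conveyancing <completions@solicitor-example.test>",
                  "mx.mailhost.example; dmarc=pass header.from=solicitor-example.test")
SPOOFED = build("Conveyancing <completions@solicitor.example>",
                "mail.sender.example; dmarc=pass header.from=solicitor.example",  # forged
                "mx.mailhost.example; spf=fail; dmarc=fail header.from=solicitor.example")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)]:
        print(name, "->", assess(raw))
```

A pass only shows the message left the firm's domain. It says nothing about who was at the keyboard, so the compromised-office-machine case from earlier in the thread still passes, and bank details need confirming by phone or post either way.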

16 minutes ago, Houdini said:

Send a £1 initial payment. By a second method - either phone or in person check that the money has been received. Then send the rest of the money.

It's simple really....

This is guaranteed to set off the fraud detectors at your bank. I did the exact same thing, sent 10 pounds to a new payment destination which arrived safely. Then I sent a much larger sum to the same account and my bank were on the phone within seconds asking if I meant to do this. They told me their systems specifically looked for this sequence of payments (amongst many other things I suppose.)

Not that I am complaining. Everyone has heard internet stories about people being scammed; well, I actually know a guy who nearly got done over. Known him for years; he doesn't seem particularly stupid, but apparently fell for it when "technical support at his bank" or "Microsoft" or somebody phoned him and said his computer was malfunctioning. Not sure what happened, but they got him to log in to his internet banking - he then almost instantly got a genuine phone call from the bank asking if he intended to move a large sum out of his account. You can't believe it, can you? As I say, he does not strike me as daft or gullible, but they got him good and proper.
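
The payment sequence the bank said it looks for in the post above, a small first payment to a new payee followed shortly by a much larger one, can be written as a simple detection rule. This is an added example, not from the original post and not any bank's actual system; the thresholds, account labels and payments are constructed assumptions.

```python
from datetime import datetime, timedelta

def flag_test_then_large(payments, known_payees, small=10.00,
                         ratio=100, window=timedelta(days=7)):
    """Return payments that should be held for a confirmation call.

    payments: (timestamp, payee_account, amount_gbp) tuples in time order.
    A payment is held when the payee is new, the first payment to it was
    at most `small`, and this one is at least `ratio` times larger and
    falls within `window` of the first. All thresholds are assumptions."""
    first_seen = {}          # new payee -> (timestamp, amount) of first payment
    held = []
    for ts, payee, amount in payments:
        if payee in known_payees:
            continue         # established payee: out of scope for this rule
        if payee not in first_seen:
            first_seen[payee] = (ts, amount)
            continue
        t0, a0 = first_seen[payee]
        if a0 <= small and amount >= a0 * ratio and ts - t0 <= window:
            held.append((ts, payee, amount))
    return held

# Constructed sample data, in time order
KNOWN = {"ACC-LANDLORD"}
PAYMENTS = [
    (datetime(2024, 3, 1, 9, 0), "ACC-LANDLORD", 900.00),        # known payee
    (datetime(2024, 3, 1, 10, 0), "ACC-CAR-SELLER", 10.00),      # test payment
    (datetime(2024, 3, 1, 11, 30), "ACC-CAR-SELLER", 10000.00),  # held
    (datetime(2024, 3, 2, 14, 0), "ACC-BUILDER", 250.00),        # first payment not small
    (datetime(2024, 3, 3, 8, 0), "ACC-FRIEND", 1.00),
    (datetime(2024, 3, 9, 14, 0), "ACC-BUILDER", 30000.00),      # not held by this rule
    (datetime(2024, 4, 20, 8, 0), "ACC-FRIEND", 500.00),         # outside the window
]

if __name__ == "__main__":
    for ts, payee, amount in flag_test_then_large(PAYMENTS, KNOWN):
        print(f"hold for call-back: {ts:%Y-%m-%d %H:%M} {payee} £{amount:,.2f}")
```

The rule also fires on the legitimate send-a-small-amount-first habit described in this thread, which is why the outcome is a confirmation call rather than a blocked payment.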


5 minutes ago, Funn3r said:

I actually know a guy who nearly got done over. Known him for years; he doesn't seem particularly stupid, but apparently fell for it when "technical support at his bank" or "Microsoft" or somebody phoned him and said his computer was malfunctioning. Not sure what happened, but they got him to log in to his internet banking - he then almost instantly got a genuine phone call from the bank asking if he intended to move a large sum out of his account.

There's no helping some people.


37 minutes ago, Funn3r said:

Everyone has heard internet stories about people being scammed; well, I actually know a guy who nearly got done over. Known him for years; he doesn't seem particularly stupid, but apparently fell for it when "technical support at his bank" or "Microsoft" or somebody phoned him and said his computer was malfunctioning. Not sure what happened, but they got him to log in to his internet banking - he then almost instantly got a genuine phone call from the bank asking if he intended to move a large sum out of his account. You can't believe it, can you? As I say, he does not strike me as daft or gullible, but they got him good and proper.

Yep, parents told me of a couple of friends they met up with last week. The missus had a call, supposedly from their broadband provider: "We understand you have been experiencing problems with your broadband." As questions likely to be answered in the affirmative it's right up there with "we understand you don't trust politicians," but that didn't stop her believing she might not be talking to her real provider, thanks to her general naivety in such matters. And thanks to that naivety, it didn't take long before she'd enabled remote assistance. 

She only tumbled when her bank's webpage appeared before her. That was the point when she powered down her PC without ceremony. A call to the bank and some frantic password changing finally brought relief from the feeling of impending loss.

But nobody suggested she wipe her machine and fresh install the OS. Nobody wondered what might also have happened while the scammers had admin privileges. Nobody talked of trojans or key-loggers or screen grabbers.


53 minutes ago, Funn3r said:

This is guaranteed to set off the fraud detectors at your bank. I did the exact same thing, sent 10 pounds to a new payment destination which arrived safely. Then I sent a much larger sum to the same account and my bank were on the phone within seconds asking if I meant to do this. They told me their systems specifically looked for this sequence of payments (amongst many other things I suppose.)

Not that I am complaining. Everyone has heard internet stories about people being scammed; well, I actually know a guy who nearly got done over. Known him for years; he doesn't seem particularly stupid, but apparently fell for it when "technical support at his bank" or "Microsoft" or somebody phoned him and said his computer was malfunctioning. Not sure what happened, but they got him to log in to his internet banking - he then almost instantly got a genuine phone call from the bank asking if he intended to move a large sum out of his account. You can't believe it, can you? As I say, he does not strike me as daft or gullible, but they got him good and proper.

The same thing happened to me. I was buying a new-to-me car and I transferred £10 initially. When I knew that the tenner had got to the right account I transferred the first 10,000, that being the limit on my account for a single transfer. Nationwide were on the phone in very short order to confirm that I had meant to do that, what was it for and had I actually seen the car. Fair play to them.

Funny thing was that when I had sold my previous car the guy who bought it could only transfer £20,000 in one go and he wanted to take it away the next morning. So we went into his bank, got the £20,000 transferred and I got the rest in cash. I walked across the road to Nationwide to deposit the cash. The girl on the counter quizzed me about where I had got the cash but there were no questions about the money that had just been transferred in.


Stupidity is the primary attack vector.

I've got no time for people going on about keeping your OS updated with patches blah blah blah, it makes no ******ing difference, my win 7 machine has had no OS updates for 2 years or so. In order to launch an attack you have to 1) get network access 2)  get physical access 3) get someone to run some compromised executable on the machine. 99.99% of attacks are variants of 3 and rely on stupidity.

 

 

 


15 minutes ago, Rare Bear said:

 

Funny thing was that when I had sold my previous car the guy who bought it could only transfer £20,000 in one go and he wanted to take it away the next morning. So we went into his bank, got the £20,000 transferred and I got the rest in cash. I walked across the road to Nationwide to deposit the cash. The girl on the counter quizzed me about where I had got the cash but there were no questions about the money that had just been transferred in.

That reminds me when they ask at the bank counter why you're taking a chunk of cash out (e.g. £3000 - usually for a motorbike). I always take great delight to tell them I'm off whoring in Prague


7 hours ago, leonardratso said:

There's a fairly old device called a telephone that could be used to thwart such attacks. I use mine all the time.

I also wouldn't send 300K in a wire transfer unless I'd sent a single quid first and then used the old device mentioned above to check it actually got there, sending no more until I was sure.

Same here. I only send a £1, less if possible, and ask them to verify. People are overconfident, and even without the scam it's too easy to put in a wrong number.


2 hours ago, goldbug9999 said:

Stupidity is the primary attack vector.

99.99% of attacks are variants of 3 and rely on stupidity.

I think that's a bit harsh. You are not necessarily stupid because you are unable to recognise an online scam. Some of them are extremely clever and unless you are a professional, actively collecting cybersecurity scalps, then you won't see them coming. 


29 minutes ago, Funn3r said:

I think that's a bit harsh. You are not necessarily stupid because you are unable to recognise an online scam. Some of them are extremely clever and unless you are a professional, actively collecting cybersecurity scalps, then you won't see them coming. 

Yup.  I've put myself onto scammers' 'mug lists' for professional reasons, and received (and gone along with) many calls.  They are professionals, and extremely good at what they do.  

If you've received calls and worked it out, don't go thinking that you're clever and invulnerable to their techniques.  They've just not chosen the correct approach yet.  


37 minutes ago, dgul said:

Yup.  I've put myself onto scammers' 'mug lists' for professional reasons, and received (and gone along with) many calls.  They are professionals, and extremely good at what they do.  

If you've received calls and worked it out, don't go thinking that you're clever and invulnerable to their techniques.  They've just not chosen the correct approach yet.  

That is a great post. In IT we used to say ‘if’ you are breached; now the term is ‘when’, and what is your plan from that point.


18 hours ago, goldbug9999 said:

Stupidity is the primary attack vector.

I've got no time for people going on about keeping your OS updated with patches blah blah blah, it makes no ******ing difference, my win 7 machine has had no OS updates for 2 years or so. In order to launch an attack you have to 1) get network access 2)  get physical access 3) get someone to run some compromised executable on the machine. 99.99% of attacks are variants of 3 and rely on stupidity.

 

 

 

A Win 7 machine with no updates for 2 years is an extremely easy target for a script kiddie, let alone a professional hacker.
