rollover Posted November 7, 2017 Share Posted November 7, 2017 Quote Authorised push payment (APP) scams - where people are conned into authorising their bank to pay a fraudster. In the first half of this year, 19,000 victims lost £100m. One such, Kate Blakeley, described the "sheer horror" of discovering the loss of almost £300,000 through such a scam. Ms Blakeley, who was in the process of buying a house with her partner, described her experience. "Everything had gone very smoothly," she said. "Our conveyancing solicitor provided details by email of the bank accounts to make the money transfers on the day of completion. "We transferred just under £300,000 on the day and within about three hours, we realised the money had gone missing. "The moment of realising the money hadn't arrived as intended with the bank account we sent it to, or thought we'd sent it to, was just sheer horror." BBC How does APP scams actually work? Must be very stressful situation for the victims, when they realize they were conned. Quote Link to comment Share on other sites More sharing options...
leonardratso Posted November 7, 2017 Share Posted November 7, 2017 Theres a fairly old device called a telephone that could be used to thwart such attacks. I use mine all the time. I also wouldnt send 300K in a wire transfer unless id sent a single quid first and then used the old device mentioned above to check it actually got there, sending no more until i was sure. Quote Link to comment Share on other sites More sharing options...
TheCountOfNowhere Posted November 7, 2017 Share Posted November 7, 2017 22 minutes ago, rollover said: How does APP scams actually work? Must be very stressful situation for the victims, when they realize they were conned. Was she scammed or typed the number in wrong ? Quote Link to comment Share on other sites More sharing options...
wasbuckers Posted November 7, 2017 Share Posted November 7, 2017 Usually email intercept/phish, appears to come from the solicitor suggesting different bank details. For £300K I would always check by calling the solicitor myself..... Quote Link to comment Share on other sites More sharing options...
Sledgehead Posted November 7, 2017 Share Posted November 7, 2017 1 hour ago, rollover said: How does APP scams actually work? A better question is "how do they not work." Let's take an example. I have recently been involved in a personal injury case. I was encouraged by the solicitor to communicate via email. The solicitor in question also has a conveyancing operation. And just to prove this happens, here's such a firm (not the one I am involved with): http://www.lyonswilson-solicitors.co.uk/ (image attached) Now consider this. As a client of the solicitor, I was in possession of evidence - pictures, reports etc - which the solicitor was happy to receive as email attachments. They also accepted such evidence on usb sticks, posted to them. Both of these modes of communication are fraught with vulnerabilities, allowing code injection and arbitrary code execution. That means that, were I so minded, I could have invisibly pwned the client machine onto which these vectors were loaded. Moreover, that machine would be inside the company intranet, with access to the conveyancing dept. From there I could send emails from the client machine or better still, from a solicitor's machine in the conveyancing dept, to instruct clients to send monies for the purposes of conveyancing, to my own personal account. Moreover, as banks are not in the habit of using the name on an account to identify where funds should be sent, I need only use my bank account, with the solicitor's company name, to get the money in my account. So when a house buyer acting under this bogus instruction seeks to complete, the payment will be 'pushed' into my account by the home buyer, using my account number, and all the authorisation that would normally take place via any legitimate transfer of funds. ie it is an APP. Quote Link to comment Share on other sites More sharing options...
knock out johnny Posted November 7, 2017 Share Posted November 7, 2017 18 minutes ago, Sledgehead said: A better question is "how do they not work." Let's take an example. I have recently been involved in a personal injury case. I was encouraged by the solicitor to communicate via email. The solicitor in question also has a conveyancing operation. And just to prove this happens, here's such a firm (not the one I am involved with): http://www.lyonswilson-solicitors.co.uk/ (image attached) Now consider this. As a client of the solicitor, I was in possession of evidence - pictures, reports etc - which the solicitor was happy to receive as email attachments. They also accepted such evidence on usb sticks, posted to them. Both of these modes of communication are fraught with vulnerabilities, allowing code injection and arbitrary code execution. That means that, were I so minded, I could have invisibly pwned the client machine onto which these vectors were loaded. Moreover, that machine would be inside the company intranet, with access to the conveyancing dept. From there I could send emails from the client machine or better still, from a solicitor's machine in the conveyancing dept, to instruct clients to send monies for the purposes of conveyancing, to my own personal account. Moreover, as banks are not in the habit of using the name on an account to identify where funds should be sent, I need only use my bank account, with the solicitor's company name, to get the money in my account. So when a house buyer acting under this bogus instruction seeks to complete, the payment will be 'pushed' into my account by the home buyer, using my account number, and all the authorisation that would normally take place via any legitimate transfer of funds. ie it is an APP. Interesting - so if the fraud account number is sent from an ip address in the solicitors' office, surely the solicitor is at fault for not having a secure enough system as the client takes the solicitors' instruction via email in good faith Perhaps they should send payment emails from a standalone and 'sterile' pc which accepts no incoming email/no usb slots etc so cannot execute malicious email/allow snooping etc Quote Link to comment Share on other sites More sharing options...
TheCountOfNowhere Posted November 7, 2017 Share Posted November 7, 2017 Send a cheque. Sorted Quote Link to comment Share on other sites More sharing options...
janch Posted November 7, 2017 Share Posted November 7, 2017 I was warned about this by a solicitor recently and they sent their bank details by post and warned they would never send them by e-mail. Any money they needed they asked me to take directly to their office by cash or cheque and when there was a large amount I went into my bank to arrange the transfer. Most solicitors are aware of this scam which has been around for a while and are warning their clients. Quote Link to comment Share on other sites More sharing options...
Exiled Canadian Posted November 7, 2017 Share Posted November 7, 2017 We move lots of cash around by direct transfer. Our standard procedure is that any account number has to be confirmed by telephone call unless we have previously successfully transferred funds to the account. Quote Link to comment Share on other sites More sharing options...
Sledgehead Posted November 7, 2017 Share Posted November 7, 2017 (edited) 2 hours ago, knock out johnny said: Perhaps they should send payment emails from a standalone and 'sterile' pc which accepts no incoming email/no usb slots etc so cannot execute malicious email/allow snooping etc Well, firstly that would involve solicitors actually having a clue about such things. Why bother when you are on £365/hr for your bread and butter work? Secondly, how would the client distinguish between that machine and one held outside the solicitors? By far the more common version of this simply involves spoofing emails from the client's solicitor at "opportune" times (ie at completion). The source of the problem here is the client, who fails to realise that the email is not from the solicitor - ie a failure to authenticate the source. Moreover, the ability to time these fraudulent requests can come from a variety of sources:- the client machine (hacked with the hacker watching their emails) the owning of the solicitors machines by a hacker a tip-off from within the solicitor's office a tip-off from the estate agent The problem is there are so many points of vulnerability, even when (in the example I gave) you'd think there were none. But there is one abiding weakness that ll of these fall victim to: email. It's not secure, and yet we continue to treat it so, and are expected to do so. Edited November 7, 2017 by Sledgehead Quote Link to comment Share on other sites More sharing options...
Houdini Posted November 7, 2017 Share Posted November 7, 2017 2 hours ago, TheCountOfNowhere said: Send a cheque. Sorted Send a £1 initial payment. By a second method - either phone or in person check that the money has been received. Then send the rest of the money. It's simple really.... Quote Link to comment Share on other sites More sharing options...
sPinwheel Posted November 7, 2017 Share Posted November 7, 2017 5 minutes ago, Houdini said: Send a £1 initial payment. By a second method - either phone or in person check that the money has been received. Then send the rest of the money. Then realise you overpaid for the house. Quote Link to comment Share on other sites More sharing options...
Funn3r Posted November 7, 2017 Share Posted November 7, 2017 16 minutes ago, Houdini said: Send a £1 initial payment. By a second method - either phone or in person check that the money has been received. Then send the rest of the money. It's simple really.... This is guaranteed to set off the fraud detectors at your bank. I did the exact same thing, sent 10 pounds to a new payment destination which arrived safely. Then I sent a much larger sum to the same account and my bank were on the phone within seconds asking if I meant to do this. They told me their systems specifically looked for this sequence of payments (amongst many other things I suppose.) Not that I am complaining. Everyone has heard internet stories about people being scammed well I actually know a guy who nearly got done over. Known him for years he doesn't seem particularly stupid but apparently fell for it when "technical support at his bank" or "Microsoft" or somebody phoned him and said his computer was malfunctioning. Not sure what happened but they got him to login to his internet banking - he then almost instantly got a genuine phone call from the bank asking if he intended to move a large sum out of his account. You can't believe it can you as I say he does not strike me as daft or gullible but they got him good and proper. Quote Link to comment Share on other sites More sharing options...
Errol Posted November 7, 2017 Share Posted November 7, 2017 5 minutes ago, Funn3r said: I actually know a guy who nearly got done over. Known him for years he doesn't seem particularly stupid but apparently fell for it when "technical support at his bank" or "Microsoft" or somebody phoned him and said his computer was malfunctioning. Not sure what happened but they got him to login to his internet banking - he then almost instantly got a genuine phone call from the bank asking if he intended to move a large sum out of his account. There's no helping some people. Quote Link to comment Share on other sites More sharing options...
Sledgehead Posted November 7, 2017 Share Posted November 7, 2017 37 minutes ago, Funn3r said: Everyone has heard internet stories about people being scammed well I actually know a guy who nearly got done over. Known him for years he doesn't seem particularly stupid but apparently fell for it when "technical support at his bank" or "Microsoft" or somebody phoned him and said his computer was malfunctioning. Not sure what happened but they got him to login to his internet banking - he then almost instantly got a genuine phone call from the bank asking if he intended to move a large sum out of his account. You can't believe it can you as I say he does not strike me as daft or gullible but they got him good and proper. Yep, parents told me of a couple of friends they met up with last week. The missus had a call, supposedly from their broadband provider: "We understand you have been experiencing problems with your broadband." As questions likely to be answered in the affirmative it's right up there with "we understand you don't trust politicians," but that didn't stop her believing she might not be talking to her real provider, thanks to her general naivety in such matters. And thanks to that naivety, it didn't take long before she'd enabled remote assistance. She only tumbled when her bank's webpage appeared before her. That was the point when powered down her PC without ceremony. A call to the bank and some frantic password changing finally brought relief from the feeling of impending loss. But nobody suggested she wipe her machine and fresh install the OS. Nobody wondered what might also have happened while the scammers had admin privileges. Nobody talked of trojans or key-loggers or screen grabbers. Quote Link to comment Share on other sites More sharing options...
Rare Bear Posted November 7, 2017 Share Posted November 7, 2017 53 minutes ago, Funn3r said: This is guaranteed to set off the fraud detectors at your bank. I did the exact same thing, sent 10 pounds to a new payment destination which arrived safely. Then I sent a much larger sum to the same account and my bank were on the phone within seconds asking if I meant to do this. They told me their systems specifically looked for this sequence of payments (amongst many other things I suppose.) Not that I am complaining. Everyone has heard internet stories about people being scammed well I actually know a guy who nearly got done over. Known him for years he doesn't seem particularly stupid but apparently fell for it when "technical support at his bank" or "Microsoft" or somebody phoned him and said his computer was malfunctioning. Not sure what happened but they got him to login to his internet banking - he then almost instantly got a genuine phone call from the bank asking if he intended to move a large sum out of his account. You can't believe it can you as I say he does not strike me as daft or gullible but they got him good and proper. The same thing happened me. I was buying a new to me car and I transferred £10 initially. When I knew that the tenner had got to the right account I transferr the first 10,000, that being the limit on my account for a single transfer. Nationwide wre on the phone in very short order to confirm that I had meant to do that, what was it for and had I actually seen the car. Fair play to them. Funny thing was that when I had sold my previous car the guy who bought it coule only £20,000 in one go and he wanted to take it away the next morning. so we went into his bank, got the £20,000 transferred and I got the rest in cash. I walked across the road to Nationwide to deposit the cash. The girl on the counter quizzed about where I had got the cash but there were no questions about the money that had jsut been transferred in. Quote Link to comment Share on other sites More sharing options...
goldbug9999 Posted November 7, 2017 Share Posted November 7, 2017 Stupidity is the primary attack vector. I've got no time for people going on about keeping your OS updated with patches blah blah blah, it makes no ******ing difference, my win 7 machine has had no OS updates for 2 years or so. In order to launch an attack you have to 1) get network access 2) get physical access 3) get someone to run some compromised executable on the machine. 99.99% of attacks are variants of 3 and rely on stupidity. Quote Link to comment Share on other sites More sharing options...
knock out johnny Posted November 7, 2017 Share Posted November 7, 2017 15 minutes ago, Rare Bear said: Funny thing was that when I had sold my previous car the guy who bought it coule only £20,000 in one go and he wanted to take it away the next morning. so we went into his bank, got the £20,000 transferred and I got the rest in cash. I walked across the road to Nationwide to deposit the cash. The girl on the counter quizzed about where I had got the cash but there were no questions about the money that had jsut been transferred in. That reminds me when they ask at the bank counter why you're taking a chunk of cash out (e.g. £3000 - usually for a motorbike). I always take great delight to tell them I'm off whoring in Prague Quote Link to comment Share on other sites More sharing options...
longgone Posted November 7, 2017 Share Posted November 7, 2017 just buy some old hard drives on ebay i have used data recovery software and put everything back on and extracted passwords saved in chrome. people are stupid. Quote Link to comment Share on other sites More sharing options...
interestrateripoff Posted November 7, 2017 Share Posted November 7, 2017 7 hours ago, leonardratso said: Theres a fairly old device called a telephone that could be used to thwart such attacks. I use mine all the time. I also wouldnt send 300K in a wire transfer unless id sent a single quid first and then used the old device mentioned above to check it actually got there, sending no more until i was sure. Same here I only send a £1 less if possible and ask them to verify. People are over confident and even without the scam it's too easy to put in a wrong number. Quote Link to comment Share on other sites More sharing options...
winkie Posted November 7, 2017 Share Posted November 7, 2017 Nobody robs banks anymore, they don't have to...... Quote Link to comment Share on other sites More sharing options...
Funn3r Posted November 7, 2017 Share Posted November 7, 2017 2 hours ago, goldbug9999 said: Stupidity is the primary attack vector. .99.99% of attacks are variants of 3 and rely on stupidity I think that's a bit harsh. You are not necessarily stupid because you are unable to recognise an online scam. Some of them are extremely clever and unless you are a professional, actively collecting cybersecurity scalps, then you won't see them coming. Quote Link to comment Share on other sites More sharing options...
dgul Posted November 7, 2017 Share Posted November 7, 2017 29 minutes ago, Funn3r said: I think that's a bit harsh. You are not necessarily stupid because you are unable to recognise an online scam. Some of them are extremely clever and unless you are a professional, actively collecting cybersecurity scalps, then you won't see them coming. Yup. I've put myself onto scammers' 'mug lists' for professional reasons, and received (and gone along with) many calls. They are professionals, and extremely good at what they do. If you've received calls and worked it out, don't go thinking that you're clever and invulnerable to their techniques. They've just not chosen the correct approach yet. Quote Link to comment Share on other sites More sharing options...
Greg Bowman Posted November 7, 2017 Share Posted November 7, 2017 37 minutes ago, dgul said: Yup. I've put myself onto scammers' 'mug lists' for professional reasons, and received (and gone along with) many calls. They are professionals, and extremely good at what they do. If you've received calls and worked it out, don't go thinking that you're clever and invulnerable to their techniques. They've just not chosen the correct approach yet. That is a great post, in IT we used to say ‘if’ you are breached now the term is ‘when’ and what is your plan from that point Quote Link to comment Share on other sites More sharing options...
PaulParanoia Posted November 8, 2017 Share Posted November 8, 2017 18 hours ago, goldbug9999 said: Stupidity is the primary attack vector. I've got no time for people going on about keeping your OS updated with patches blah blah blah, it makes no ******ing difference, my win 7 machine has had no OS updates for 2 years or so. In order to launch an attack you have to 1) get network access 2) get physical access 3) get someone to run some compromised executable on the machine. 99.99% of attacks are variants of 3 and rely on stupidity. A Win 7 machine with no updates for 2 years is an extremely easy target for a script kiddie, let alone a professional hacker. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.