Security blog Krebs On Security has a cautionary blog post detailing the tail of Jon and Dorothy Little, who in November of 2016, at the closing on a house they were buying, found out that a phishing attack from a fraudster had tricked them into wiring their house funds to the wrong bank account.
The fraudster had inserted themselves into the middle of the purchasing chain by faking an email from the sellers’ attorneys. The phishing email had wiring instructions with a different bank account in it. So, trusting the email instructions they received, the hapless would-be home purchasers thought they were wiring funds to an escrow account setup by the sellers’ attorneys.
As the couple dutifully followed the wiring instructions, they believed that they were sending their hard earned cash to the sellers’ agent, but instead sent the money to a ‘money mule’ – a middle-man (or woman) recruited by the fraudster to receive the funds and send them on later.
Luckily for the Littles, the deception was found quickly and the FBI was contacted. The FBI was able to freeze the wire transfer when it hit TD Bank, which meant their funds were not going to be withdrawn and handed to the fraudster, but the funds were far from back where they belonged.
It was at this point that our poor victims learned about the US banking system and the term ‘fiduciary duty’, and how it was going to cause them a lot of problems during the next few months.
US Banks and financial institutions have a duty when following wiring instructions to honor the instructions given to them by their customers – which even applies when the instructions are wrong.
So – our poor couple found out that in order to get their funds back, their credit union had to provide the receiving bank an agreement to ‘hold harmless’ or agree not to legally pursue the bank for not completing the original fraudulent instruction – after all, it had come from their customer!
The problem here was that the credit union in which the Littles had invested virtually all of their money for more than 40 years decided it could not in good faith provide that hold harmless agreement to the receiving bank. They decided this because in doing so, they would have to stipulate that the credit union affirms the victim (the Littles) hadn’t willingly and knowing initiated the wire, when in fact they had. Even though their customer had been duped, the way it worked was they had to say it was pure fraud. The wire transfer, even though it was diverted, had been requested properly, and completed properly. It was not a case of the destination was changed, just it had been wrong in the first place.
To make a very long story shorter, the Littles did eventually get their funds back, but had to pull out of the original purchase as the return of their money was going to take months.
Here is a video titled ‘The Homeless Homebuyer’ that explains how it can happen:
How do you prevent this type of phishing scam?
First off: never wire funds purely based on an email received – never, ever, ever.
Secondly, agree in large and complex transactions (like realestate), who will be contacting who, and by what methods.
Lastly, trust by verify. And verify using a different method, like phone – that the destination account is correct.
We would suggest, that when receiving the wiring instructions, use the phone, contact your trusted professional on the other side of the transaction, even verify in person if possible. If you use the phone call them from a number you verified or have already in your phone-book, NOT the phone number in the email/PDF you received, remember that could also be faked!
Once you have verified the receiving bank account instructions, have another person verify that the transaction is how you see it. A bank account number at the same receiving bank might only differ by a few digits!
Finally, execute the transfer.
It couldn’t Happen to Us – could it?
Well, perhaps – this isn’t the first time this has happened by a long way. The FBI is keeping a running tally of the financial devastation visited on companies via this type of scam, known as CEO fraud scams. In June 2016, the FBI estimated that crooks had stolen nearly $3.1 billion from more than 22,000 victims of these wire fraud schemes.
Krebs on Security Article on Jon and Dorothy Little