The Daily Telegraph - Saturday - Money
‘My adviser’s email was hacked and I lost £15k’
Fraud victims are being tricked into sending thousands of pounds to criminals after the email accounts of financial institutions they trust are hacked. But working out who is liable in these cases can be hard. A popular method used by scammers is to send a last-minute email purporting to be from the recipient’s solicitor or financial adviser. The email will inform them of a change of bank account for a pending payment, but the new account will belong to the criminal.
Often an email address will be created that looks the same as the legitimate one but has a subtle difference, for example one number or letter is missing or changed. But even consumers who are wise to this can be caught out when a fraudster gains access to the actual account via a security breach.
Larry Hunter, 64, was preparing to transfer around £15,000 to his pension provider days before the end of the tax year in April when an email dropped into his inbox from his financial adviser at south London firm Creative Benefits. It informed him of a change of bank account details for the transaction.
Mr Hunter, who lives near Reading, checked the email address closely and saw it was the real address of his adviser. Satisfied, he sent the money.
It was only the next day when the adviser pressed him to make the payment that he realised something had gone wrong. He reported the incident to his bank, NatWest, and to the police. He said: “When I initially tried to make the transfer, quite rightly NatWest sent me a code to authorise it. I was busy that day and the code expired so it didn’t go through. Then I had an email saying the account details had changed. It came from my adviser, so I made the payment.
“In the meantime, my adviser had an email pretending to be from me with an email address that was slightly different to mine.” He said he had no ill will towards the individual adviser but thought the email address should have been spotted.
Neither bank has so far been able to help. Santander, the bank the money was transferred to, said it was unable to comment on individual accounts due to data protection rules but that it always tried to recover the money when a fraud was reported.
NatWest said it would not be refunding Mr Hunter as he “explicitly authorised the payment” using his own security credentials. A spokesman said: “We sympathise with Mr Hunter and appreciate that this has been a very distressing experience for him.”
But Mr Hunter feels it is Creative Benefits who should be held liable as, it appears, its emails were vulnerable to hacking.
He said: “They left the transfer to the last minute and they shouldn’t have done, which made the process rushed. He could have seen my email replies to the fraudsters using his account and he could have noticed the fake email address impersonating me.
“But the overarching accountability has to be with the firm for leaving its email systems open to fraudsters.”
Creative Benefits is regulated by the Financial Conduct Authority (FCA), the City watchdog. Peter Wright of Digital Law, a firm specialising in online law, said he believed the advisers could be in breach of regulations relating to cyber resilience and data security.
He said most advisers would have heavily encrypted email systems and that, ultimately, Mr Hunter could have a case for negligence.
He added: “In some professions there are minimum levels of security standards. Some organisations say ‘we appreciate the risk but this is cumbersome and our clients don’t want this’. I think many would disagree if they were a victim of fraud.
“You have to look at the proportionate risk. If I was advising multiple individuals on their money and dealing with sensitive information, I would feel my industry was particularly at risk.”
He said all incidents should be reported promptly to both the FCA and the Information Commissioner’s Office. Under new GDPR rules, firms can face massive fines for failing to disclose breaches within 72 hours.
Sally Webber, the chief executive of Creative Benefits, did not confirm whether the incident had been reported and said she could not comment on details until an investigation had been carried out.
She added: “Mr Hunter’s case is the subject of a thorough investigation which includes gathering evidence from third parties to whom he spoke.
“It is very frustrating for everyone, but above all Mr Hunter, that we have been waiting for important evidence from those external parties for some months, despite persistent reminders and we are still waiting now.”
She added: “We have complete sympathy for Mr Hunter for the worry and anxiety a matter like this causes and we are working with him to get to a conclusion as soon as possible. We are keeping him updated at every juncture so that he is fully informed.”
Savers into a modern workplace pension will be tens of thousands of pounds worse off in later life because employers have dramatically cut what they contribute.
Figures provided exclusively to Telegraph Money by the Pensions and Lifetime Savings Association (PLSA) reveal how much less employers pay into staff pension schemes today compared to in the past. Over 30 years, it means younger savers are on average £120,000 worse off than older peers who have benefited from more generous earlier pensions.
In a traditional defined benefit scheme, a median earner on £28,600 contributed an average 21pc of salary in 2016, according to the Office for National Statistics. However, the heavy lifting was done by the employer who put in 16pc, with the employee adding 5pc. In one year, they would have contributed £6,006: £1,430 from the employee, £4,576 from the employer.
But these schemes, which provide an income for life, are expensive for firms to offer as people live longer.
Increasingly, younger workers are put in defined contribution autoenrolment schemes, where the same average earner would get contributions of just 5pc on qualifying earnings of £22,568. In a reversal of fortunes, companies put in less than staff – 2pc versus 3pc. In one year, staff have just £1,128.36 going into a pension – £677.04 from them, £451.32 from their employer.
This is £4,877.64 less a year than an employee in an older-style defined benefit scheme – because employer contributions would be £4,124.68 less. Even once minimum autoenrolment contributions rise next year to 3pc from the employer and 5pc from the employee, staff will still be £4,200.56 a year worse off overall.
Nigel Peaple, director of policy and research at the PLSA, said employers must help redress the balance. “Autoenrolment has been a huge success but average workplace pension contributions must increase to 12pc of salary,” he said. “To be affordable, it should be split 50:50 between employers and savers. From April 2019, this would mean employees paying just 1pc more and employers paying 3pc more.”
Criminals target those who advise us on our money in a bid to steal it. But victims often have no recourse, finds Sam Meadows ‘The accountability has to be with the firm for leaving email open to fraudsters’