Cash transfer fraud targets travellers
A growing number of holidaymakers are being tricked by criminals into paying into fake accounts, warns Amelia Murray
Holidaymakers are the latest group of victims in the growing trend of “money transfer fraud”.
With this alarming type of fraud the victim – usually in the process of making a large transfer to another bank account – is tricked into sending the money to an account operated by a criminal.
The scam typically works in conjunction with an interception of emails or phone calls. It came to light several years ago when homebuyers and sellers were tricked into transferring large sums relating to property transactions to a fraudster’s account. The victims assumed they were dealing with their solicitors when, in fact, their emails had been intercepted and their solicitors impersonated by criminals.
Now the fraud is spreading to other transactions involving large sums being paid electronically from one account to another. One area where people are falling prey is holiday bookings.
Figures released this week show thousands of travellers are being targeted by fraudsters purporting to be legitimate flight and rental firms.
Almost 6,000 people lost a total of £7.2m in 2016, a 20pc increase from the year before, according to a report by the National Fraud Intelligence Bureau, which analyses fraud data for the City of London Police. The average loss was £1,200.
Tony Neate, of Get Safe Online, the government-backed cyber safety initiative, believes the true number of cases is likely to be double that because many victims are too embarrassed to report it.
As with “solicitor email interception”, fraudsters create copycat emails. Bogus adverts are also posted on social media sites which link to fake sites.
Mr Neate said the criminals are particularly successful in the summer months when holidays are more expensive. “When the cost is high you’re going to be more hungry for a deal. You won’t see a con, you’ll see a bargain,” he said.
Some criminals also hack into the systems of genuine firms and pose as the company over email. This is what William George believed happened last summer when he transferred £8,000 to a Portuguese rental firm for a luxury family villa in Cascais, Lisbon.
The day before Mr George, his wife Carolina and their three children Sebastian, 13, Nicholas, 10 and Victoria, five, were due to fly he made the sickening discovery that he had sent the money to a fraudster.
As in most cases of transfer fraud, banks offer no protection. They argue that the payments were made correctly according to their customer’s instructions, and so they have no liability. Your Money is campaigning for banks to take more responsibility on the grounds that they are often providing current accounts to the criminals involved.
Mr George found the property on Homeaway, the online holiday rentals marketplace, in July last year.
The family wanted to travel the next month and Mr George said he was surprised the six-bed villa with a private pool was still available at short notice. He contacted the firm for more details using the enquiries option on Homeaway which puts users in touch with owners or rental managers.
Mr George, who runs a summer language school in Cambridge, said he remembered being particularly busy at the time he began corresponding
with the firm over email. But he made sure to check the email address was legitimate.
He agreed to pay a 30pc deposit by international bank transfer. He wasn’t surprised at this request as he had been asked to do this on two other occasions when booking holiday villas. He was then asked to transfer the rest of the £8,000 before the arrival date.
The day before the holiday Mr George telephoned the rental firm in Portugal to make sure everything was ready for their arrival. But the company had no record of his booking.
“I felt sick to my stomach,” said Mr George. “I knew the holiday had been ruined and the money lost.”
The firm investigated and informed Mr George that it The Sunday Telegraph Sunday 29 May 2016 Money believed its
‘I was robbed of systems had been £137,000
– bank staff went home’ compromised. By the time the bank staff were back at work, there was no way to recover the It explained that stolen funds. Amelia Murray investigates
O
n first After the delay with her bank, Dr the fraudster had suspecting Wright faced further difficulty getting that she her case heard. had been When she tried to report the crime defrauded to the police, she was told she must of almost first go to national crime reporting £130,000, centre, Action Fraud. Ellen Wright’s However, Action Fraud told Dr first port of Wright that because there were
for inquiry been call was her bank. “insufficient viable lines
it would However, when she rep orted the for a successful investigation”
on to any law fraud at 6.40pm on a Friday evening, not be passing her case First Direct told her the fraud team enforcement agency.
believe had finished for the night. Dr Wright said: “I couldn’t
me my case A few days before, Dr Wright, it when Action Fraud told
I didn’t 56, thought she had made the final wasn’t worth investigating. £137,000 payment for a London flat kntohwedwahialyt Ttoeldego.raph Saturday 1 April 2017
take my she had bought for £148,000. “The police wouldn’t YOUR MONEY
Fraud and corresponding However, as in many cases of information without Action
wouldn’t conveyancing fraud reported by RBS, the fraudster’s bank
without the police Telegraph Money, Dr Wright had give me any details
Still waiting: Dr Wright is unsure been duped by an email from a getting involved.”
the criminal posing as her solicitor. The However, despite receiving
investigation, spoofed email explained a change letter dismissing further
Dr Wright’s in bank details and requested Dr Action Fraud did pass on
Police within Wright pay the remaining balance case to the Metropolitan
report. into the new account. four days of receiving the
said: with him from its How many Dr Wright was on a skiing An Action Fraud spokesman
sent to the holiday in Austria when she made “The crime report was
Bureau for the transaction by telephone. She National Fraud Intelligence
no viable returned four days later to the assessment, but there were
be passed to a devastating news that she had lost lines of inquiry for it to
investigation her savings and he r buy-to-let flat. police force for formal
of this.
criminals does She said: “If I’d been at home and and the victim was informed
passed to wasn’t rushing to meet the payment The report was, however,
Service for deadline, maybe I would have the Metropolitan Police genuine email spotted something.” victim care.”
Operation Operation While she was abroad, emails were Detectives from the Met’s ’s
and fraud sent by her solicitor firm, Beverly Falcon, the cyber crime
Barclays serve? Morris and Co in Blackheath, south
DAVIDROSE,JEFFGILBERTFORTHETELEGRAPH London, to let Dr Wright know the money had not been received. However, these were intercepted.
ih lf d th address using real templates the company CONTINUED FROM PAGE 1 funds. In some cases the original
account is opened by a student or Mr Eggleston, who runs an temporary British
resident who is accountancy business, said his later – perhaps
when they are leaving assistant would have had no reason the country –
persuaded to “sell” the to be suspicious of the email as he account to a fraudster
for cash. often made such requests. Your Money
asked Barclays why its He said the fraudster appeared to systems did not raise
a query over such have timed the attack for when he a large payment sent out to its
being made into the was away on business. account and withdrawn
again in such a “I don’t know how long they had short period. It
declined to answer. been watching communications As is the usual
course in such between myself and my assistant,” disputes, Barclays
suggested that said Mr Eggleston. “It was timed for Mr Eggleston’s
bank should have when I had money in my account questioned the
transaction. It has from the sale of a property. They refused to reimburse
any of the money. may have had access to my digital A spokesman
said: “This scam is customers. The only calendar to see I was out of the office.” a tragic case of
criminal theft by a It was only on closer inspection fraudster impersonating that Mr Eggleston they saw underneath the in an email to an employee.
We displayed name that the email acted swiftly to
recover any funds address was not his own. In an that remained
in Barclays accounts effort to uncover the criminal he at the time this
was reported by Mr sent another email back requesting Eggleston’s bank.
We hope that the alternative accounts to receive other polic e urgently
investigate this matter payments. Mr Eggleston was shocked and bring the
criminal to justice.” difference was the bank to find the two accounts provided Barclays added
that non-customers were also with Barclays. could report fraud
using social media He said: “Barclays has allowed channels such as
Twitter, or via several these criminals to open and run these phone numbers
found on its website. accounts. There are at least three in this case: how many more criminals ‘We lost £20,000 when we paid is it providing services to?” into a fraudster’s TSB account’ Mr Eggl eston reported the crime Five victims who
were defrauded on to his own bank, C Hoare & Co, ebay have collectively
lost almost account details. while a colleague contacted Action £20,000, which
was all paid into the Fraud, the national cybercrime same TSB account
between January 13 reporting service. and February
4. He also tried to contact Barclays In each case, they
thought they but was told that as he was not a were buying high-value
items such customer a report could not be made. as camera lenses
and Apple laptops “I couldn’t even get past the first priced between
£2,600 and £7,776. p age of security because I didn’t have The fraudster
was happy to a Barclays account,” he said. communicate The Georges decided
over email and by Using his contacts, Mr Eggleston telephone and, according
to one managed to get the email address of a victim, Sean Krikor,
who attempted senior member of staff at Barclays to to buy an Apple
Macbook Pro for report the crime. £2,700, he seemed
to “know what he However he said he found lk to “be positive and make the most of the holiday” and flew to Portugal as planned.
While out there they met the rental company and reported the crime to the local police. They also alerted the relevant authorities back in Britain.
The police case has been closed and Mr George’s bank, Lloyds, says the money is irrecoverable.
Mr George said: “It seems like anyone can just open a bank account, rob
someone and then
*** 3
disappear.”
The disaster could have been averted had Mr George paid
Sean Krikor, who was duped into paying £2,700 for a computer.
Below left, Andy
through Homeaway’s
Eggleston
authorises a payment, the customer is liable.
While some push payment fraud is compiled within the remote banking losses, it is not currently reported separately. We are now working with our members to be
system, which has its
able to provide enhanced data on push payment scams.” She said banks used a range of sophisticated security features to identify suspicious activity and continually invested in new detection and verification tools to stop fraudsters.
Hannah Nixon, managing director of the Payment Systems Regulator,
own “confidence
admitted to the lack of clear data and said: “We need a concerted and coordinated industry-wide approach to better protect consumers.”
guarantee” scheme. This means customers will get their money back if things go wrong.
His error was to pay directly. Homeaway said it is constantly investing to improve its security standards and continues to establish new ways to detect risks and warn users.
‘The day before we were due to fly I knew we’d lost £8,000 and the holiday’