The Daily Telegraph - Saturday - Money

‘Cyber hackers impersonated my nephew to steal £100k’


Q: Two years ago, a monstrous fraud was perpetrated via me and my wife on a trust that we manage on behalf of my late brother-in-law, distributing funds to his adult son. A sum of £100,000 was spirited away, it is believed, to Nigeria, of which nothing has been recovered.

Our nephew was experiencing significant stress-related mental health problems, which had affected his finances. It seemed likely that he would need to sell his house unless he received a cash injection, so we decided to unlock some money from the trust.

We were corresponding with our nephew over email and unbeknown to us, cyber fraudsters had hacked into one of our computers. They were diverting all our emails to another account without our knowledge; returning the relevant ones to us (having been altered) and later even initiating emails created by them, but written in our style.

They managed to intercept all traffic between us, our nephew and the company managing the trust, JM Finn. Using an email account that was very slightly different from our nephew’s, they first managed to trick us into transferring £90,000 from the trust into a foreign exchange account, which appeared to have been in our nephew’s name. They then tricked JM Finn into transferring another £10,000 into the same account, before the alarm was raised a few days later.

We brought in security experts to discover how the crime was committed, and to beef up our protection. We had endless discussions with several police forces and raised official complaints against JM Finn, its bank and currency platform Verto FX.

JM Finn admitted it was responsible for the smaller, second loss of £10,000 and it reimbursed the trust with this amount. However, it refused to refund the rest as it said it was not at fault. We also complained to Verto FX and took our case to the Financial Ombudsman, but after nearly six months the Ombudsman said it could not help because we were not “eligible complainants”, as we had no direct relationship with Verto FX.

In February last year we asked our lawyers to review the whole case to see if there remained any route untested. We also approached our local MP, who helped us write to the Financial Conduct Authority. The FCA replied to our MP recommending that we make a complaint against JM Finn, which it regulates. Accordingly, we wrote to JM Finn’s chief executive, who investigated but decided no further compensation was going to be paid as JM Finn had taken all measures correctly.

– Anon

A: You and your wife were handpicked by your late brother to be the trustees of his estate. This was owing to your absolute reliability and trustworthiness as family members, rather than any specific financial training. You take this responsibility as trustees extremely seriously and you were both left feeling utterly awful after this evil cyber fraud, which was silently perpetrated over the course of many weeks without either of you suspecting.

By your own admission, neither of you are particularly tech-savvy people, and it’s only because you’ve employed cyber experts to assess the situation retrospectively that you now understand that the criminals may have gained access to your computer by tricking you into downloading spyware on to your computer, possibly from an email.

Once they had access to your emails the fraudster was able to learn of the impending £90,000 transfer from the trust and intercept conversations at opportune moments, using an email address that was identical to your nephew’s other than the domain, which was virginmedia.com instead of hotmail.com. This truly is the sort of scam that anyone could fall for, as it’s so hard to spot. Then, sending an email from your real email address, the fraudster struck again, tricking JM Finn into sending a further £10,000 to the fraudulent Verto FX account.

The JM Finn trust arrangement had been in place for 30 years and it was set up in such a way that its beneficiaries could only receive funds with trustees’ authorisation. As trustees it was also down to you to provide the bank account details for your nephew’s account, which you thought you had received via email. But what you – and JM Finn – didn’t know was that these bank details were actually the fraudster’s. I asked you what security had been in place, when you relayed these details on to JM Finn, to check the money was going to the right place.

You said JM Finn called you and simply asked “are you sure you have the right details?”, to which you responded “yes”. Then it processed the transfer. Considering you, an untrained layperson, were the gatekeeper of a £90,000 transfer, this level of security was, in my opinion, far too lax. It is certainly well below the standard at high street banks, which have been forced to tighten up their procedures in recent years amid a tidal wave of fraud.

In my view, what JM Finn should have asked you instead were two very specific questions: “have you verbally confirmed the bank details with the beneficiary?” You would have answered “no”, in which case you should have been asked to do so, but you should also have been asked: “have you checked the email address from which the bank details came is definitely correct?” In other industries where large customer-executed bank transfers are commonplace, such as conveyancing, such specific questions are commonplace. Given the trust’s set-up, I felt JM Finn should have been more switched on to this type of fraud, and known the right questions to ask you to pre-emptively weed it out.

I’ve caught banks out before for failing to ask the right questions on security calls, after which they have quite rightly admitted fault and coughed up.

Therefore, I was hoping JM Finn, as a respectable FCA-regulated asset manager, might do the same, once I’d shown it how it could and should have done better. But no such luck. It was not prepared to accept that it had failed in any way, shape or form. From the first conversation I had with JM Finn it felt like it was on the defensive, repeatedly reverting back to the line “we correctly followed our procedures”. When I tried to explain that it was precisely its procedures that were the problem, it disagreed. Getting nowhere with its journalist-facing team and, frankly, feeling appalled at its attitude and lack of interest in improving security to prevent future fraud among its customers, I demanded a meeting with its chief executive. I’m pleased to say this did materialise.

While he managed to persuade me that the company was taking your case seriously and taking steps to tighten up fraud prevention for clients, he stood firm on not compensating the trust beyond the £10,000 it had already paid out because “processes were correctly followed”. When I approached Verto FX, it said: “Upon being notified of suspected push payment fraud by the originating bank account, we immediately conducted our own investigation and attempted to reclaim the funds. This was unfortunately unsuccessful.

“We have co-operated fully with the Financial Ombudsman’s investigation. We have deep sympathy for the victims in this case, however, we do believe that we acted properly and fully in adherence to the required regulations and procedures.”

A JM Finn spokesman said: “Sadly, financial crime is becoming increasingly common and, on this occasion, a beneficiary of a trust that we managed had their email account hacked, resulting in them sending us incorrect payee bank details. During our call back to the trustee, he again verbally confirmed the same account details, which we then paid to in good faith.

“On learning that the trustee provided incorrect details, we worked with our bank and the recipient bank to attempt [to] trace the funds but unfortunately were unable to do so.”

Your case is a terrifying lesson for other trustees who are gatekeeping large transfers from trusts run by professional fund managers, without financial or cyber-security training. Companies like JM Finn claim the security of their clients’ money is their top priority, but when push comes to shove, questions still remain as to whose financial interests come first.
