It is the worst case of email intercept fraud that Money has ever featured. An Essex couple have lost £120,000 after sending the money to what they thought was their solicitor’s bank account, but which instead went to an account in Kent that was systematically emptied of £20,000 in cash every day for the next six days.
Peter and Alice Scott (not their real names), who live near Chelmsford, say they are “simply staggered” at the lack of response by the banks and the police after they unwittingly became the latest victims of email hacking fraudsters who have been targeting solicitors across the UK.
The couple’s story will serve as a warning to anyone about to send a large sum of money to a solicitor. It also exposes systemic flaws in the banking system that make it easy for fraudsters to operate unchecked and banks’ indifference to customers who have lost life-changing sums of money.
The extraordinary story started in late August when Peter telephoned his family’s long-used firm of solicitors, Steed & Steed, based in Braintree, Essex. He rang because he was due to pay his grandmother’s inheritance tax bill to HM Revenue & Customs and needed the law firm’s bank details. Later that morning, an email duly arrived with the firm’s account and sort code detailed in a Word file attachment. This was the first contact he had had with anyone at the law firm, he says.
Three days later, Peter went to the Braintree branch of Lloyds bank where he instructed staff to make a Chaps electronic payment for £120,000 to Steed & Steed, handing over the account details he had been sent in the email and his debit card. Eight hours later he received a text message from Lloyds to say the funds had been transferred to the receiving account.
“When I got home I emailed Steed & Steed to confirm I had made the payment and later received a reply from it confirming the funds had been received. A week later my wife asked me why we had not yet received a receipt from the solicitor so I called the firm and, to my shock, I was told it had not received the funds. At first I thought it was an error and went straight to the Lloyds branch,” he says.
Within a few hours the true horror of what had happened emerged. The email from Steed & Steed had been hacked and what Peter had been sent was the fraudster’s account details, to which he had sent the £120,000.
Through his contacts he was able to establish that the account the money had been sent to was a NatWest business account in the name of Graceak Ltd. He was also able to establish that all of his £120,000 had gone from that account, as £20,000 had been withdrawn over six days. The company has since been dissolved, according to Companies House.
“The Lloyds bank manager called the fraud team and later apologised for what had happened,” Peter says. “I felt it was a bit of an ‘Oh well, I’m really sorry, but there’s nothing we can do’. He advised me to call Action Fraud and the police. I left the branch feeling physically sick.”
Since then he says he has been staggered at the lack of interest in the theft of what is a considerable amount of money.
“We feel let down by everyone involved. We have heard nothing from the police or Action Fraud even though we have the name and address of the woman who ran the company account to which my money was paid. Action Fraud told me there was no guarantee that the police would even look at my case, and if they did it may take up to eight weeks to start their investigation. I could not believe my ears.”
Peter says Lloyds, which took eight hours to make the payment, did not carry out any checks to ensure the name of the firm to which the payment was to be made matched the account numbers, even though staff would have been aware that fraud in this area is rife. Lloyds did not appear to notice that it was paying Steed & Steed £120,000 in a NatWest account in Kent. He says he has since learned that the Steed & Steed account was held at that very branch in Braintree. The bank has declined all liability and told the couple they must to go to the Financial Ombudsman Service (FOS). They have been forced to borrow the £120,000 to make the original HMRC payment.
When staff at FOS look at this case, which could take months, they are likely to examine Lloyds’ liability to the couple. UK Payments, the body that oversees banking payments, pointed us to the regulations that govern this area. These state that a bank has to “have made clear to their customer how a Chaps payment will be processed” and that the bank “will make a payment solely on the basis of a unique identifier and will not execute it on the basis of the intended recipient’s name”.
Meanwhile, the security or otherwise of Steed & Steed’s email system is also likely to be investigated. In December 2016, regulatory body the Solicitors Regulation Authority warned that email hacks of conveyancing transactions had become the most common cybercrime in the legal sector. Firms are duty bound to inform the SRA if a client’s money is lost in this way.
Steed & Steed declined to tell Money what steps it had in place to prevent email fraud. It said it would be “inappropriate for us to provide any comment due to reasons of confidentiality and the fact that this matter is under police investigation”.
Lloyds similarly said it would not be commenting while the FOS investigation is ongoing.
NatWest said it had tried to help recover the couple’s funds but that none had remained when Lloyds advised it of this case.
Richard Emery, an independent bank security expert who has helped previous victims featured in Money, has offered to look at the case. Money will be passing on his details to the Scotts.
The Scotts’ story is a timely reminder to never trust an email containing bank or other payment request details and to always phone the person you want to pay to check the information before you send a significant sum.
In recent years Money has featured many cases of email interception fraud and the sums lost have been eye-watering. In January, Howard Mollett lost £67,000 after hackers gained access to his solicitor’s email account. As a result, he sent his house purchase deposit to an account used by fraudsters. Last year, a north London couple lost £25,000 after conmen intercepted emails between them and their builder. They thought they had sent him a deposit allowing him to buy materials. Instead, the money was lost.
In each case the fraudsters exploited a little-known but significant flaw in the banking system – the name on a bank account does not have to match an online or Chaps payment request.
A person can put Mickey Mouse in a transfer mandate and the money will be paid to the account with that sort code and account number, irrespective of whether the name matches or not. Campaigners have described this flaw as a “fraudster’s dream”. Despite the fact that bank fraud is out of control, the Financial Conduct Authority, which oversees banks, has shown little interest in forcing them to match payment requests to account names. Experts say such a move would halt most of these frauds overnight.
Over a year ago, the consumer body Which? lodged a “supercomplaint” with financial regulators demanding banks do more to protect customers tricked into transferring money. So far no concrete measurers have emerged and consumers’ losses grow every week.