Funds Transfer Scam: who is responsible?

Been reading a few articles (both real estate transactions and general purchase/supply of goods) type of transactions,

where a scammer hacks into the emails and pretends to be the seller/agent and asks for deposits/proceeds to the scammers account,

so who's "fault" is it?

the agent/seller for allowing their emails getting hacked or the buyer for transferring it to the wrong account?

and who does the bank chase for not settling a sale?

 

what do you mean by fault?

If someone transfers money it is their responsibility to check where it is going. they might have recourse against the bank and/or agent, but they may not.

what do you mean by bank chasing?

 

If Im buying a property, and im dealing with the agent to transfer deposit, and I get an email from the agent saying "these are our account details" however its been hacked by a scammer, and I transfer the deposit to the scammers account,

is it my fault for transferring it to the wrong account, or is it the agents fault for letting their emails get hacked?

 

Yes you fault as your money is lost. You would then have to try to recover your money from the agent, which may be a difficult thing to do.

 

You should check with the payee by phone to confirm details.

 

Definitely something i have been doing more these days.

Go back a few years and i wouldnt have even thought about it

 

Agent would laugh...it would be funny..,

 

Normally the fraud occurs when the fraudsters get you(or a business) to change the account numbers and pretend to be someone else, at which stage you ring the real estate , speak to accounts and confirm the change of bank details.(but dont ring the number straight of the email asking you to change account numbers.)
Most account departments now have procedures in place to also verbally follow up on changes to account numbers

 

Yesterday I received an email, supposedly from Telstra, with a link to my bill. It was a phishing email. Had I clicked the link, it may have installed some spyware on my computer and recorded my internet banking details amongst other things. Do you really think Telstra would compensate me if a scammer emptied my bank accounts?


You don't need to 'hack' someone's email account to make it look like an email came from them. It's not difficult to send someone an email with false sender information on it, the agents account doesn't need to be compromised at all.

Therefore the agent has no way of preventing the problem, so how could they be held responsible?

 

This came up with a PEXA issue or there were 2 very similar issues.

Let me grab link PEXA beefs up security controls after home sale fraud

 

A scam is called a scam because it uses confidence tricks to access information to fraud. It does not mean the party named or used as the front is involved or liable.

Most are quite obvious. eg On Saturday I got a robo message from NBN about my debt. NBN is a whole sale service. I cant have a NBN account even if I wanted one. Therefore I cant owe them. Hang up.

 

How would the scammer know who to email?

This is clearly not the scenario described in the OP in which a scammer could access recent email comms and reply to existing email chains to appear much more legitimate than a random email that shows up in your inbox from a company you've never heard of (to transfer a deposit for a house you know nothing about ).

I think it's a really interesting question.. e.g. what level of responsibility does a business/agency have in securing their communication systems?

Someone mentioned phoning them, what if the agent had their SIM jacked in conjunction with the email account?

 

Perhaps the scamer is an enterprising intern working for the sellers solicitor. Similar scenarios have actually occurred with this sort of context.

Having your internet services hacked doesn't make you responsible or liable for a crime. Email is not a secure system even though many people assume it's safe. The same goes for your telephone and postal mail.

I've personally used a 'packet sniffer' to intercept internet traffic and emails are sent without any encryption or protection. It's really easy if you're in the right place at the right time. Think about this the next time you use public Wifi.

It's also worth keeping in mind that very few businesses actually host their own IT systems. A lot of business email is hosted by Google or Microsoft.

 

Which means any breached accounts are more likely a result of negligence (i.e. poor password management) rather than an email system being hacked per se.

I don't know where the law stands, but if I was put in the position of having paid a deposit into a scam account supplied by the real estate agent's email account, I wouldn't be moving on without seeing what legal avenues there were to pursue the agency for the loss (assuming it wasn't recovered by the police).

 

In one case that we heard of ,I think the people that ran the scam knew that a particular person had a property with a specific agent .
The person that actually owned the property lived overseas and the fraudsters impersonated him and set up an "updated" email address and from that point managed to get the property sold and the money placed into their own accounts

 

Often this is an office365 breach, the hacker sets up mail redirects and deletes in rules to monitor traffic and then place themselves in communications at the right time. The initial entry point may be spyware / keylogger.

I don’t see a court finding in favor of a payer over an SME who has been hacked provided a reasonable level of preacaution has been taken. At the end of the day the onus is on the payer to satisfy themselves they are paying the correct account.

 

"Harlo....I am from dee Testra Tecknikal Deepartment and we have notted a prorblem wit yur intanet. Orl yu need to doo is downloowd dis code into yur kompoota. Arr yu sittin in front of yur Kompoota?"

Datto : Have you got your keyboard in front of you?

"Yees"

Datta: Then bend over and shove it up ...........clunk

 

I know someone who fell for the Telstra Technical Dept scam two years before they acted. They waited, watched and read. Then acted when it was timely. After the fraud occurred Police analysed the PC and confirmed all blame sat with the person who had no Norton, didnt even change passwords for email or device. And used same login/password for almost everything !! The bank password was protected from key logging but as it was same one as the email it was compromised.

 

How can police confirm a civil matter like this?

 

I've seen case law on this, but can't find it right now. The onus is on the buyer to ensure they're depositing to the correct account - unless there's evidence the email actually originated from the RE agent and they included the incorrect account details (which I'm assuming isn't the case). If the real estate agent was hacked, they're the victim of a crime, not the perpetrator of it, and there's a common law principle that victims of crime aren't punished for being victims of crime. (In the absence of some overriding principle, such as a statutory duty to have a certain level of software security, and evidence that that duty was breached, and I haven't seen either such a duty or its breach identified here.)

I'd definitely feel a lot of sympathy for such a buyer, but that doesn't make it the agent's responsibility.

Just a reminder that we have to always be alert to how things can go wrong, and double-check that everything's right before transferring large sums of money.