Email hacking fraud hits home renovators: ‘I paid £10,800 to a bogus builder’

First came “solicitor fraud”, where conmen intercepted emails between property buyers and conveyancers and diverted huge sums to the wrong accounts.

Now this form of life-destroying crime has widened out to embrace other, big-ticket transactions, including home renovations and building work.

The mechanism is the same: fraudsters impersonate one or other party involved in the transaction and request that the payments are sent to an account controlled by criminals. And because victims of such scams tend to pay by bank transfer, which offers no protection if things go wrong, the banks are able to wash their hands of responsibility.

Having highlighted many cases of the solicitor-related frauds, Telegraph Money is now receiving numerous emails from readers, such as Arthur Mullinger, pictured above, who have discovered they have paid thousands of pounds to a criminal instead of the tradesman working on their home.

‘A fraudster stole £19,821, and Lloyds wouldn’t even make a phone call’
‘I lost £7,858 because TSB failed to check a fraudster’s address’
Fraudsters are able to target building firms, and other companies, who may not have secure systems and could be using the same password for multiple online accounts, said Owen Quinn, a cyber security researcher at Equiniti, the technology and financial services firm.

Criminals find builders’ email addresses online, and run these through freely available software online in order to see if there are any known passwords associated with those accounts.

If they obtain the correct passwords, fraudsters can then access the email accounts and send emails purporting to be from the builder or contractor.

By reading through previous email exchanges they can quickly understand transactions and find ways to trick customers into making payments to designated accounts. Emails can also be deleted.

While builder invoice fraud may not involve sums as large as those associated with property sales, losses may still be life-changing.

‘Criminals posed as my subcontractor and my builder’

Fraudsters tricked lawyer Mr Mullinger into paying £10,800 into their Lloyds account after posing as the tradesman working on his third floor extension.

Mr Mullinger, 64, said he had been expecting an invoice and said he had no reason to believe that fraudsters had taken over his subcontractor’s account. He was in France at the time and made the payment on July 10 by bank transfer into the criminal’s Lloyds account.

The fraudsters struck again the next day, this time posing as Mr Mullinger’s subcontractor, and requested another £11,000 be paid into a Barclays account.

Mr Mullinger said he wasn’t suspicious but as the invoice came out of the blue, he decided to hold off on the payment until he returned home on July 13 and spoke to the the builder.

They discovered the builder’s email account had been hacked. Mr Mullinger alerted his bank, Barclays, about the attempted fraud.

Later that day, when Mr Mullinger met the subcontractor who said he had yet to be paid, the rest of the scam was uncovered.

Mr Mullinger contacted Barclays again and it said it would contact Lloyds to see if there were any funds remaining. He said he also hoped that Barclays would investigate the second account.

However, Barclays told Mr Mullinger that as no funds had been transferred, the investigation would be limited.

In a letter seen by Telegraph Money, the bank said that it could do nothing more than “apply necessary cautions and review the account”. Barclays also said in the letter it only share information with the police if it was asked to.

Mr Mullinger said: “The fraudster’s not just some person who’s sat there and struck lucky. They’re probably setting up hundreds of accounts which are getting past the banks’ checks.

“I would’ve thought Barclays would have wanted to show me it had done all it could to prevent the fraud and to stop it happening again.”

A spokesman confirmed the bank took steps to ensure there were no loss of funds by any intended victim and information has been shared with UK Finance, which represents 300 financial firms, in order to prevent accounts being opened with the same identity.

‘A bogus builder emailed me telling me the bank details had changed’

Another reader, Tom Rogers, was tricked by a similar scam.

Mr Rogers, from Maidstone, Kent, believes fraudsters had been intercepting emails between him and the builder in charge of his extension for a while before they made their move.

It was not until the final payment of £5,872 was due when he received an email telling him the bank details had changed.

Mr Rogers, 41, said he was busy at the time and thought nothing of it. He made the transfer to the new Santander account on July 9.

He texted the builder two minutes later to let him know where he had paid the money but he did not respond until that evening. It was then that the ruse was uncovered.

Mr Rogers, who works for a fresh produce supplier, reported it to his bank, Lloyds, immediately.

He also contacted Santander to alert it to its criminal customer. The bank refused to take any details and told him it would need to be contacted by his bank.

Mr Rogers, who had a crime reference number at the point, told Telegraph Money he questioned Santander.

He said: “I remember saying: ‘Just to be clear, you are not interested in knowing that an account at your bank is being used fraudulently?”. The Santander call handler said no details could be taken.

“It just goes to show the banks don’t care”, said Mr Rogers.

No refund

In both of these cases the banks refused to reimburse the funds that had already left the fraudsters’ accounts. In the case of Mr Mullinger and Mr Rogers, this was the entire sum.

However, after pressure from this newspaper, Lloyds investigated Mr Rogers’ case and found that it had delayed retrieving the money. It has agreed to reimburse Mr Rogers £5,872 (the full amount he transferred) plus £300 compensation.

Santander also apologised and offered £100 goodwill. It said it was “regrettable” that it “simply referred Mr Rogers back to his own bank” without taking any detail which might have been helpful to its fraud department. It apologised to Mr Rogers and has offered £100, with no admission of liability.

However, Mr Mullinger’s bank Barclays said because the payment was authorised it would not offer a refund. The bank said it contacted Lloyds as soon as it was alerted but could not recover any funds.


Leave a Reply