Couple robbed of R250,000 by hackers while trying to buy a house

A couple who were buying their first home in Knysna had their R250,000 deposit stolen when a hacker scammed them into depositing the money into the wrong bank account.

The scammer spoofed the e-mail address of the conveyancer, Deon Boshoff Attorney, and asked the buyer, Shandin Thompson, to deposit the money into their “trust account”.

E-mails from Thompson showed he found it curious that the lawyer was pushing for the deposit to be paid, as they had arranged an extension on the payment date with the attorney.

Not wanting to lose the deal on the home, Thompson and his wife arranged to pay the deposit a few days earlier than they had negotiated.

Gmail didn’t flag the spoofed e-mails, and the banks didn’t flag the R250,000 transfer to the scammer’s account.

The fact that the money had been paid into the wrong account wasn’t discovered for weeks.

While an investigation has been opened, Thompson has not been able to recover his money, nor has he been offered compensation by the banks or transferring attorney.

Old scam, new tricks

Real estate scams such as this are nothing new.

Fraudsters stole R900,000 from a man in November using a similar scam, with at least 11 similar cases under investigation in Cape Town.

The e-mails between Thompson and the scammer show that they routed replies to a Gmail address they controlled using the standard “reply-to” field.

Although the “reply-to” information is a detail many gloss over, Thompson said he did notice it, but didn’t think much of it as many people route their e-mails through online mail services.

A look at the mail headers shows that the scammers sent their e-mails via a virtual private server on the name-servers.gr domain, on Lancom Limited’s network in Greece.

Received-SPF: neutral (google.com: 185.25.22.46 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=185.25.22.46;

Authentication-Results: mx.google.com; spf=neutral (google.com: 185.25.22.46 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]

After making the payment, Thompson sent an e-mail with the proof of payment to Deon Boshoff Attorney, including the reply-to address the scammers had injected into the conversation.

When it was discovered the money was missing, Thompson found out that the scammer had spoofed his address and sent a follow-up mail asking the attorney to disregard the proof of payment.

This raises a number of questions regarding how the scam remained undiscovered for so long.

Verification failure

In their weekly reports to the estate agent, the attorneys checked that the deposit had been paid to the agent.

Queried about why this was done when the last communication Thompson appeared to send was to disregard the proof of payment, the attorney, Deon Boshoff, said it was because the deposit was not meant to be paid to him.

“According to the deed of sale and confirmed by correspondence, the deposit was supposed to be paid to the estate agent,” said Boshoff.

“The purchaser undertook to make payment by 9 October. The agent knew about this arrangement and was expecting the payment.”

Boshoff said he assumed the payment was made accordingly, and when neither Thompson nor the agent advised him otherwise, his weekly report dated 13 October stated that the deposit must be in the agent’s possession.

“I was not advised to the contrary and, in similar weekly reports, the fact that I believed that they were in receipt of the deposit was recorded.”

Boshoff stated that their service provider said no security breach on their network or e-mail servers had been detected.

Why didn’t the bank flag the suspicious account?

Thompson made the payment from an FNB account to a Nedbank account.

Both banks were asked why the account names provided were not verified against the actual name on the account, and why their systems hadn’t flagged the transaction as suspicious.

FNB said its online banking platform has a facility that clients can use to verify banking details before concluding a transaction.

“It remains the responsibility of the client to ensure they pay the correct recipient. FNB has limited investigative power over this matter as the money was paid into an account held with another bank.”

Nedbank said that fraud detection parameters are continuously reviewed and that no system is 100% accurate at detecting fraudulent payments.

“When we do become aware of fraud, we immediately take action,” said Nedbank.

It said it is not technically feasible to verify payments on the basis of both the account number and name, due to the different ways in which an account holder’s name may be styled or spelled.

“Many legitimate transactions would therefore also fail such a validation check.”

Getting their money back

Nedbank said the first thing a victim should do is report the matter to the police.

“Where bank clients believe they have lost money through the fault of their banks, they may lodge a claim against their bank.”

“If they are not satisfied with the outcome of this process, they may also take the matter to the Ombudsman for Banking Services.”

Nedbank said it also cooperates with the South African Banking Risk Information Centre and SAPS.

It stated there has been an increase in criminals hacking into e-mail accounts and sending out fraudulent banking details, and clients should never follow payment instructions only on the basis of an e-mail.

Follow up the instructions through an independent channel such as a telephone call, said Nedbank.

More on information security

Use this tool to check how strong your password is

SA banks face increasing risk of cybercrime

South African hotel targeted in credit card cyber attack

Scam on OLX costs Free State farmer R21,000

Cape Town man robbed of R900,000 after hackers breach estate agent email account