A reader contacted Pricewatch last week with a story that has seen someone – either herself or a business she was dealing with – losing more than €10,000 at the stroke of a keyboard.
“Our story begins with looking for a company to install solar panels on our house last summer,” her mail begins.
“We spent a lot of time researching the different companies, what they offered and what sort of system we needed. We decided to go with a business who had completed similar work for friends of ours.”
The installation happened last summer “and we were generally happy with the installers and the work they had done”.
Couple scammed with solar panels fake invoice: ‘Unfortunately we paid over €10,000’
Our reader then received an invoice for the work from the company. She notes that her husband was supposed to be CCed on the same email but, for reasons she can’t explain, he wasn’t.
Almost simultaneously, however, her husband did get what looked like an identical email seemingly from [company] seeking the same amount of money so he paid what was owed.
“It transpired that this email was not sent from the legitimate business,” she writes.
“The only difference in the content of the emails was the bank details where the money was to be transferred. We subsequently both also received further emails from this person imitating the legitimate business. Neither of us suspected anything unusual at this point, and unfortunately, we paid over €10,000.”
Within a day they were talking to the company and it became clear that they had paid a scammer, she continues.
They contacted their bank, the bank where the money had been wrongly sent, and An Garda Síochána but have received little by way of assurance and certainly no comeback.
The bottom line was – she says – that their bank told them that, as they had authorised the payment, there was very little that could be done.
“A number of months have now passed, and we are not sure how to proceed. The installers insist their systems have not been hacked and that our personal email accounts must have been compromised in some way. We don’t know where the truth lies, but the installers understandably are looking for payment. This whole episode has been extremely stressful and we don’t really know how to progress.”
[ Q&A: How to spot the invoice scam and what to do if your firm is targeted ]
This sounds like a version of the fake invoice scam. Such scams can see people – and businesses – losing thousands of euro very quickly. Typically criminals send emails to businesses and individuals purporting to be a legitimate supplier. The emails contain a request for the firm to change the bank account details on record for the supplier to a new bank account.
The new account is controlled by the criminals. Nothing might happen for weeks or even months and, in many instances, the business does not know it is a victim of this scam until the legitimate supplier sends a reminder invoice seeking payment.
This story is somewhat different in that our reader was targeted directly by the criminals, who had all the details of work carried out, the business who did the job and the agreed price. They were also able to mock up a legitimate-looking invoice.
We contacted Paul C Dwyer, the chief executive of Cyber Risk International and the director of the International Cyber Threat Task Force.
He says he hears stories like this almost every single week – with people sometimes losing substantially more than our reader. He suggests that – based on his experience – it is most likely the company’s systems that were compromised and he points out that for a relatively small sum like this, the legal route will most likely not work for either party as solicitors’ fees would quickly swallow up the €10,000.
Businesses have, he says, a “duty of care” to protect their customers and they should all take steps to ensure their domain name can’t be faked to make it easier to clone an email address.
“To set it up takes five minutes and costs nothing, so it should be done by all businesses,” he says.
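Dwyer does not name the mechanism, but the free, five-minute step that stops a business's domain being used on forged mail is the publication of SPF and DMARC records in DNS; that reading is an assumption made here. The script below is an added example, not anything from the article or from Cyber Risk International. It takes the raw TXT record strings (in practice fetched with `dig TXT example.com` and `dig TXT _dmarc.example.com`) and flags the configurations that still let an outsider send as the domain. The records and the domain `example.com` are constructed.

```python
"""Check whether a sender domain's published SPF and DMARC records stop exact-domain
spoofing. Works on raw TXT record strings so it runs offline; the records below are
constructed and stand in for TXT lookups of the domain and of _dmarc.<domain>."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC syntax) into a dict of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Return the qualifier ('+', '-', '~' or '?') on the SPF 'all' mechanism, or None
    when there is no SPF record or the record never reaches 'all'."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    for term in spf.split()[1:]:
        term = term.lower()
        if term == "all":
            return "+"  # a bare 'all' means pass for every sending host
        if term in ("+all", "-all", "~all", "?all"):
            return term[0]
    return None


@dataclass
class SpoofAssessment:
    spf_all: Optional[str]
    dmarc_policy: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def spoof_resistant(self) -> bool:
        return not self.findings


def assess(spf: Optional[str], dmarc: Optional[str]) -> SpoofAssessment:
    """Flag configurations that let anyone send mail as the domain and have it accepted."""
    qualifier = spf_all_qualifier(spf)
    tags = parse_tags(dmarc) if dmarc and dmarc.lower().startswith("v=dmarc1") else {}
    policy = tags.get("p", "").lower() or None
    findings: List[str] = []

    if qualifier is None:
        findings.append("no usable SPF record: receivers cannot tell which hosts may send for the domain")
    elif qualifier == "+":
        findings.append("SPF '+all': every host passes, so SPF adds nothing")

    if policy is None:
        findings.append("no DMARC record: receivers are given no policy for unauthenticated mail")
    elif policy == "none":
        findings.append("DMARC p=none only requests reports; spoofed mail is still delivered")
    elif tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: the policy is applied to only a sample of mail")

    return SpoofAssessment(qualifier, policy, findings)


# Constructed records for a hypothetical example.com: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
HARDENED_SPF = "v=spf1 include:_spf.mail-provider.example -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        result = assess(spf, dmarc)
        print(label, "ok" if result.spoof_resistant else "; ".join(result.findings))
```

Two caveats a practitioner would add. The check does not assess DKIM, which DMARC also relies on, so a clean result here means the records are enforcing, not that the domain's mail setup is complete. And DMARC only stops mail that claims to come from the exact domain: it does nothing against a lookalike domain or a free-mail address of the kind Dwyer mentions below, which is why the payee details on the invoice still need their own check.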
He says the criminals were targeting fairly small sums of money knowing the banks and the authorities would do very little to get it back. “If people were being robbed of 10 grand on the street we would be up in arms but because it happens online almost nothing gets done,” he says. “The fact is criminals are reaching into our digital wallets and taking this money all the time and with almost impunity.”
He says that even if the email address was not cloned and the second invoice came from a Gmail account, the company might struggle to get the money back as the criminals were able to replicate the invoice and knew the exact amount to ask for.
He says it is not good enough that the solar panel company says it is not its fault. “They would need an assessment done of their systems to see if there is malware on it. And that is the case in the vast majority of cases I see. It is possible the criminals had access to this customer’s system but they would have had to do some digging to find out the details of the invoice and how much was owed and when it was due. They don’t put in that much effort; they are machines with a rinse and repeat model.”
As to what people might do to protect themselves, he notes that we are all potentially vulnerable as it is easier for criminals to target business-to-consumer companies rather than business-to-business operations.
“When it is B2B, companies have to verify a change of a bank account and a changed Iban number will be a red flag but the consumer doesn’t actually have the time or energy or inclination or resources to know what to do in cases like this. It is easy pickings for the criminals. If I got an invoice and I was dealing with a builder or something at home and I was expecting it I would probably just send the money. A lot of tradespeople have ugly-looking invoices and email addresses and don’t have an internet presence so we tend to just go along with it. That is where the danger lies.”
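The control Dwyer describes for B2B, and the one that would have caught the scam set out earlier in the piece (an invoice identical to the genuine one except for the bank details), is a comparison of the payee account against what is already on record, with any change confirmed out of band. The script below is an added example, not code from the article or from anyone quoted in it. It validates the IBAN checksum, compares the IBAN and the sending domain with the supplier record, and refuses to clear payment until every mismatch is explained. The supplier, domain and invoices are constructed; the two well-formed IBANs are the published format examples for Ireland and the UK, not real accounts.

```python
"""Payee-change check for an incoming invoice: validate the IBAN, compare it and the
sending domain with the supplier details already on record, and hold payment on any
mismatch. All supplier and invoice data below is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional


def normalise_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map letters
    A..Z to 10..35, and the resulting integer must leave remainder 1 when divided by 97."""
    s = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(numeric) % 97 == 1


@dataclass
class SupplierRecord:
    name: str
    domain: str   # domain the supplier's mail normally comes from
    iban: str     # account confirmed when the supplier was first set up


@dataclass
class Invoice:
    supplier: str
    sender_domain: str  # domain of the address the invoice arrived from
    iban: str


@dataclass
class Decision:
    pay: bool
    reasons: List[str]


def check_invoice(inv: Invoice, record: Optional[SupplierRecord]) -> Decision:
    """Clear payment only when the IBAN is well formed and nothing differs from the record."""
    reasons: List[str] = []
    if not iban_checksum_ok(inv.iban):
        reasons.append("IBAN fails the mod-97 check: mistyped or fabricated")
    if record is None:
        reasons.append("no supplier on record: confirm payee details by phone before first payment")
    else:
        if normalise_iban(inv.iban) != normalise_iban(record.iban):
            reasons.append("IBAN differs from the account on record: confirm on a known phone "
                           "number, not by replying to the email")
        if inv.sender_domain.lower() != record.domain.lower():
            reasons.append(f"invoice sent from {inv.sender_domain}; supplier's domain on "
                           f"record is {record.domain}")
    return Decision(pay=not reasons, reasons=reasons)


# Constructed supplier record and invoices. The IBANs are the standard format examples.
ON_RECORD = SupplierRecord("Example Solar Ltd", "example-solar.example", "IE29 AIBK 9311 5212 3456 78")
GENUINE = Invoice("Example Solar Ltd", "example-solar.example", "IE29 AIBK 9311 5212 3456 78")
# Same supplier and sending domain, only the account differs: the pattern in the article.
CHANGED_ACCOUNT = Invoice("Example Solar Ltd", "example-solar.example", "GB82 WEST 1234 5698 7654 32")
# Free-mail sender with a mistyped account number.
FREEMAIL = Invoice("Example Solar Ltd", "gmail.com", "GB82 WEST 1234 5698 7654 33")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("changed account", CHANGED_ACCOUNT), ("freemail", FREEMAIL)):
        d = check_invoice(inv, ON_RECORD)
        print(label, "pay" if d.pay else "HOLD: " + " | ".join(d.reasons))
```

The checksum catches typos and carelessly invented account numbers, but a valid IBAN tells you nothing about who owns it; the comparison with the record is the part that matters, and the only safe way to resolve a mismatch is a call to a number obtained independently of the invoice.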