Scam: AIBU to think we should not be fully liable?

[whatajobbeingsamumis30]

So this is super crap but basically we had a scam done on us, we used a roofing company and received an copy of an invoice previously received detailing different bank details (it was from an email slightly different company.com v companyltd.com) - we had a dialogue by email and then we paid. It came to light a few weeks later. This is for a few thousands pounds. The roofing company says we still owe them the money which I understand however this scam happened to another of their clients who picked up on it and didn't pay - should they not have warned us their network was now at risk? The police have said they will not investigate (why do I pay taxes?!?) and the bank we paid are taking no responsibly (surely they know who is the scammer). AIBU to think that we should not pay full balance to roofing company? It is because there system was not secure that this has happened?

I am sorry this happened to you. It happened to the treasurer of a local charity that my dh is involved in too.

However you do have to pay the roofer

There has been so much publicity about these scams that I would never transfer money electronically without ringing the company and checking the a/c details with them.

A friend of mine lost over £50,000 like this when paying a deposit on a house. You won't get it back sadly.
And yes, you need to pay your roofer. Otherwise they will be perfectly within their rights to take legal action, which potentially could cost you even more.

I think what OP is claiming is that if previous customers had the same scam, that either someone for the company is scamming money on the QT or that their information has been comprised which they haven't warned their customers of. Is that right OP?

My husband had this a while ago, before this kind of scam was well known.

We reported to Action Fraud, but didn't get our money back.

I now always check payment details by a second method (so if details are emailed I check using the usual phone number (not one within the payment details email). We do this at work too (law firm).

I work for a bank and deal with this often...it's incredibly common ATM and unfortunately in the vast majority of cases you won't get your money back.

The bank won't take responsibility as it's not their fault - if you voluntarily paid the money (as opposed to having your internet banking hacked or similar) then it's 'external' and not bank fraud. However, the banks fraud department can and should contact the receiving accounts bank to find out if any funds remain - and if they do, to instruct a block on the receiving account to retain funds whilst the receiving bank liaise with the police and action fraud...but in the rare cases where funds remain, this can take a long time.

It's not an easy job for the receiving bank to trace the fraudster as it's unlikely the account holder is genuine. In most cases, the bank details given are for a genuine persons account who has been hacked themselves by the same fraudster, who withdraws the funds from their account and disappears.

I'm honestly not a "cunt" as described above .... The most likely explanation by a very, very long way is inside job. Just really, what are thd chances of a random email about payment of a large sum being intercepted?!

I'm honestly not a "cunt" as described above .... The most likely explanation by a very, very long way is inside job. Just really, what are thd chances of a random email about payment of a large sum being intercepted?!

I agree you are most certainly NOT the C word. But in actual fact it's very unlikely it's an inside job, email interception is sadly an increasingly common phenomena, as many of the below comments confirm. It's been all over the news sadly.

SouthWinds: yes, this happened to other customers.

From some other posts, during the dialogue by email, we were also having conversations as we were negotiating the final bill (they broke our roof light by mistake and we provided it to fix so we had to confirm the cost).

I understand that we should pay the roofers for the work they have done, my point is, we received an exact copy of the invoice we had previously received with updated bank details, perhaps just luck, but we hadn't paid yet, was a few days later (therefore this was all in real time). It had all of our personal details and specifics about the job, this means that the company's network has been compromised especially given that it had happened to another customer. I would think that in this day and age, a limited company is responsible for having a secure network. This had already happened to them therefore they knew that there network was insecure therefore surely they should have told customers and secured there network. Perhaps the roofers should be chasing the police as it is their network that has been hacked, not ours?

I am absolutely disgusted that the cyber fraud do not warrant this a 'big' enough amount of money for them to investigate and also that the bank in question, with all of their checks, allows for this activity to be happening by not giving up the details of the individuals (we all know all the identity checks which are done for opening bank account).

I feel bad for the roofers and us, it is a crap situation, going forward I will be double checking all payments but I would not should this not have happened to me. Just to note - the roofers, apart from smashing a roof light, did an excellent job and were speedy in repairing what they had broke after we supplied the part. It is a real shame!!

Sky accidentally paid £3000 into my account - no fraud involved - and the advice I was given was that legally I had to give it back, even though they paid it willingly (just to the wrong person). I find it odd that if this was fraudulent, your bank won't cover it.

Fuckers.

It's not the bank's fault, why should they cover anything? It's also possible that they hijacked a legitimate account to move the money through so never gave any of their details to the bank at all.

I'm all for banks taking responsibility when it's justified but they shouldn't be expected to pay out when it's nothing to do with them.

I'm still sympathetic to you OP, it's been expensive mistake, hopefully it will be a warning to others.

I agree that there's next to zero chance that this has anything to do with the roofers, I don't think people realise how common email interception fraud is. Where I work I know they regularly get emails trying it on, most are very easy to spot but some are pretty convincing, so much so that there are very strict rules about changing anyone's bank details. As far as I know none of the attempts have been successful but it could just be a matter what of time

I always transfer £100 to tradesman's accounts and wait until they confirm they have received it before transferring the rest. It is mainly to guard against me typing in the wrong number but would avoid this as well.

A woman local to us lost £77k like this when a scam email from what looked like her solicitor sent her alternative bank details to send the deposit to for a house purchase. She never got the money back.
You may just have to suck it up and put it down to bitter experience

SandyDenny: I do not think it is the banks fault but I do think when a crime has been committed they should be forthcoming with the individual account to the police as it is being used for fraudulent activity.

HeinzBeinzMeainz: that is just awful. I hate thieves.

Beanzmeanzheinz I mean

@helpfulperson I always transfer £100 to tradesman's accounts and wait until they confirm they have received it before transferring the rest. It is mainly to guard against me typing in the wrong number but would avoid this as well.

You're generous. I usually only send £1 as the test!

For what it's worth OP I agree with you. Just to confirm: at the point at which you made payment, the contractors knew about the security breach and hadn't notified you? What sort of time gap was there? if we're talking about a significant time (not just a few days/hours) then yes I'd argue they had a right to notify you and may have failed in their duty of care to you by not doing so.

If we're talking about a short period between them being notified and you paying it's a different case. They are (in my mind) allowed a period of time to run around going 'what on earth is going on'. However, if (for example) they had known for weeks or a month I'd be strongly arguing that they contributed to the loss.

That is qualified by me saying I haven't looked at the law on this really and so can't say for certain that they had any duty of care to report the security breach to you in the first place, but I'd certainly be arguing the point very strongly if it were me.

they had a duty* to notify you

Doesn't mean there has been a security breach of the roofers, and also someone said it's very very likely to be an inside job it's really not. I read about these every single day. They know how and who to prey on.

And to everyone saying "it's not the roofers' fault", the issue is that someone has to bear this loss (assuming that the money isn't recouped from the criminal, which it won't be). The roofers (potentially) had the power to stop the loss being incurred in the first place.

It sounds far more likely to be a data loss at the roofers end despite what other posters say. You received two invoices, identical apart from the bank details.

If your email was hacked, it would mean someone got extremely lucky, found an invoice and managed to download it, alter it, and resend from a spoofed email address before you noticed.

Far more likely that someone has got hold of the roofers' template and has knowledge of the invoices sent out.

I am assuming that, when you say invoice, it was sent as a letterheaded pdf rather than an email saying 'you owe £x'.

You could try going to the information commissioner reporting a data breach - they scammer had to get your name, address, email and amount owing from somewhere.

Email 'interception' in transit is actually quite hard - compromise of the sending/receiving PC or a company email server is one route. Most of these scams work as a mass mailing and a recipient 'bites' because they happen to receive a mail at the time they are expecting a mail.

These are more successful when the 'company' referenced in the email has many customers Eg a utility or council. More recently there have been mails pretending to come from a scanner - targeting people who have scanners that send a scan by email.

If the recipient Pc is compromised it demands quite a lot of time from the scammer, who has to monitor traffic to determine when a scam would best work - unlikely because of the effort involved - compromised Pc more likely to be used for sending scam or scraping bank details eyc

If the roofing Co mail server/office Pc is compromised then a target attack is more likely as they could identify people who might not be surprised to receive an invoice - but this wouldn't be likely to be a long running scam - almost opportunistic - also there would be no need to have /use a slightly different company name

If it was an inside job then it ought to be apparent as soon as more than a few customers are hit - unless its a large national firm

So my assumption would be its a mass mailing sent to many tens of thousands of people.

I totally agree with Frankiestien above -" So my assumption would be its a mass mailing sent to many tens of thousands of people."

I get emails asking me to pay fencing companies, accountants etc that I've never dealt with. They rely on catching someone at the right time, that's all.