Anonymous
Share this content
20

Emails hacked

Am I liable?

Didn't find your answer?

Search AccountingWEB

My email account was hacked on 15th July.

fraudsters from South Africa got into my office 365 account and sent out several emails and one client that I know about paid £30k to the fraudsters account. It wasn’t fees, they asked me a question about receiving money into a personal account rather than their business account, and I said to transfer it into their business account. The fraudsters intercepted my email chain and persuaded them to send it to my “trust account” which was of course fraudulent.

 

ive contacted...

the bank that had the money, hsbc in Sheffield 

the police

my pii insurers

my public liability insurers 

 

the client is holding me liable, on the basis that my account was hacked.

my password was high security, upper and lower case, numbers and a symbol 

 

any advice about bout what I should do?

Replies (20)

Please login or register to join the discussion.

avatar
By SXGuy
19th Jul 2019 07:16

Sounds to me like someone obtained your password somewhere else as opposed to decyphering it.

Thanks (0)
Psycho
By Wilson Philips
19th Jul 2019 08:23

Is the bogus email in your sent items?

if not, have you checked the headers on the email to check that it actually came from your account?

I ask because my wife had a similar case with a client receiving an email apparently from her asking an unpaid invoice to be paid to a different account. It turned out that it was the client’s email account that had been compromised.

Thanks (1)
Replying to Wilson Philips:
Caroline
By accountantccole
19th Jul 2019 08:20

I've seen similar - emails that looked like they were from my old firm but from email sub codes we didn't have.

Thanks (0)
Psycho
By Wilson Philips
19th Jul 2019 10:40

Another point - if your email password is strong it’s unlikely that anyone has specifically hacked your email account - more likely that your computer has been compromised by a keylogger or other trojan. I’d still think it more likely the attack was elsewhere.

But you say the hackers were from South Africa - how do you know? If they’ve been “identified” (and you can therefore prove you weren’t responsible) you shouldn’t be liable. Your client is just as responsible, having failed to check first before transferring money at “your” request.

Thanks (1)
By ireallyshouldknowthisbut
19th Jul 2019 09:33

I would certainly get your computers looked over by an IT expert to establish the facts, and see if you can obtain the emails your client received to establish if they did come from your account or not.

Then its lawyer/insurers time.

Clearly you lost the client, so just be polite to them, don't admit any liability, and say your insurers will sort it out, and bend over backwards on the exit.

Thanks (1)
avatar
By paul.benny
19th Jul 2019 09:33

I’m not clear from the OP what the stolen funds are. If they’re not fees, why would they be going to your bank? Is it possible that this is a scam to try and get you to pay up for a non-existent loss?

Thanks (1)
Img
By MissAccounting
19th Jul 2019 09:38

Something seems a bit off with this story if you ask me...

Thanks (1)
avatar
By johnhemming
19th Jul 2019 09:54

Its an interesting question because it goes into the question of liability for a situation in which
a) A client trusts something from a fraudster
b) Microsoft's email system is compromised
c) It is your client and your email account that was used or spoofed in some way.

I once had a discussion with the UK parliamentary authorities about the use of I think it was Microsoft's emails system pointing out that this put the UK parliamentary emails into the jurisdiction of the USA judicial system (particularly the FISA courts). Their response was that Microsoft's security was that much higher than they could achieve that this was a good idea.

I think the underlying question is one of accepting emails as giving sufficiently reliable information as to ensure that an email conversation alone (without a separate phone call or the like) is sufficient to indicate where funds should go.

In terms of the relationship with the client a lot depends upon how important the client is as it can be worth accepting responsibility for something that isn't really your fault in some circumstances. It also depends upon the insurance position.

If you get the original emails and email the original source to me (with all the headers) I would be happy to see what I can tell you about them. ([email protected])

Emails that use TLS (like https for email) normally have a tracking record. You can also find out which servers have passed the emails through.

Thanks (1)
avatar
By 356B
19th Jul 2019 11:14

This is the same as the "solicitors scam", and in each case the liability rests with the person making the payment. It's their money and their responsibility to ensure that the funds go to the correct recipient. For the price of a phone call...........

Thanks (4)
avatar
By Lisa R
19th Jul 2019 11:52

We have a contact who sells our products and we sometimes sell his, we often email each other with invoices for the relevant fees and sometimes pay 50% each on other joint ventures. I recently received an email from him with an attached invoice asking to pay another company for consultancy fees, it was addressed to me by name as he would've done and quite chatty so someone had seen conversations between us. After getting two of our IT guys to check it over, there was no sign anywhere that it had come from any email account other than his own. But of course no sign of it in his sent folder!

Thanks (1)
Replying to Lisa R:
avatar
By Vaughan Blake1
19th Jul 2019 13:06

These are getting scary. As a treasurer to a smallish trust, I have twice received emails allegedly from the chairman instructing me to urgently pay invoices. The email advises that she would be in a meeting and cannot take my call, but to make the payments ASAP. The tone of the email was exactly the same as she would have used.

The scam followed shortly after I had sent an email to the chairman asking her if it was OK to pay a solicitor's fee.

Thanks (2)
avatar
By SXGuy
19th Jul 2019 17:49

Your client needs to view the source of the email and check the message headers. It may appear to be from you but the message header will show it originated from a different mail exchange. That will prove its not your issue.

Thanks (1)
avatar
By David Gordon FCCA
23rd Jul 2019 11:17

This is a real ongoing risk.
members of the SPA will recall that the issue of PI insurance re digital matters was raised at the last and previous AGM.
In this case the horse has already bolted. So, it should be up to the PI insurers to advise.
I cover this likelihood in my
1)"Letter of engagement with terms of trade"
2) My discussions with my office insurer.
It is not an "If" it is a when. I lost £1,750 last February. We do not know how they did it, but "They" did it.
It is similar to burglars. None of us have funds sufficient for installing top security. Nevertheless we can make it too bothersome for all but the most determined villain to persist.
I do not use the Cloud, and I turn my 4 PC & server system off out of working hours.
Perhaps this is because I have senior IT professionals for caring close relatives.

Thanks (1)
avatar
By paulwakefield1
23rd Jul 2019 11:27

I've seen similar where the agent for a regular supplier notified a change of bank details. The email was part of a genuine email trail and so looked completely convincing (headers, the lot). It cost the agent's insurer quite a lot I think.

(Client has since changed their procedures and no-one is ever paid without verbal confirmation of the bank details from a known contact). I have advised all clients to do the same.

Thanks (1)
avatar
By johnjenkins
23rd Jul 2019 11:36

Unfortunately these days hackers can clone your phone and take snapshots of anything, especially bank apps. This could be an N24 or N26 fraud (the sort code that the money goes to is in South Africa. Hackers will also have the facility to make their phone call or e-mail look like it's come from a bank or other company.
the good news is that banks have recently decided that if it is a genuine scam and you have done your best, including early reporting, then they will reimburse.

Thanks (1)
avatar
By johnjenkins
23rd Jul 2019 11:37

One more thing. If you have internet, then the junction outside the house can be compromised.

Thanks (1)
Replying to johnjenkins:
avatar
By johnhemming
23rd Jul 2019 15:25

Which is why you need fully certificated tls for http (web) and smtp (email)

Thanks (1)
avatar
By [email protected]
23rd Jul 2019 12:12

Oh Dear - the old "pay this into another account" scam is all too common. Often in the form of "urgent payment...", "secret project..."

These people are sophisticated fraudsters and your email may not have been compromised at all.

Also changing the bank details is a common form of fraud

The client should have confirmed the bank account for the sake of a phone call!

As others have suggested - obtain a copy of the original email they acted upon and give all info to the banks, police etc. Unfortunately the chances of actually getting the money back at this stage are slim at best.

Thanks (1)
avatar
By NathanaelRicketts
24th Jul 2019 16:31

You could also enable Multi Factor Authentication for Microsoft 365 to further secure your account and look into getting a password manager such as LastPass or RoboForm.

Hopefully @johnhemmings was able to identify that the email your client received was spoofed rather than being sent from your account.

Thanks (0)
Elliott Chandler Picture
By elliottchandler
24th Jul 2019 20:34

I see this on a regular basis. With Office 365 often just relying on a password for protection. Someone has already mentioned multi factor authentication. Other measures can be implemented such as a DMARC to prevent email impersonation and with DKIM emails cannot be interfered with.
Under GDPR there is a great emphasis on the data processor to put all necessary measures in place so it really is about doing more and more.

Thanks (0)
Share this content