In 2014, when Mireille Appert’s uncle died, he left her his house.
After four years of managing the house in Queensland, Australia from her own home in the US, she couldn’t afford it anymore.
As her uncle knew, she loves Australia, she told the Chronicle, but not the fees and the expensive intercontinental slogging:
I wasn’t able to afford a vacation home in Australia anymore. Flights, maintenance, rates, electricity. A lot of fees to pay, for not being able to enjoy my house as much as I wanted.
So Appert, 67, decided to sell. She got a local law firm, KF Solicitors, to help with the $148,554.11 sale. That was on 1 July 2018.
What followed was a flurry of back and forth emailing of legal documents, including Appert’s bank account details, which she says she sent… three times.
Six months later, she still hasn’t seen a dime of that money.
Unfortunately, somebody else has: it looks like it wound up in the pocket of an email fraudster who inserted themselves into the exchange and tricked Appert into sending an electronically signed PDF with her bank details. The scammer(s) apparently also convinced the solicitors to deposit Appert’s money into a purported “corporate” bank account that they controlled.
Appert’s son, Alexandre Matti, told news outlets that the US Secret Service is investigating and that he believes the wire transfer was the work of “Nigerian scammers”. But given that email scammers are found all over the globe, we’ll assume that the fraudster could have been anywhere.
At any rate, the fraudster was good at their job. Still, they made the kind of punctuation/usage mistake that might have raised an eyebrow if the recipient were (rightly) on guard or even a touch paranoid about such a large transfer. Namely, in an 18 July email asking for information needed to make the money transfer, they wrote that…
The sellers [sic] authority just needs to be emailed back to us and not posted.
Why the need for it to be emailed, instead of being “posted?” Well, as it turns out, all the better to electronically rip you off, my dear.
KF Solicitors had already emailed all the necessary paperwork, and on 8 July, Appert had printed it out, signed it in front of a notary public, and sent the law firm a copy of the documents.
On 10 July, KF Solicitors confirmed that all the paperwork was in order. On that same day, Matti flew from the US to give KF Solicitors more paperwork it needed to seal the deal.
But then, on 16 July, Appert got yet another email, requesting her bank details. That’s the email that was missing the possessive apostrophe that would have better approached standard business English. Unfortunately, Appert went ahead and sent the bank details on the 19th.
On the 22nd, she once more sent the same electronically signed PDF with her bank details and banking information. This time, she got a confirmation: her details had been received, it said, and a transfer would be arranged after the settlement.
Then, on the 31st, KF Solicitors emailed her, asking for her bank details. Appert replied, saying that she’d already sent the details, twice. Then, she sent her bank details a third time.
Over the next few weeks, the bank would attempt to deposit the funds into her account at least twice. The money kept bouncing back, though, the solicitors told her. On 10 August, Appert got an email with an allegedly fake wire confirmation and the wrong bank account number. KF Solicitors told Matti that they never sent confirmation of the wired funds, but that they had sent the money to an outfit called Kristal Contractors LLC.
Who in the world was Kristal Contractors?
When Appert called KF Solicitors, they told her that her money had been sent “to the corporate account.” Appert told the Daily Mail that she thinks the fraudsters sent an email to the solicitors instructing them to send her money to their “corporate name”.
Appert knew that she’d been conned. She called US police on 11 August, telling them that besides bank details, the scammers also now had a copy of her passport. On the 14th, Appert’s bank told her that the money had been siphoned out of her account on the 6th.
And on the 27th, KF Solicitors mailed her a copy of the first wire transfer. It had Appert’s name on it, but the bank account wasn’t hers.
Appert has been left broke, and, as she told the Chronicle, she feels like nobody cares. She had received a copy of the first wire transfer, which had bounced, on 27 August. If she’d gotten that confirmation of a wire transfer with the wrong account number earlier in the month, “none of this would have happened,” she said.
From a letter she wrote to the law firm:
Your office got paid, the real estate agent got paid, the buyer has a house, and I’m here without any help and with no money. I sold a house, I didn’t get paid, and I feel like nobody cares.
As it is, she said, nobody from KF Solicitors had called to confirm her banking details:
It’s because you sent the money to that company that my bank can’t do anything for me because I’m not connected to this account or company.
For its part, KF Solicitors allegedly tried to put a hold on the wire transfer.
Matti told news outlets that his mother should have money in her account by now, but instead she’s financially strapped:
The worst and most difficult [thing] right now for her is knowing that she should have approximately $150,000 in her bank account, but instead, she tries to deal every day with debt collectors and financial struggle.
Was it BEC?
There aren’t a lot of details about this case beyond what Appert relates. But more than anything, it sounds like business email compromise (BEC): a crime that’s a bit like phishing but without the fake website. Fraudsters contact employees, generally at small companies, often through spoofed email addresses but also by phone, and then impersonate trustworthy business contacts, be they suppliers or customers. In this case, the “corporate account” with Kristal Contractors LLC was likely the purportedly trustworthy business party.
As we noted in June, when the FBI arrested 74 in a global BEC takedown, victims tend to be small companies without many financial checks. Also, they can be individuals conducting high-value transactions – for example, people like Appert who are buying or selling houses.
Then, the fraudsters use access to email accounts to gather intelligence such as information about billing and invoices so they can forge documents convincingly enough to fool employees who send transfer payments.
BEC is highly profitable, and it’s growing more so. Between 2013 and 2015, losses to email scams reported to the FBI’s Internet Crime Complaint Center (IC3) totaled $1.2 billion. That right there is nothing to cough at, but three years later it had more than tripled, ballooning to $3.7 billion… and that only takes into account losses reported in the US.
Did Appert get swindled by Nigerian scammers? Maybe. Then again, they could have been Nigerian, Canadian, Polish or Mauritian – all countries represented in that BEC takedown from June. After all, these scams tend to rely on networks of money mules, and those members of the criminal supply chain can be anywhere.
Maybe it doesn’t matter to Appert whether it was a Nigerian prince or a BEC network that swindled her $150K. Her money is probably gone for good.
But it should matter to anybody working at a business responsible for securing transfers of large sums of money. The defense? Better protection of email servers, better training so employees don’t get phished, beefed-up protocols for checking payments, and, of course, as much help as possible from law enforcement in cracking whoever’s behind these lucrative scams.
Source : Naked Security