As always scammers are staying one step ahead of bank security processes. The following happened to a friend last week, be warned, it’s simple and very clever...
My friend runs a small consultancy business and has been trading for more than ten years. Two weeks ago he received a call from an old client he had not worked for in a few years. The call was from the client’s Accounts department.
The caller was very apologetic and explained that she had made a silly mistake when paying a supplier and in a hurry had made the transfer to my friend by mistake. She blamed it on being busy and clicking the wrong payee in the online banking dropdown.
Anyway, to save her from being fired would my friend please return the money? Smelling a rat my friend’s guard went up but he was reassured when the caller advised him to actually call his bank and check that funds really had been deposited AND that the funds had cleared before he returned the payment. The caller even asked my friend to ask his bank if the payment could simply be reversed.
My friend called his bank to check and sure enough the payment had been made and the funds had cleared. The bank confirmed that if the credit had been made in error it should be returned and my friend would never be at risk of losing money since the payment had cleared and could never be recalled. Unfortunately the bank couldn’t do it but my friend was reassured that it was safe for him to return it himself.
My friend was content and so later that afternoon made a transfer to the client’s account to return the £4,700 paid in error. My friend heard nothing more until last Friday when the fraud team called him!
Turns out my friend hadn’t lost any money, the payment in had cleared and the payment out had gone leaving his account with the same balance it started with. The problem was his old client had lost more than £25k in the space of 48 hours!
Someone had managed to access the client’s online banking. The scammer knew that they wouldn’t be able to transfer money out to a “new” account without the bank sending the legitimate account owner a One Time Passcode to confirm the transfers. The scammer instead made a series of payments out of the account to existing payees knowing these would go through fine. Once the payments had all gone out the scammer then made contact with each of the companies who had received a transfer (including my friend) and got the transfer returned TO THE SCAMMER’S OWN ACCOUNT! The scammer knew the bank wouldn’t return the funds automatically so the sort code and account number of the scammer’s account was given over the phone to each recipient.
So, my friend (along with every other transfer recipient) helped move the money along to the scammer and didn’t lose a penny themselves in the process.
Word of warning then, it might be worth setting up alerts to your phone or email for any large transaction from your accounts. This poor company knew nothing until someone in the Accounts team checked the account and saw a load of transactions to old clients.