By Praveen Kannan and Anna Strokolyst The Hotspot Shield team believes the internet should be open and secure …
Mireille Appert, 67, inherited her uncle’s home in Queensland, Australia. At first, she used her inheritance as a vacation home, but after a few years, it became too costly to manage from her home base in the United States. So, she decided to sell.
On July 1, 2018, her house sold for $148,554. Appert enlisted the help of a local law firm, KF Solicitors, to help with the sale. As anyone who has sold a home can attest, what follows is an avalanche of emails requesting various legal documents, bank account details, signatures, IDs, and so on.
Somehow, amidst the chaos, a cunning email scammer had inserted themselves into the email thread, stole the $148,554, and disappeared without a trace.
How it happened
Alexandre Matti, Appert’s son, is helping the U.S. Secret Service with an investigation. After six months, the short answer is that they still don’t know who was responsible or precisely how it happened.
What we do know is that the email scammer fooled Appert into sending an electronically signed PDF with her bank details. The scammer also convinced the law firm to deposit the money from the sale into a “corporate” account that they controlled called Kristal Contractors LLC.
What tends to happen in these cases, which are becoming increasingly common, is the scammers use social engineering or malware to steal legitimate email accounts from business associates at third-party companies. They then impersonate these people, insert themselves into email chains, and forge documents to intercept payments (in this case, instruct the law firm to send the payment to ‘Kristal Contractors LLC’, a company they claimed was associated with Appert).
The scam is realized once a wire transfer confirmation is sent, yet the seller never receives the money. By this point, the scammer is usually long gone.
Appert says that, in her case, she was asked numerous times to send over her bank details. She didn’t think anything was off, however, other than a lack of communication between all parties. Then, when the wire transfer was made, she wasn’t given the opportunity to see the confirmation note and confirm that the bank account number was hers. By the time she found out, it was too late to stop the wire transfer. The money was gone.
“Your office got paid, the real estate agent got paid, the buyer has a house, and I’m here without any help and with no money,” Appert wrote to the law firm, obtained by the Daily Mail. “I sold a house, I didn’t get paid, and I feel like nobody cares. It’s because you sent the money to that company that my bank can’t do anything for me because I’m not connected to this account or company.”
Appert says that nobody from KF Solicitors called to confirm her banking details before sending out the transfer. The law firm took the scammer at face value—the email address was from a legitimate third party company who handle money transfers from property sales, the person at the company was real, and the scammer had all of Appert’s details. Nothing seemed amiss.
Can you stop it from happening to you?
BEC scams, like what we assume happened here, cause $3.7 billion in damages per year in the United States. To prevent them, we need improved security on email servers, employees need educating on the dangers of phishing scams, and there needs to be better oversight on payments—looking for red flags, ensuring the account details match, and so on. But to some degree, you’re at the mercy of the people you’re working with.
In Appert’s case, people missed the signs, policies were lax, and before anyone noticed, the money was gone. Appert, in all likelihood, will not see a dime from the sale of her home in Australia.
“The worst and most difficult [thing] right now for her is knowing that she should have approximately $150,000 in her bank account,” said Matti, Appert’s son. “But instead, she tries to deal every day with debt collectors and financial struggle.”