Skip to content
Naked Security Naked Security

Email crooks swindle woman out of $150K from home sale

She sent her bank account details three times, she said. Unfortunately, they wound up in crooks' hands, and her money wound up in their pockets.

In 2014, when Mireille Appert’s uncle died, he left her his house.

After four years of managing the house in Queensland, Australia from her own home in the US, she couldn’t afford it anymore.

As her uncle knew, she loves Australia, she told the Chronicle, but not the fees and the expensive intercontinental slogging:

I wasn’t able to afford a vacation home in Australia anymore. Flights, maintenance, rates, electricity. A lot of fees to pay, for not being able to enjoy my house as much as I wanted.

So Appert, 67, decided to sell. She got a local law firm, KF Solicitors, to help with the $148,554.11 sale. That was on 1 July 2018.

What followed was a flurry of back and forth emailing of legal documents, including Appert’s bank account details, which she says she sent… three times.

Six months later, she still hasn’t seen a dime of that money.

Unfortunately, somebody else has: it looks like it wound up in the pocket of an email fraudster who inserted themselves into the exchange and tricked Appert into sending an electronically signed PDF with her bank details. The scammer(s) apparently also convinced the solicitors to deposit Appert’s money into a purported “corporate” bank account that they controlled.

Appert’s son, Alexandre Matti, told news outlets that the US Secret Service is investigating and that he believes the wire transfer was the work of “Nigerian scammers”. But given that email scammers are found all over the globe, we’ll assume that the fraudster could have been anywhere.

At any rate, the fraudster was good at their job. Still, they made the kind of suggestion that might have raised an eyebrow, considering the size of the transfer. Namely, in an 18 July email asking for information needed to make the money transfer, they wrote:

The sellers [sic] authority just needs to be emailed back to us and not posted.

Why the need for it to be emailed, instead of being posted? Well, as it turns out, all the better to electronically rip you off, my dear.

KF Solicitors had already emailed all the necessary paperwork, and on 8 July, Appert had printed it out, signed it in front of a notary public, and sent the law firm a copy of the documents.

On 10 July, KF Solicitors confirmed that all the paperwork was in order. On that same day, Matti flew from the US to give KF Solicitors more paperwork it needed to seal the deal.

But then, on 16 July, Appert got yet another email, requesting her bank details. Unfortunately, Appert went ahead and sent the bank details on the 19th.

On the 22nd, she once more sent the same electronically signed PDF with her bank details and banking information. This time, she got a confirmation: her details had been received, it said, and a transfer would be arranged after the settlement.

Then, on the 31st, KF Solicitors emailed her, asking for her bank details. Appert replied, saying that she’d already sent the details, twice. Then, she sent her bank details a third time.

Over the next few weeks, the bank would attempt to deposit the funds into her account at least twice. The money kept bouncing back, though, the solicitors told her. On 10 August, Appert got an email with an allegedly fake wire confirmation and the wrong bank account number. KF Solicitors told Matti that they never sent confirmation of the wired funds, but that they had sent the money to an outfit called Kristal Contractors LLC.

Who in the world was Kristal Contractors?

When Appert called KF Solicitors, they told her that her money had been sent “to the corporate account.” Appert told the Daily Mail that she thinks the fraudsters sent an email to the solicitors instructing them to send her money to their “corporate name”.

Appert knew that she’d been conned. She called US police on 11 August, telling them that besides bank details, the scammers also now had a copy of her passport. On the 14th, Appert’s bank told her that the money had been siphoned out of her account on the 6th.

And on the 27th, KF Solicitors mailed her a copy of the first wire transfer. It had Appert’s name on it, but the bank account wasn’t hers.

Appert has been left broke, and, as she told the Chronicle, she feels like nobody cares. She had received a copy of the first wire transfer, which had bounced, on 27 August. If she’d gotten that confirmation of a wire transfer with the wrong account number earlier in the month, “none of this would have happened,” she said.

From a letter she wrote to the law firm:

Your office got paid, the real estate agent got paid, the buyer has a house, and I’m here without any help and with no money. I sold a house, I didn’t get paid, and I feel like nobody cares.

As it is, she said, nobody from KF Solicitors had called to confirm her banking details:

It’s because you sent the money to that company that my bank can’t do anything for me because I’m not connected to this account or company.

For its part, KF Solicitors allegedly tried to put a hold on the wire transfer.

Matti told news outlets that his mother should have money in her account by now, but instead she’s financially strapped:

The worst and most difficult [thing] right now for her is knowing that she should have approximately $150,000 in her bank account, but instead, she tries to deal every day with debt collectors and financial struggle.

Was it BEC?

There aren’t a lot of details about this case beyond what Appert relates. But more than anything, it sounds like business email compromise (BEC): a crime that’s a bit like phishing but without the fake website. Fraudsters contact employees, generally at small companies, often through spoofed email addresses but also by phone, and then impersonate trustworthy business contacts, be they suppliers or customers. In this case, the “corporate account” with Kristal Contractors LLC was likely the purportedly trustworthy business party.

As we noted in June, when the FBI arrested 74 in a global BEC takedown, victims tend to be small companies without many financial checks. Also, they can be individuals conducting high-value transactions – for example, people like Appert who are buying or selling houses.

The scammers succeed by compromising legitimate email accounts through social engineering or malware that steals account credentials.

Then, the fraudsters use access to email accounts to gather intelligence such as information about billing and invoices so they can forge documents convincingly enough to fool employees who send transfer payments.

BEC is highly profitable, and it’s growing more so. Between 2013 and 2015, losses to email scams reported to the FBI’s Internet Crime Complaint Center (IC3) totaled $1.2 billion. That right there is nothing to cough at, but three years later it had more than tripled, ballooning to $3.7 billion… and that only takes into account losses reported in the US.

Did Appert get swindled by Nigerian scammers? Maybe. Then again, they could have been Nigerian, Canadian, Polish or Mauritian – all countries represented in that BEC takedown from June. After all, these scams tend to rely on networks of money mules, and those members of the criminal supply chain can be anywhere.

Maybe it doesn’t matter to Appert whether it was a Nigerian prince or a BEC network that swindled her $150K. Her money is probably gone for good.

But it should matter to anybody working at a business responsible for securing transfers of large sums of money. The defense? Better protection of email servers, better training so employees don’t get phished, beefed-up protocols for checking payments, and, of course, as much help as possible from law enforcement in cracking whoever’s behind these lucrative scams.

6 Comments

Never transfer a large amount of money without doing a small transaction first. Then get confirmation from the recipient of the funds – speak to them , don’t rely on an email !

Better not use email at all for conveying financial information such as account numbers. But if you must, start by sending a single $1, £1, etc. and checking its receipt by any means other than email.

That’s so sad.
Never, ever, put FI account info in an Email. (if its hacked later, your data is still there) If the corresponding company doesn’t have a verifiable encrypted portal, don’t do digital.

“… they made the kind of punctuation/usage mistake that might have raised an eyebrow …”

A single missing apostrophe? Somebody’s obviously never corresponded with *real* solicitors! :)

I tweaked the text a bit to avoid giving the impression that we think the missing apostrophe ought to have been warning enough on its own… as the following sentence suggests, there’s also the fact that the email suddenly insisted that the document should *not* be snail-mailed. (The crooks wouldn’t have been able to intercept a document sent via Australia Post.)

The poor English is indeed a bit of a hint – the missing apostrophe and the curious use of “just” – but there’s more to it than that. It’s the overall flavour of the request that might raise those eyebrows.

As we’ve often said, grammatical correctness and correct spelling aren’t enough on their own to give a message a clean bill of health, but the presence of *any* imprecision, misspelling, unusual usage, unreasonableness or peculiarity is a good reason to ramp up your caution. Stop. Think. Connect.

Which methods, in place of email, would you recommend for securely sharing important documents? Uploading them to a cloud service like Dropbox or Google Drive and then share the link via Whatsapp?

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?