It was to be a poignant break for Tim Moore and his extended family. They planned to scatter his mother’s ashes on the Caribbean island of Montserrat, where she had lived for 18 years. Moore contacted a local holiday lettings agent and selected a villa to rent for the 12-day stay. But as soon as the price was agreed, a hacker intercepted the email exchange with the agent, and tricked Moore into paying $5,000 (£4,040) to a rogue account. The money was never seen again, and Moore had to stump up a second time to secure the villa through the agent.
March is the month when thousands rush to book summer holidays abroad before the best deals are bagged. It’s also the season of scams designed to siphon off travellers’ savings. Some, like fake villa websites and implausibly cheap flight offers, are well publicised and relatively easy to spot.
The email scam that caught Moore is little known, highly sophisticated and almost impossible for an unsuspecting lay person to detect. In 2021, £56.7m was lost to this kind of invoice fraud, according to the trade association, UK Finance.
The scam usually targets companies such as conveyancing solicitors and building firms, who receive large one-off payments from their customers. Criminals hack into the business email accounts, and monitor messages to see when a payment is due.
At the critical moment, when the customer is expecting to pay up, the criminals insert themselves into the email thread with an identical, or near identical, email address, and provide their own bank details, often with a pre-emptive excuse as to why they differ from the firm’s invoice. Their emails, and the customer responses, are swiftly deleted so the legitimate firm can’t see them.
Increasingly, gangs are also hijacking the email accounts of luxury travel companies to intercept customer payments. Campaign group Which? says tactics vary from hacking into an email account to spoofing a legitimate email address.
“Sadly, we’ve seen cases like these in all manner of transactions, from people paying for services like building work, through to rental payments and home purchases,” says Jenny Ross, editor of Which? Money. “If an email account has been hacked it can be difficult to spot, particularly if the scammer is closely imitating the writing style of the legitimate communications you’ve received.”
People who get caught out like Moore are unlikely to get their money back. The UK refund scheme, which requires signatory banks to reimburse blameless scam victims, does not cover payments made to overseas accounts.
Moore, a travel writer and author, had chosen the lettings agent – which manages villa rentals on behalf of American owners – on the recommendation of friends on the island and had checked out its online profile.
He interrogated the agent about the spec and price of the accommodation in a lengthy email exchange. When the hacker inserted himself into the conversation, just as Moore had requested the total cost and bank details, his messages came from the agent’s email address and were written in an identical style and tone.
The fact that the beneficiary was an American bank rang no alarm bells, since the owner of the villa lived in the US.
The only clue that all was not as it seemed was when the scammer, still messaging from the agent’s email account, suddenly offered Moore a $400 discount if he paid the full cost of the booking upfront, instead of the $2,000 deposit previously agreed. Moore agreed and received a formal confirmation of his booking from the scam account.
“The offered saving presented an opportunity to cut down the cost of what was by far the most expensive foreign trip any of us have ever been on,” he says.
It was two weeks later that doubts crept in. He noticed that the villa was still being marketed for the dates he had booked. When he contacted the owner, he discovered no money had been received, and that the agent had received no further communication from him after stating the rental price.
It was then he found that the emails from the scammer had been sent from a different IP address to that of the agent and he realised he had been defrauded. His bank, Starling, declined to refund him because the payment was made to a US bank, JP Morgan Chase. “Unfortunately, this falls outside of the contingent reimbursement model (CRM) code for reimbursing scam victims,” it says. “Starling made every effort to recover the funds from the beneficiary’s bank. The beneficiary’s bank has not responded.”
JP Morgan Chase says: “When we were contacted about recovering the funds, we investigated and found that there were no funds left to return and that the account was closed.”
If Moore had been tricked into paying a UK account, he would have stood a good chance of recovering his money. Starling is signed up to the CRM code, which requires customers to be refunded if they had reasonable grounds to believe they were paying a legitimate person, and did not ignore effective warnings from their bank.
In a shake-up of the rules, the Payment Systems Regulator (PSR), which oversees UK payment systems, plans to hold the beneficiary bank jointly liable in future. The idea is to encourage all banks to work together on better fraud prevention.
However, UK authorities have no jurisdiction outside the UK and the PSR is therefore unable to extend the CRM to cover financial firms based overseas.
The only option is a track-and-trace service operated by the Swift global payments initiative, which allows the victim’s bank to stop and recall an international money transfer from the scammer’s bank. The trouble is, by the time the victim realises they have been defrauded, the funds have usually vanished and overseas banks often fail to respond.
Another option is to lodge a claim with the Financial Ombudsman Service. It can’t force an overseas bank to return the money, but it can look at whether the customer’s own bank took appropriate steps to warn the customer of possible fraud when the payment was made, and whether it made prompt and reasonable efforts to reclaim the funds.