Do you really know where that invoice has come from?

In case you missed last month’s show, and because you really can’t afford not to know about this new-ish scam, we’re returning to the havoc fraudsters are causing by hacking into companies’ email accounts and changing the banking details on invoices to their own. Colette Baris wrote to Consumerwatch last week to tell us of her almost-loss at the hands of the email hackers.

She’d signed an agreement to buy a house and was expecting a call from the conveyancing attorneys to be appointed by the sellers, so she could pay the R450,000 deposit into their trust account, pending transfer of the property.

Then the call came, from that conveyancing firm, but the conversation didn’t go as she was expecting… “She said she had emailed the paperwork to my work email address which was the correct email address, but I didn’t receive that mail at all, so the fraudsters must have intercepted that one.

“And then the woman in the conveyancer’s office received an email from a Gmail address, in my name - not my actual address - with the exact details of the property, payment structure; everything there, signed by myself, asking her to please resend all the paperwork to my personal email address. So she did that, but afterwards, she phoned me to say that as a precaution, she'd added a password onto the correspondence and she wanted to give me the password so I could open it.

“And that’s how we found out about the hacking.”

That conveyancing practice’s employee was right to be cautious - this scam is so prevalent among conveyancers that in July 2016, the Attorneys Insurance Indemnity Fund (AIIF) - a non-profit company established by the Attorneys Fidelity Fund (AFF) to provide a level of professional indemnity insurance to all practicing attorneys in South Africa - excluded cybercrime from the cover.

Conveyancers have been warned of the scam and advised on the precautions to take, many times on many platforms by professional bodies.

And yet in the year after the AFF excluded cybercrime from cover, more than 50 cybercrime-related claims were submitted, with a total value of more than R25-million. All were rejected.

Conveyancing attorneys are a favourite target for the fraudsters because large sums of money move into and out of their accounts - the property buyers put the money in, and then when the transfer goes through, they transfer the proceeds of the sale to the sellers.

And both the buyers and the sellers are falling victim to the scam. Having hacked into the conveyancing attorney’s email account, the fraudsters intercept emails and attempt to trick buyers, such as Colette, into paying their money into the fraudsters’ account. On the other side of the transaction, they trick the attorneys into paying the proceeds of the sale not to the sellers but into the fraudsters’ bank account.

Thankfully, in Colette’s case, that call she received from the conveyancing attorney on a Friday morning earlier this month saved her.

Because when she received an email from “the conveyancers” on Monday, it didn’t ring true.

“It came from their exact address, but it was a very formal email asking me when I would be paying the deposit and asking whether they needed to confirm the banking account details. On Friday the real conveyancer and I had already confirmed the details about five times and we were on a first name basis, so I knew something was off.

“I phoned the offices again and found out the email hadn’t come from my contact, even though it had come from her mailbox. And then they investigated and found that their server had been hacked…”

Had it not been for the call from the conveyancer - the real one - a few days earlier, Colette would have paid her R450,000 into the fraudster’s bank account.

You may be reading this thinking that you have nothing to worry about because you’re not about to buy or sell any kind of property, but anyone who makes or could make an EFT payment using bank details contained in an emailed invoice is at considerable risk of paying their money to fraudsters instead.

The scammers get the email addresses of all sorts of companies which routinely email invoices to their customers for payment. They then hack that email account, intercept an invoice-containing email to the client, change the bank details to those of their own account, and then email the client, who unwittingly pays the fraudster and not the company they owe the money to.

When Colette was speaking about her lucky escape, a colleague told her how he fell for the scam when he asked a company for a quote to pave his driveway. When he emailed back to ask for a cheaper quote, enter the fraudsters…

Using the genuine paving company’s email address, they responded to him, saying, ‘Not a problem, we can reduce our price by so much, but if you then agree to pay a 70% deposit instead of 50% deposit…’ And of course they inserted their own bank details.

“He paid them R22,000, and it was only when he called the paving company a few weeks later to ask when they intended to start his job that he realised he’d been caught,” Colette said.

Many ask why the banks can’t “get the money back” for victims of this scam. Well, the only way you can get any information from a bank about a beneficiary account holder is to obtain a subpoena, in terms of the Criminal Procedure Act, ordering the bank to release the information on the account.

But there’s really no point in doing that because the fraudster would have opened the account with a fraudulent ID and proof of address.

What we can do is be wise to the scam, spread the word, and be vigilant.

When you receive an invoice via email, call the company on an independently-sourced contact number - not the one on the potentially compromised invoice - in order to check the banking details. If that means waiting until the next day or Monday morning, it’s worth it.

And companies:

Get a professional company to set up and configure your router. DIY is risky.

Let current and new clients know that your banking details will never change, and advise them to phone and double-check the details before paying.

Consider leaving your banking details off invoices and asking clients to call you for that information instead.

For more info and consumer advice, follow Wendy Knowler on Facebook here, or visit her website.
