Scumbag scammers targeting missus' conveyancing firm, need help!

Hi all,

I am looking to pick the brains of the knowledgeable folks on these boards. The missus has a conveyancing firm and some of her clients have been targeted by scammers who are intercepting email chains between the missus' conveyancing firm and her clients.

The scammers are sending the client fake emails purporting to be from her firm and trying to get clients to make payments to their bank instead.

Her firm uses a hosted outfit so security is all done at the hosted side and they say all their side is bulletproof. The hosted side have confirmed the scam emails have not come from the firm's domain and they have SPF and DKIM configured on the hosting domain and Exchange server.

The scammers are sending emails from addresses that are very slightly different from the firm's emails and some clients are not picking this difference up. It's a classic APP scam and we have warnings etc. all over letters and emails to the clients.

I have contacted the registrar for the domain of the most commonly used fake email but they don't give a toss.

As this has happened a number of times now she needs to get a cyber security firm to investigate. The regulators are saying that somehow the firm's emails must be being intercepted and we are now under pressure to investigate this.

Does anyone have any theories about how the scammers are intercepting these email chains, or can advise of any cyber security firms who could investigate this?

Grateful for any help, we are desperate!
 
If they've got hold of legitimate emails, I'd be straight away looking at changing email passwords. And check for any forwarding rules set up on the mailbox/client. I've seen passwords get breached and forwarding rules put on users' mailboxes to send messages out to scammers who then pretend to be the legit sender.

Normally the passwords are either rubbish, or someone has re-used their details from another site etc which has been compromised or fallen for a phishing attempt.
 
The most likely vector is the company's in-house IT - that gives them access to pretty much everything and is likely a softer target.
 
If it's only happening to one client then it's more likely that someone in accounts at that company got breached, and a list of suppliers sending invoices was collated along with the names of the people sending those invoices, and who they tend to be sent to.

Importantly - if someone that you do business with gets an email pretending to come from you with fake payment details on, that doesn't mean they don't still owe you the money. This also isn't 100% an IT problem - several of the companies we work with put lines in their email signatures that they would never send a notification of a change of bank details through email - it would either be attached to an invoice or it would be sent via letter, and encourage people to pick up the phone if they are concerned.
 
We had, near enough, the same situation a few months back, although luckily it was a single client rather than multiple.
We ended up doing a complete across-the-board credential change, but it became apparent fairly quickly during the top-to-bottom audit of our network that it was the client at fault rather than us, i.e. their systems getting breached, intercepted emails from our staff and then the scammer(s) sending the client emails.
They were obviously alerted to our findings but they came back with a generic "it wasn't us" response and shrugged off any further interactions :rolleyes:

Likewise, they were sending 'bank account change' emails from an email address that was formatted the same as ours, albeit from a domain (registered only a few days before the initial scam email was sent) that was similar in all but one character.
However, there were plenty of obvious mistakes in the email and a lot of contradicting information, especially around the bank we were supposedly changing to, so it was fairly obvious it wasn't official once you read through it a few times.

But as precaution, we did end up alerting all of our clients of the scam, highlighting what to look out for and reiterating how official company policies and data would be sent to them (letters not emails).

And we did try and deal with the scammers' domain name to prevent further scam emails. But even after supplying all the information we knew and obtaining an incident number, Nominet (it was a .uk domain), the registrar (Google), the scammers' email provider (Google), the bank (Metro) and (last resort) Action Fraud all didn't give two hoots about the scam or the domain, and all responded with 'computer says no' and tried to pass the buck.

@damodude - Unfortunately I can't help with third-party security firms, but as others have said, you at least want to implement a strong password policy and get all credentials changed asap as a precaution. And keep any information (scammer emails etc.) and correspondence you have with clients/third parties as it may be useful to whoever investigates/audits your IT.

But good luck, and I'd be interested in hearing if anyone knows of an official and proper solution for dealing with the domain names that get used, as even now the domain our scammers used is still live (MX records) :mad:
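The "slightly different address" problem described in the original post and in this reply is the receiving side's to spot: SPF and DKIM on the firm's own domain say nothing about mail sent from a lookalike domain the scammer registered. The following is an added example, not code from anyone in this thread, that triages the From/Reply-To headers of a raw message against the firm's domain using edit distance on the leftmost label. The firm domain and the sample messages are constructed placeholders; the Reply-To check goes slightly beyond the thread, catching a genuine From whose replies are diverted elsewhere.

```python
"""Flag lookalike sender domains in incoming mail (added example, constructed data)."""
import email
from email import policy
from email.utils import parseaddr

FIRM_DOMAIN = "smithconveyancing.co.uk"   # placeholder for the real firm domain

# Constructed sample messages: one genuine, one from a domain one letter off.
SAMPLE_GENUINE = (b"From: Jane <jane@smithconveyancing.co.uk>\r\n"
                  b"Subject: Completion funds\r\n\r\nPlease see attached.\r\n")
SAMPLE_SCAM = (b"From: Jane <jane@smithconveyancimg.co.uk>\r\n"
               b"Subject: Updated bank details\r\n\r\nPlease pay to our new account.\r\n")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Bare, lower-cased domain from a From/Reply-To header value ('' if none)."""
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_domain(domain: str, own: str = FIRM_DOMAIN, max_dist: int = 2) -> str:
    """'genuine', 'lookalike' (leftmost label within max_dist edits) or 'other'."""
    if not domain:
        return "other"
    if domain == own:
        return "genuine"
    # Compare the leftmost label only, so a .co.uk -> .com swap still matches.
    label, own_label = domain.split(".")[0], own.split(".")[0]
    if edit_distance(label, own_label) <= max_dist or own_label in label:
        return "lookalike"
    return "other"


def triage(raw: bytes) -> dict:
    """Verdict for a raw RFC 5322 message based on its From and Reply-To domains."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    verdict = classify_domain(from_dom)
    if verdict == "genuine" and reply_dom != from_dom:
        verdict = "lookalike"   # genuine From, but replies would go elsewhere
    return {"from": from_dom, "reply_to": reply_dom, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_GENUINE, SAMPLE_SCAM):
        print(triage(sample))
```

A verdict of "lookalike" is a flag for a phone call to the firm on a known number, not proof of fraud; legitimate sister domains will also trip it and belong on an allow list.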
 
With regards to a third party security company to look into this, a decent place to start looking would be something like the list of companies with CREST accreditation in the area of cyber security incident response:

https://service-selection-platform....d_companies/cyber_security_incident_response/

Probably cost a few quid to get someone in, but if there’s revenue at stake, or worse regulators involved with the threat of potential fines, could be worth the outlay...
 
The missus has a conveyancing firm and some of her clients have been targeted by scammers who are intercepting email chains between the missus conveyancing firm and her clients.

The single point of commonality here is the OP's wife with multiple clients. It therefore stands to reason that if multiple clients have been contacted, and the email provider is claiming they haven't been compromised and have logs to confirm it, then before going back to them you need to be looking at her IT, as that's the likely vector. If it was just a single client, then yes, it could be client side, but not when it's multiple clients. Either that or the OP sucks at providing facts ;)
 
Her firm uses a hosted outfit

Assuming the in-house systems aren't compromised (most likely), then for it to be going to multiple clients, the second most likely issue will be the hosted outfit.

A local solicitor got me in to look at spam being sent from his email. Nothing wrong with his PC; turns out the hosted website and email service had open relaying enabled and was using an open source SMTP server where the default password hadn't been changed.

Picked up 10 new clients that day ;)
 