
Another company's email got hacked and sent out false IBAN details

  • 17-04-2024 8:09pm
    #1
    Registered Users, Registered Users 2 Posts: 1,435 ✭✭✭


    As the title suggests, I have been dealing with a Ltd. company and pay them by bank transfer.

    The director sent an email to change the IBAN, which I did, and I emailed them proof of transfer of monies and they confirmed receipt.

    The company then contacted me a few weeks later looking for payment; after a quick investigation on their side it turns out that their email had been hacked and the hackers had intercepted my mail confirming receipt. They more or less told me it was my own fault.

    I tried a credit recall, which did not work, and contacted the Gardaí. I have been informed by the investigating officer that the company did admit to getting hacked, and the Gardaí have lodged the incident with the bank, but hopes are fading.

    I have all the emails from the company and all the email headers check out to be from the legitimate company. Any advice on where I go from here?


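The original poster notes that all the email headers check out. That is exactly what you would expect when the sender's real mailbox has been taken over: SPF, DKIM and DMARC authenticate the sending domain, not the person typing the message. As an added illustration (not part of the thread, and not any real mail product's rule), the following Python triage function reads the Authentication-Results header of a constructed sample message, confirms that every check passes, and still holds the message for out-of-band verification because the body asks for payment to a new IBAN. The domain names, addresses, invoice number and IBAN are all constructed examples.

```python
import email
import re
from email import policy

# Constructed sample message (not a real email): every authentication check
# passes, which is what mail from a genuinely compromised mailbox looks like.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=supplier.example;
 dkim=pass header.d=supplier.example;
 dmarc=pass header.from=supplier.example
From: Director <director@supplier.example>
To: accounts@customer.example
Subject: Updated bank details for invoice 1042
Content-Type: text/plain; charset=utf-8

Hi, we have changed bank. Please pay the outstanding invoice to our new IBAN
IE29 AIBK 9311 5212 3456 78 and let me know when the transfer is done.
"""

# Constructed benign message from the same sender, for comparison.
BENIGN_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
From: Director <director@supplier.example>
To: accounts@customer.example
Subject: Delivery date for order 1042
Content-Type: text/plain; charset=utf-8

Hi, the goods will ship on Friday as agreed.
"""

# Loose IBAN shape: country code, two check digits, then 4-character groups.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}\s?[A-Z0-9]{1,4}\b")

# Phrases that indicate a request to change where money is sent.
CHANGE_PHRASES = ("new iban", "changed bank", "new bank", "updated bank",
                  "new account", "change of bank")


def authentication_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)}


def triage(raw_message):
    """Decide whether a message needs out-of-band verification before any payment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = authentication_results(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()

    ibans = [m.replace(" ", "") for m in IBAN_RE.findall(body)]
    payment_change = bool(ibans) or any(p in text for p in CHANGE_PHRASES)
    return {
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "ibans": ibans,
        "payment_change": payment_change,
        # Passing authentication does not clear the message: the decision is
        # driven by the content, and the verification happens on the phone.
        "action": ("HOLD: confirm by outgoing call to a trusted number"
                   if payment_change else "no payment-detail change detected"),
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(raw))
```

The point of the `auth_all_pass` field is that it is reported but never used to lower the decision: a message that passes everything and asks for a bank change is held just the same as one that fails.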

Comments

  • Registered Users, Registered Users 2 Posts: 2,114 ✭✭✭ItHurtsWhenIP


    You can't do anything about that company, or any other company's set-up, but you can put in place a simple process to verify banking details to protect yourself in future. As you have discovered, the compromise occurred on that company's email, which is incredibly common these days. So never trust anything you see in an email.

    When setting up a new payee and they send you their IBAN, make an outgoing call to the company on a trusted number, perhaps from their website or if it's a number you have already been using. Don't use a number that is quoted in the email or from a phone call you have received. You call them and speak to their accounts or admin person and get them to read their IBAN back to you. This will give you as much assurance as possible that all is well.

    If you receive an email advising of a changed bank account, or a new invoice with different IBAN details, do the same check. Make an outgoing call to the company on a trusted number and get them to read back the new IBAN to you.

    Finally, if you haven't already done so, be sure to protect your own email account(s) by turning on two-factor authentication, using an authenticator app (Google Authenticator or Microsoft Authenticator). With that in place, you would not be at risk of falling victim to the same "hack".

    The reason for the emphasis on an outgoing call is that phone numbers can easily be spoofed/impersonated. I would say that if you receive a call giving you instructions to do things like change banking details, then you need to first hang up and call them back on a trusted number so you can verify the instructions.

    Here's a well-known video that shows spoofing in action:



  • Registered Users, Registered Users 2 Posts: 1,435 ✭✭✭Big Lar


    Thanks for the info, but would they not have a legal obligation to ensure the security of their email and that their directors take reasonable care? GDPR, the Companies Act, that sort of thing. I don't mind getting a solicitor on this, but where I am caught is getting the right solicitor that knows about the law.



  • Registered Users, Registered Users 2 Posts: 1,547 ✭✭✭KildareP


    What are you hoping for?

    Yes, there is a responsibility to secure your business communication means, but no system is 100% bulletproof. Email is incredibly easy to spoof and manipulate, just as all these spam calls show the caller ID of some poor, completely unaware bod.

    On the contrary, information security isn't just under the remit of IT; it involves anyone who deals with information, and modern good accounting practice is as posted above: you verify changes of payment information via a second, trusted mechanism.

    Blindly paying over sums of money to an unknown and unverified bank account based on a supposedly legit email completely out of the blue is not good accounting practice, which is what it appears you did. It'd be no different to acting on a random phone call or handing cash out to some lad at your door demanding payment on their behalf.

    You can argue the merits of who should have done what and who bears responsibility - if someone pulls out in front of my car and I make no attempt to avoid a collision that does not mean they are 100% at fault regardless.

    You are both victims of fraud and both out of pocket, in effect. If not already, get the Gardaí involved and go from there.

    I'm not sure suing or getting solicitors involved is going to get you anywhere other than further out of pocket.

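ItHurtsWhenIP and KildareP both describe the same control: hold any change of payment details until it has been confirmed by an outgoing call to a number captured independently of the email. As an added example (not code from the thread, nor from any accounting package), this Python sketch models that control as a payee registry: an IBAN change received by email sits in a pending state, payments continue to go to the previously verified account, and the change is applied only when the callback was made to the stored trusted number and the payee reads the new IBAN back. The company name, phone numbers and IBANs are constructed placeholders. The mod-97 checksum only catches typos; a fraudster's correctly formed account number passes it, which is why the callback is the real check.

```python
from dataclasses import dataclass
from typing import Optional


def normalise(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check. Catches transposed or mistyped characters only:
    a fraudster's own, correctly formed IBAN passes this check."""
    s = normalise(iban)
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    if not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]                              # country code + check digits to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


@dataclass
class Payee:
    name: str
    iban: str                        # the only account money may be sent to
    trusted_phone: str               # captured at onboarding, never from a later email or call
    pending_iban: Optional[str] = None
    pending_source: Optional[str] = None


class PayeeRegistry:
    """Bank-detail changes are held until confirmed on an outgoing call."""

    def __init__(self):
        self._payees = {}
        self.log = []

    def onboard(self, name, iban, trusted_phone):
        if not iban_valid(iban):
            raise ValueError(f"malformed IBAN for {name}")
        self._payees[name] = Payee(name, normalise(iban), trusted_phone)

    def request_change(self, name, new_iban, source):
        """Record a change received by email (or any inbound channel). Not applied yet."""
        p = self._payees[name]
        if not iban_valid(new_iban):
            raise ValueError(f"malformed IBAN in change request for {name}")
        p.pending_iban, p.pending_source = normalise(new_iban), source
        self.log.append(f"HOLD {name}: change to {p.pending_iban} received via {source}")
        return "pending"

    def confirm_change(self, name, phone_dialled, iban_read_back):
        """Apply the pending change only if we dialled the stored trusted number
        and the payee read back exactly the IBAN we were asked to switch to."""
        p = self._payees[name]
        if p.pending_iban is None:
            return "no pending change"
        if phone_dialled != p.trusted_phone:
            # A number taken from the email or from an inbound call does not count.
            self.log.append(f"REJECT {name}: callback was not to the trusted number")
            return "rejected: number not trusted"
        if normalise(iban_read_back) != p.pending_iban:
            # The payee does not recognise the new account: treat the request as fraud.
            self.log.append(f"FRAUD? {name}: payee denied IBAN received via {p.pending_source}")
            p.pending_iban = p.pending_source = None
            return "rejected: read-back mismatch"
        p.iban, p.pending_iban, p.pending_source = p.pending_iban, None, None
        self.log.append(f"APPLIED {name}: new IBAN confirmed by callback")
        return "applied"

    def account_for_payment(self, name):
        """Payments always go to the verified IBAN, never to a pending one."""
        return self._payees[name].iban


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: an emailed IBAN change.
    reg = PayeeRegistry()
    reg.onboard("Supplier Ltd", "IE29 AIBK 9311 5212 3456 78", "+353 1 000 0000")
    print(reg.request_change("Supplier Ltd", "GB82 WEST 1234 5698 7654 32",
                             "email from director@supplier.example"))
    print("pay to:", reg.account_for_payment("Supplier Ltd"))   # still the old account
    print(reg.confirm_change("Supplier Ltd", "+353 1 000 0000", "IE29 AIBK 9311 5212 3456 78"))
    print("\n".join(reg.log))
```

The read-back mismatch branch is the interesting one for this thread: when the accounts person at the supplier reads out the old IBAN, the registry drops the pending change and logs it as suspected fraud, which is the moment the supplier learns their mailbox is compromised and the customer avoids the loss.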


  • Registered Users, Registered Users 2 Posts: 1,435 ✭✭✭Big Lar


    Email was not spoofed, company has freely admitted to being hacked.

    I could contact the family solicitor but I am unsure that they would have the expertise or experience so I am really looking for someone to point me in the right direction.



  • Registered Users, Registered Users 2 Posts: 2,114 ✭✭✭ItHurtsWhenIP


    From a GDPR perspective, the other company will probably have to have reported a data breach to the DPC, and if an investigation gets carried out, they will likely have some sanction imposed on them.

    There was an email account compromise decision made back in 2020 where a healthcare company was fined €100,000 for a failure to have appropriate measures in place to protect their systems. Now in this case, there was very sensitive data exposed.

    https://www.dataprotection.ie/sites/default/files/uploads/2023-01/VIEC%20IN-21-2-5_summary_EN_.pdf

    Whether you like it or not, the data breach that occurred at this other company does not sound very significant. But an investigation would find out exactly what personal data was at risk.

    I would suggest the only legal matter you need to concern yourself with is whether that company will try to pursue you for payment on the invoice. I'm not a lawyer, but I would think their best option would be to not do so, as it was their failure to secure their systems that led you to make the payment. Technically @KildareP is correct, in that you should have also taken due care in verifying the change, but I don't believe that is a standard accounting practice yet (#accountants, please correct me if I'm wrong).

    I don't think you should spend any time pursuing any sort of GDPR complaint. The amount of your personal data exposed by the "hack" is probably not significant.



  • Registered Users, Registered Users 2 Posts: 1,435 ✭✭✭Big Lar


    The company won't pursue the invoice as I haven't received the goods.

    Thanks for the answers anyways.



  • Registered Users, Registered Users 2 Posts: 6,217 ✭✭✭TheIrishGrover


    As per @ItHurtsWhenIP's post above, it's always best to be a bit paranoid when it comes to email/phone calls. Even if they weren't hacked, email spoofing is about the easiest method of getting customer details. Gone are the days of people falling for Nigerian Princes or Spanish Lotteries. Spoofing/phishing mails these days can be extremely convincing.

    Always contact a company in situations like this via a number you trust (as stated, either on their site or in previous communication from them, as even the site may be compromised: a statement letter, phone number on credit card etc.).

    My credit card company recently rang me about unusual transactions (which were actually fine) and I told them I would call them. They understood my concern about answering info on the phone.

    As for your situation, the company will possibly be fined (especially if it is deemed that the company was lax in security) but won't be forced to pay people back, unfortunately. You would have to rely on getting money back from your card/bank, and good call on going to the Gardaí as this would be required to initiate a claimback.

    In general, when it comes to money online, paranoia is good: enable multi-factor authentication on your personal mail and card applications. If a company contacts you about payment issues/details, tell them you will call them via details you trust. They will understand and appreciate your diligence.

    If you have been a victim, or feel you may have accidentally given details, report it immediately to the company and cops. I know people who felt embarrassed that they may have fallen for a scam and didn't tell people. These scams are very convincing and clever: Timing tax scams in spring when many people get their P60s and "Hey, wouldn't it be nice to claim this 3 grand tax back and pay for summer holiday for family" or DPD/An Post scams about parcels around Christmas.


