Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Authorised push payment. Any advice appreciated.

  • 09-01-2025 8:20pm
    #1
    Registered Users, Registered Users 2 Posts: 66 ✭✭


    We looked for a company to install solar panels on our house last summer. We went with a recommended local installer, and we were happy with the install.

    My wife received an invoice for the work from the company, and on the same day I received an identical cloned email seemingly from the installer of the solar panels. It transpired that this email was not sent from the legitimate business. The only difference in the content of the emails were the bank details where the money was to be transferred. We subsequently both also received further emails from this person imitating the legitimate business. Neither of us suspected anything unusual at this point, and unfortunately, we paid a large amount of money to this person online to their Revolut account. From research, it seems that this is referred to as an authorised push payment.

    While speaking to the installer the day after payment was authorised, it became apparent that we had paid a scammer. We immediately rang our bank(AIB) to request that the transaction be halted, and/or money returned from the scammers Revolut account(based in the UK). I also used the chat facility on Revolut to urge them to try to stop any withdrawals for the account I sent the money to, but they insisted they couldn’t do anything except ask me to contact my own bank to make the request to return the money. We also contacted the Gardaí on the same day to report the crime. AIB informed us that, due to the fact that I had authorised the payment, that there was very little that they could do. They informed us that they could make a single request to Revolut to return any money if it was still in the scammers account. After a number of days, if I hadn’t seen any money return to my account, then there was nothing else they could do.

    The installers insist their systems have not been hacked and that our personal email accounts must have been compromised in some way. We don’t know where the truth lies, but the installers understandably are looking for payment. We have also had issues with a certain part of the installation, that is not working correctly. The installers have tried to fix it, but don’t seem to be able to, and are not returning calls in recent weeks. Part of me wonders whether this is because they have not yet received payment.

    We are just left querying how likely it would be that a scammer would have the opportunity to clone the legitimate invoice on the same day as the original was sent to my wife and identified our email addresses without finding this information by accessing the businesses records. The gardaí indicated that in their experience, a scammer was far more likely to target a business that a persons private email accounts, as a method of extracting money, but we don’t know how to proceed from here.

    We contacted a solicitor who admitted not having much experience dealing with authorised push payments, but he felt that having paid the ‘invoice’ in good faith, that the onus would be on the business in how to proceed.

    We don’t really know how to progress.

    Any advice on the matter would be greatly appreciated.



«13

Comments

  • Registered Users, Registered Users 2 Posts: 421 ✭✭_BAA_RAM_EWE


    How did the company have both of your emails?



  • Registered Users, Registered Users 2 Posts: 7,266 ✭✭✭circadian


    I'm wondering how identical the invoice was, and if it was sent on the same day that suggests a breach on their part. What are the time differences between the mails? If you sent to Revolut, then is there a phone number associated?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Thanks for the response. From the original pricing and specs of the job a couple of months before we agreed to proceed with the company. We gave both our phone numbers and email addresses as contacts.



  • Registered Users, Registered Users 2 Posts: 7,266 ✭✭✭circadian


    Surely you received the invoice upon completion of the work? Anything before then was a quote.

    Did you both get the email at the same time/close in time?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Legitimate company invoice sent to my wife's email at 1 o clock. I received the cloned email 2 hours and 15 minutes later. The other peculiar part is that the legitimate email to my wife also includes my email address as one also receiving a copy, but I only ever received the cloned invoice. The invoices are identical word for word, company logo etc. The only difference was that it was sent from the name of the individual who installed the system as opposed to the company name, and then on the invoice the payment details were different. The phone number on the main invoice was the same as the legitimate one from the company director.



  • Advertisement
  • Registered Users, Registered Users 2 Posts: 10,951 ✭✭✭✭28064212


    Look at it from the company's point of view: they sent you a legitimate invoice, and this invoice hasn't been paid. As far as they're concerned, they haven't done anything wrong, they just haven't been paid for work that they did. I'm not surprised they're not returning calls.

    You appear to be claiming that the company has done something wrong, but you're going to have a problem demonstrating that they was negligent and/or compromised. Email isn't secure. To use an analogy from the postal system, email is basically a postcard: anything written on it can be read at any point between the company and you. Trying to prove (even to the level required in a civil suit) that it was the company at fault is likely going to be extremely difficult.

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    That is correct. The work was complete when we got the the invoice. Subsequently a part is not working and the company have tried to fix it. This hasn't worked yet, but I was happy to pay at the time we received the invoice because the system was working at that time.



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    I totally understand it from the company's point of view. My heart sank when we realised what happened. I could be 100 percent responsible of course but I just wondered about the likelihood of there perhaps being a breach on their end.



  • Registered Users, Registered Users 2 Posts: 162 ✭✭paulpd


    Sounds like it could be a fraud on behalf of an employee who included their bank details.



  • Registered Users, Registered Users 2 Posts: 10,951 ✭✭✭✭28064212


    Oh it's entirely possible the breach was at their end. Your problem would be proving that

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Advertisement
  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Perhaps. My only thought was would it not be very unlikely that we would get the legitimate one and the cloned one so close together if the scammer didn't know when the invoice was going to be sent. I presume they wouldn't just keep checking our emails(if we were hacked) to see when one of us eventually got an invoice for work and then began to clone all the information.



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Sorry, I didn't use the quote function properly!

    From the original pricing and specs of the job a couple of months before we agreed to proceed with the company. We gave both our phone numbers and email addresses as contacts.



  • Registered Users, Registered Users 2 Posts: 9,608 ✭✭✭Tow


    name of the individual who installed the system

    Was this installer's name on any other email? Sounds like the installer might have sent a clone of the company invoice, with payment to their own account. They would be in a position to do so.

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    The installers own name was on the original email quote we received before we agreed to proceed with the company. I would still have had that email. From speaking to the installer numerous times, I wouldn't have had any reasons to doubt him.



  • Registered Users, Registered Users 2 Posts: 9,608 ✭✭✭Tow


    It is possible your email account is compromised. They could retrieve the email before you, delete it and send a replacement.

    What type of email system are you using?

    Is there anything interesting in the email's headers, modern email clients hide this information from users.

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Thanks for your suggestion. I use outlook, and I have not noticed anything out of the ordinary as regards my account apart from this incident. I tried to find the headers information but I don't seem to be able to spot it. I initially just presumed that one of our accounts were compromised, but the timing of it nags away at me. I just find it unlikely that someone in a 2hr and 15 minute window managed to know when to access my email and then identify that an invoice was sent, then clone the original one and adjust the payment details before deleting the original one. It could be wishful thinking on my part.



  • Registered Users, Registered Users 2 Posts: 1,830 ✭✭✭Lenar3556


    How much is involved?
    I think it more likely that whatever has occurred is on the business side rather than yours. Can you contact Microsoft and start investigating why the original email may not have reached you, and any evidence of your account being compromised?

    How long is your contact not returning calls.



  • Registered Users, Registered Users 2 Posts: 424 ✭✭DFB-D


    I think most likely the suppliers email was hacked.

    Most self hosted emails (assuming this is the case) can be hacked pretty easily as I understand it. It is possible that they had full access to read and send emails from the account. The fact that they didn't see your follow up correspondence after that and assuming the reply address was the same email from which you received the original email, is a major flag.

    Also, any email header can be spoofed, but obviously this won't allow them to read any replies you had made. While it is possible they had access to your account, it would be unusual for a hacker to focus on personal accounts for a scam like this, too much work for no gain.

    You should also report this to the data protection commission as well as the guards, there are harsh penalties for the breach but unfortunately the supplier should have had safeguards in place to prevent this from happening and it is very common. Really self hosted emails are too risky for businesses sending invoices by email.

    Some sage advice:

    Never pay an invoice without speaking to someone using the original contact number to confirm the account number for a bank transfer. Automatically distrust emails from small companies using their own emails (e.g. John@examplesolar.ie), they are constantly being breached without their knowledge.



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Over 10,000 euro. The price was competitive with quotes from a number of suppliers.

    That's a good suggestion. I'll try to see if Microsoft can shed any light on the missing email part. I'm guessing that would most likely indicate a breach on my account.

    The installer has failed to return 6 phone calls, each on separate days since the end of November.



  • Registered Users, Registered Users 2 Posts: 129 ✭✭mikehammer..


    This has happened before has it not

    I seem to recall a very similar case



  • Advertisement
  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Paying without ringing to check the details was in hindsight a critical error. I has no reason to suspect any problem. I told my wife I had received the invoice, and she said she had too, so we both just presumed it was the same one.

    I had further contact at the time with the scammer in a couple of emails to confirm that payment was made, but again nothing from the language used made me doubt its legitimacy. Thanks for the advice about the data commissioner. I'll do some research on that element too.



  • Registered Users, Registered Users 2 Posts: 129 ✭✭mikehammer..


    I think the similar case involved a solicitor who had been compromised

    Similar type issue arose a payment to a separate person



  • Registered Users, Registered Users 2 Posts: 19,041 ✭✭✭✭kippy


    You'll get no help from Microsoft.

    The sum involved here is pretty hefty. This is essentially a form of invoice fraud and it's more common than people think.

    Have you followed up with the Gardai since, has the company contacted the Gardai?

    https://www.garda.ie/en/crime/fraud/my-company-has-been-targeted-by-an-invoice-redirect-ceo-fraud-what-should-i-do-.html#:~:text=Redirect%20%2F%20CEO%20Fraud.-,What%20should%20I%20do%3F,stop%20the%20transactions%20being%20completed.

    Most of this type of thing tends to be B2B attempts and many businesses have processing place (or should have) to ensure that the payment details/change of payment details are authorised when dealing with other businesses (

    https://www.ipoi.gov.ie/en/news-events/news-categories-/announcements/misleading-invoices.html )

    And indeed there have been a number of arrests over the past few years here:

    https://www.breakingnews.ie/ireland/three-arrested-in-multimillion-invoice-fraud-probe-1047942.html

    Now, just looking at this part of your post:

    My wife received an invoice for the work from the company, and on the same day I received an identical cloned email seemingly from the installer of the solar panels. It transpired that this email was not sent from the legitimate business. The only difference in the content of the emails were the bank details where the money was to be transferred. We subsequently both also received further emails from this person imitating the legitimate business. Neither of us suspected anything unusual at this point, and unfortunately, we paid a large amount of money to this person online to their Revolut account. From research, it seems that this is referred to as an authorised push payment."

    Did you discuss with your wife why you might have gotten two seperate invoices for the same job or question why payment to a business was to their Revolut Account?

    Anyway, no matter who is at faul here - this is obviously a significant issue.

    Have you read this report:

    https://data.oireachtas.ie/ie/oireachtas/committee/dail/33/joint_committee_on_finance_public_expenditure_and_reform_and_taoiseach/reports/2024/2024-10-23_report-on-authorised-push-payment-fraud_en.pdf

    It may give some advice on how to proceed.



  • Registered Users, Registered Users 2 Posts: 8,320 ✭✭✭Oscar_Madison


    It sounds like they’re playing “who blinks first”- ie waiting on you to pay up - in the short-term, you have legitimate right to withhold funds until the work is completed to the required standard - maybe use this time to seek out a solicitor versed in this “modern” type of fraud - it’s a lot more common than what’s publicised- a lot more- so you’re not the first or last.
    I do hope you get satisfaction and you’re not out of pocket- where I’ve seen refunds, it’s where a 3rd party intervenes with the persons bank and the bank pay up “as a good will gesture”- but not guaranteed even then - this fraud is becoming common but has been around for a long time - it’s usually large organisations (invoice redirection fraud) but obviously now becoming more mainstream - if bank /revolute won’t refund maybe company will agree to reduce invoice and admit certain liability? You really need to determine did the invoice fraud happen your end or theirs? They are unlikely to admit anything their end so maybe a computer specialist might provide a view on it? Obviously that will cost money too but if you can show it wasn’t your systems doing, it kindof places the ball back in the company’s court somewhat



  • Registered Users, Registered Users 2 Posts: 2,837 ✭✭✭wandererz


    Interested to find out if it was an IE IBAN number on the Revolut account?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Lots to go on here. Thank you. I have read a lot about authorised push payments since this incident. Although there seem to be guidelines,banking rules etc. in place in the UK, there doesen't really seem to be the same help here. Even a simple Google search doesn't show many solicitors who have much experience in this area. Obviously no agency, bank etc wants to have a situation where there is effectively a blank cheque for any victim of fraud, and the onus is still yourself to be mindful of any online payment.

    The garda I spoke to had dealt with similar cases and in his experience he said that there was very little hope to recover any of the money, and that it usually results in a compromise payment having to be agreed between the company and the client.

    On the day we agreed to make the payment, we both took for granted that we had received the same invoice. It was only after understanding we had been scammed, that we compared ghe invoices- obviously an error in hindsight.



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Thanks for your input. I do feel there is an element of letting me stew while I haven't paid the company. I see how this looks from their point of view, and understand why they are reluctant to give support for a service that hasn't been paid for, even if it is not currently working correctly.

    Trying to determine who was hacked seems to be the crux of the matter, but proving it is problematic. I would be interested in finding out if a service is available to see if my own account was hacked though.



  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 51,234 CMod ✭✭✭✭magicbastarder


    the idea that your account was compromised, that someone was watching it, saw the invoice come in, grabbed it and turned it around as a fake within two hours (having deleted the original mail to you) would beg the question - how did they know to watch your account for this?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    That's what I feel too. The timing is too coincidental. I think it'd be implausible really, but the company maintain they have not been hacked.



  • Advertisement
  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    ⁸.



  • Registered Users, Registered Users 2 Posts: 2,837 ✭✭✭wandererz


    If it's a small to medium sized company, chances are that they are using an online system for invoice generation, billing, accounting etc.

    It could be that system which is compromised. It could even be someone working for that company elsewhere in the world who is monitoring what invoices are being sent out and to whom and adjusting them accordingly.

    Anything is possible.

    Again, it would be interesting to see what country the IBAN belongs to.

    I assume you have provided the IBAN details to Revoluts fraud department as well?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    It was a UK Revolut Iban. In hindsight, that should have aroused more suspicion from me



  • Registered Users, Registered Users 2 Posts: 129 ✭✭mikehammer..


    Id be going old school methods if possible from what i'm hearing about revolut and bank transfers

    The Co's want bank transfer anyhow as theyre non retakeable



  • Registered Users, Registered Users 2 Posts: 19,129 ✭✭✭✭Del2005


    Their data breach while it could of lead to them getting your email address had nothing to do with the fraud. At most they are guilty of miss handling data, which is a serious offence, but the fraud is entirely on you.



  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 51,234 CMod ✭✭✭✭magicbastarder


    bit late now - but when i'm transferring large amounts of money like this, i always transfer a token amount and then verbally confirm with the recipient that they got it before repeating with the full amount.



  • Advertisement
  • Registered Users, Registered Users 2 Posts: 310 ✭✭DoraDelite


    It's entirely possible that the company were hacked. I work in an area of IT security where I sometimes need to analyse header of emails to determine their origin, whether they're spoofed or not etc. I'd be happy to try and help you on this via PM if you want?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    It wouldn't be a particularly big company. They have done work recommended by other people locally.

    The day after I made the payment I outlined all the account details to Revolut through their chat facility and explicitly said that the fraudulent payment had been made received by that account. They maintained that they could do nothing except contact my bank and ask them to make the request to withdraw the payment. All of this extra time would have allowed the scammer more opportunity to remove the funds. It was infuriating.



  • Registered Users, Registered Users 2 Posts: 129 ✭✭mikehammer..




  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero




  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    I acknowledge that I paid the money willingly, so from that point of view it is absolutely my responsibility. That's my fear.

    That I could have predicted the invoice I received was likely to be different to the one my wife received would not be realistic. We spoke to confirm we both received the invoice. My mistake was not checking that the payment details were the same. I would not have automatically presumed that one of the emails was fraudulent.



  • Advertisement
  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero




  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 51,234 CMod ✭✭✭✭magicbastarder


    reading back through your posts - you mention that the original mail to your wife has you CCed on it, but you did not get the original mail? that could point back towards your account being compromised. which is not to say that the company was not compromised. someone could have access to the company's info and thus possibly have a list of email addresses of people who are expecting to be invoiced, and hacked the email accounts of those customers.



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Yes, I never received the legitimate invoice despite being Cc'd. I'd agree that to me, that would indicate an issue on my side. The fraudulent emails then continued to be received by both myself and my wife. Initially she confirmed with the scammer, that she had received the invoice through her email. Subsequently, when it came to payment, I was then in contact with them to confirm payment.



  • Registered Users, Registered Users 2 Posts: 2,837 ✭✭✭wandererz


    For small payments (less than €100) I could (in theory) tap my Sumup machine or the app on my phone against someone's pocket/wallet and get a small amount. Same as if you were paying for something at a shop.

    For larger transactions, especially if it was a push transaction, the bank will argue that you logged in, you authenticated with your username/password & pin code and possibly a card reader so it must have been you.

    They did their duty of care as much as possible and in the same or similar way to other institutions and according to best practice, so it's not their problem.

    Unfortunately, you may not get very far with this.

    If and when you can get in touch with the company (keeping in mind builders holidays over Xmas / New Year) explain the problem, show them proof. Suggest that it could have been a compromise on their side for the scammer to know all this information.

    The company will still need to be paid, so suggest a payment plan if possible.



  • Registered Users, Registered Users 2 Posts: 27,029 ✭✭✭✭noodler


    If the company's email has been breached/hacked whatever then they definitely know it (how likely is it you are the first?).

    I think I'd hold tight OP.

    The very fact they've been radio silent for weeks rather than hounding you for payment is curious.

    Christ though, I'll never make another bank transfer again.



  • Registered Users, Registered Users 2 Posts: 9,543 ✭✭✭893bet


    Did you receive it and did they have access to delete that mail from your account in order to then replace it with the fraudulent one?



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    Thanks. Yeah, I don't feel as though the bank are culpable. The only query might be around if they delayed taking prompt action to try to have the payment blocked. Would I be entitled to know exactly when they initiated the process to block the payment? Bear in mind I rang them on a Saturday morning. Information online indicated that payment to the UK FROM the AIB app could take up to 48 hours, but it must have gone through quicker, or else the process to block the payment takes longer than a couple of days. Either way, you are told to wait to see if money returns to your account. If it hasn't, then there is nothing else they can do.



  • Registered Users, Registered Users 2 Posts: 7,742 ✭✭✭The Continental Op


    OP if you paid to a "UK" bank do you have any form of protection from the UK's new banking regulations?

    https://www.bbc.com/news/articles/cy94vz4zd7zo

    Wake me up when it's all over.



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    I expected that I had, and that I had subsequently paid the scammers fraudulent one instead, but looking back through my emails I didn't have the legitimate invoice email. Whether a scammer had access to my emails, in order to delete the legitimate one, and replace it with a fraudulent one is unknown really.



  • Registered Users, Registered Users 2 Posts: 66 ✭✭magnetic zero


    That is something I hadn't considered. Maybe the fact I made the payment from an Irish account might be an issue there. Also, as this payment was before these rules were implemented I presume that's another problem for me. Thanks for the suggestion though.

    Edit. Those rules are what I was referring to earlier when I read that people in the UK were protected from this type of scam to a much larger degree.



  • Advertisement
Advertisement