Steal Away – a true story.

 

 

Emerald pool

 

I’d like to tell you a story.  Unfortunately it’s a true story, and it happened to me.  I’m passing it on you so that my experience may hopefully serve you.  I have changed some of the story a little, but the basics remain exactly as they happened.

Lights!

On 21st November last year I made initial inquiries as to the purchase of a fibre/yarn related product  through a very reputable maker.  This family company has been in business since the 1970’s, and supplies the product I was interested in to Europe, New Zealand, Australia, Canada and America. The product is highly regarded, and extremely reliable.  The woman I was writing to was very knowledgable, and I was very happy with what I learned.
We emailed back and forth and agreed on the style, and the price -$1200.

On 25th November I transferred the money to her account via bank transfer, and sent her a confirmation email.

One week later, I received an email from her, asking where the money was, as the product was ready to send.   I replied, showing details of the bank transfer.  2 days later another email from her asking where the money was. I tried to ring her, but the number she’d sent me must have been incorrect, and I couldn’t get through.

Once again, I copied the bank transfer information into the email.  I also asked her if the emails were going into her junk file.  Sure enough I received a response.  “Sorry, we checked the account and the money was there all the time.  We will send the product next week”.

On the 12th December I received another email “Could you please send the money, we have the product waiting to despatch to you”.   I tried a couple of times to ring the number on the website, but the number rang out.( At this point, I was starting to wonder if the lady had dementia or was unwell.  After all, the business was a family business, and had been going since the 70’s.)

I send a response back,copying and pasting all the email correspondence we’d had -just in case she really did have dementia and had forgotten everything.  In return, she said sorry,  that she had to wait for another extra part to be made – but because I had waited for so long she’d throw it in for nothing.  She would send it on the 18th and forward me a tracking number.

I still hadn’t received anything by 20th December, but I figured she’d closed for Christmas holidays.

On the 3rd January, I sent yet another email, outlining, once again, all correspondence, including the fact that I’d made payment more than a month before. When I came home from work the next day, there was an email from her- “please ring me urgently on this number”.

Camera!

We finally got to speak, and she told me that  from the email I’d sent the day before, she realised that her email account had been hacked.

The hackers had inserted their own account details when she’d sent the bank transfer information to me- way  back on the 25th November, leaving the rest of her email intact.  I’d paid into their account, not hers -I had never seen her account details at all.

What was more scary was that each time we emailed each other, they were changing the words, so I thought she had dementia, and she thought I was not going to pay.

Quite a scary case of stolen identity and internet theft.

money-bag-400290_960_720

 

Action!

I immediately went to my bank and told them the story, asking if the payment could be reversed.  They rang their head office, but the following day, I was told that “because I had done the transaction myself, (the bank hadn’t done it) there was nothing they could do, and I should speak to the police instead”
I went to the local  police station and reported the matter.  Unfortunately, they could do nothing and suggested that I should report to ACORN, the federal government  cybercrime arm.  I raised a report online, and was given a reference number, but no time frame as to when action would be taken.

As you can maybe imagine, I was a bit frustrated.  My thoughts were as follows. “I know the bank account  of the hackers, because I have the bank record of transaction.  Surely someone, somewhere can just freeze that account and investigate it”.

A friend suggested I ring my local MP’s office.

I can  only wish our State and Federal Government were as efficient as the office of my local Member of Parliament, as I was given some very good advice, and a couple of different avenues to try.

The avenue I took was to contact the Financial Ombudsman, who said I should email the bank and ask for a “Final Decision Letter”, outlining why they felt they could take no further action.
So on 12th January  I sent an email to my bank, mentioning that I had spoken to the Financial Ombudsman service and that he had suggested I ask for that letter.

About an hour after I sent that email, I received a phone call from a rather agitated person at the head office of the bank.  “Why are you so impatient, these things take time, you can’t just rush  inquiries like this, why did you contact the ombudsman, we are doing all we can”, and really getting quite angry.

So angry, in fact, that I had to raise my voice and interupt him “Just hang on a minute!Your staff told me that I had to go to the police, that you couldn’t do anymore.  What are you saying about an inquiry?”
“Yes well” he muttered, “they told you wrong, there is an inquiry, you only had to wait”.

To be honest, I was a bit ticked off.  I didn’t know they were still investigating; his staff had  told me there was nothing more they could do and they had received guidance from their head office – his department!.

I swallowed my annoyance, and told him how wonderful it was that they were taking action. He calmed down but still kept trying to insist that I’d jumped the gun.
So now, I will wait.  I do not know if I will ever get my money back, nor do I know if I will ever find out whether they (hackers) will be caught and charged.
But my bank is trying to help, I’ve reported it to ACORN, and I’ve learned a few things.

Points to ponder.

  • I paid by bank transfer because I deliberately keep a low credit card limit (and thus limit what pay. Both I, and the lady running the business, preferred bank transfer. I do NOT intend to increase my credit card limit just because of this issue.  What would you do?
  • I was asked why I don’t have a telephone number on my website.  The idea has merit, but I am unable to take personal calls or respond to messages whilst  working my other jobs. Initially, I added phone details to the site, but received a large number of unusual messages. (The word Platypus does not only refer to an Australian mammal,  so I found out).  Email, therefore, is my preferred method of correspondence.  What’s your preferred method of correspondence?
  • I have set up the font in my email to a slightly unusual one.  If someone wants to change a sentence within, they will have to do a bit of extra work, eithermatch my font, or to change the whole of the email.  Would you notice a change in font part-way through an email? 
  • The lady I bought the product off suggested changing the colour of the font each email, when dealing with money.
  • I  can’t help wondering if the words ‘Financial Ombudsman’ were actually what got some response from the bank.   Have you had a similar experience?
  • I found that the office of my local Member of Parliament were extremely helpful.  I could only wish politicians at all levels were the same. I would suggest now, to anyone who is unsure of next steps in cases like this to talk to your local MP.
  • Will I change who I bank with?  Would you?

Please feel free to add any comments or ideas in the comments field at the bottom of the page.

It seems to me that the hackers made an awful lot of work for themselves.  They had to check every email sent between us, (and I was the only customer affected) and they had to change the wording in the email, yet still keep on subject,(and the subject matter is a little unique). Not only that, the account that I paid the money into (the hackers account) was a genuine Westpac account.  To open this account, they would have needed identity, including address, drivers licence etc.  Totally traceable.

If I had the knowledge to become a hacker, I reckon I’d try to find an easier way!!

And finally

I still wanted the machine I’d ordered, so I paid the lady (and she got the money this time) and I got my machine.  Over the next month or so, I will hone my skills, and then……..

That will be another story!

The team at Platypus Yarn value our readers. Please feel free to comment, we gratefully accept all feedback, good and bad.

14 comments

  1. I have felt for you every step of this dreadful saga, I can only quess who the company was and kept thinking if this is so how could this be happening.
    A friend had her handbag stolen, everything was reported immediately yet the culprit kept spending. Identity of the thief even known yet bank and police still taking their time and her identity has led to other problems.
    All your questions, I do not know. Rude folk are in all institutions, maybe if it was them being personally affected they would have taken the same action as you.
    Hope there is a happy ending.

    1. Thank you Karen. It is this same delay (that your friend experienced) that had me so puzzled.
      And yes, I am sure that if they were able to walk a little bit in the shoes of the people on the other side of the counter, big institutions may be more helpful.

  2. What a ride, and what a learning curve. I will admit to liking Paypal when dealing
    with unknown vendors. I know some people have had a bad experience with them but I like the fact that you have x number of days to dispute a transaction. I don’t connect my bank account, it is just a debit card, that I deliberately leave a very low balance on.

    1. Bernie, I too, use paypal for some transactions. Unfortunately it wasn’t an option. I think they are addressing that now, making paypal a payment option.

    2. Oh PayPal! Don’t start me! I used it to buy stuff online, never sold & there were apparently a couple of transactions on my a/c where people had paid me $35 or so & I’d never sent goods. Probably because I wasn’t selling anything…. They put me down as a fraudulent person, blocked my a/c. Do you think I could get to an actual person to talk to to sort it out. Almost impossible. When after wks of effort I got to talk to someone, they just called me a liar & kept me locked out. The whole world operates on PayPal. It makes it extremely difficult to buy things without an account. This was 5 yrs ago & im still ticked off…!!

      1. I feel for you Carleen. One of the thing that frustrates me is never getting someone to talk to in things like this. It’s always FAQ’s on the site, or fill in the details in this box, but never a real person to speak to, or to correspond with. When I reported this incident to ACORN, I had no chance to actually describe what had really happened. When there is no human contact, too much can go wrong.

  3. Thanks for sharing this story. Quite worrying. It’s either luck on the part of the hacker to guess the password, or it was an inside job, which, in the business’ case, I hope it wasn’t. Hackers create ‘bots’ that can guess millions of different passwords in a short time, so all they need to do is pick on any ecommerce business and off they go! Always worth changing passwords to non word combinations of letters, numbers and punctuation. Keep it written down and hidden in a safe place if you must.
    I hope this is resolved in your favour and you get your purchase. Thanks for making people aware of this awful, devious type of crime.

    1. Thanks Dayle. Both myself, and the other lady, had kept our site generated passwords, thinking they were safest too -upper case, lower case, numbers, etc.
      We both immediately changed our passwords, and I will be changing regularly. Unfortunately, I do have to write it down, I have trouble remembering a 4-digit pin, let alone a secure password.
      If this article alerts even one person to a potential hack, then I am happy.

  4. Wow, what a total nightmare for you!

    I really don’t have any advice, having no experience in this sort of situation, but I do want to thank you for sharing all of this information, it’s really invaluable and gives us all something to think about. Are we careful enough online? It would be great to feel we can just trust people but the reality is we can’t.
    I really hope you get your money back. It’s interesting how helpful your bank became when you dropped the “financial ombudsman” into the mix!

    1. Kelly, I have to agree with you.
      How come action was taken when I mentioned Ombudsman. If they really were investigating it before then, then why tell me differently.
      It was the first time I have ever had this type of thing happen, and that was why I was thinking along the lines of dementia, the thought of her email being hacked had not even occurred to me.
      We live and learn!

  5. Ombudsman. That’s what did it. After 12 months of being messed around by Telstra a call to the ombudsman got the ball rolling in 12 hours. When we sold our house and the arrogant little shit at the bank deliberately didn’t pass on the details of where to deposit our money because we had gone over his head to the manager, leading to our money being stolen by the bank for 3 days, after settlement. Calls to the bank, complaints department, mortgage department led to stonewalling. Ombudsman. The next lady I dealt with vowed to track down our money and made 20 odd phone calls until she called back a couple of hours later to say it was now in our bank. Ombudsman is as magical a word as abracadabra when it comes to dealing with anyone like that. On the counterside, over a decade ago I had a Westpac credit card and their finance dept called to tell me they believed my card details had been stolen when I purchased something online. I asked for the persons name and called back to verify they were the bank and yes details were stolen. The company I purchased from had been hacked, the card was cancelled and transactions reversed. Yet NAB who I am with now, a disputed transaction took 6 weeks to be reversed even though I provided proof. They really all think they are a law unto themselves. Great that you finally got it all sorted out.

  6. Wow, what a traumatic experience, I am glad that action is being taken but I agree that the Ombudsman word made it happen !
    I had a website that happily went along happily for a number of years and then last year it got hacked. They deleted notification of sales to me, removed the bank deposit details and replaced the paypal account details with their own. It wasn’t till I received an email from the client who I had dealt with before that I looked into it and found the order on the site but no payment – the customer sent me sent me a copy of their paypal receipt and I saw the wrong paypal account and went “eek”! I called my web designer and paid for her to remove the hack and get it back on track. Fortunately I was able to get on to Paypal and spoke with a person within a few minutes, explaining the details. He told me it would be alright, my customer would get their money back but it would take about a week. And it did. In the meantime I sent the item in good faith and the customer paid me when they received their refund.
    Then two weeks later it happened again! The hackers (based in Poland) had embedded code so deeply into the back end of the site that it just kept resetting to their details (and they had numerous paypal accounts so that changed too!). Once again I spoke to Paypal, there were a few back and forths with the customer having to dispute the amount and then my verbal confirmation of the problem and yet again I sent the goods on in good faith. Fortunately Paypal was faster and refunded within 3 days.
    By this time I felt really bad too as it wasn’t really Paypal’s fault either although I’d recommend Paypal not allow gmail paypal accounts! The web designer felt bad as she hadn’t been able to fix it and gave me a brand new website (although it took a couple of months).
    It was very stressful though and I felt powerless to stop it. I’m sure the customers thought I was quite rude initially too since I completely ignored their orders (since I didn’t receive notification of the sale), thankfully it all worked out in the end and I’m grateful that Paypal helped so much too.
    Its definitely something to be wary of and keep an eye on now that we all deal so much with things online.

    1. Annette, such a similar story. And the person who runs the business I was dealing with said that they felt (and very rightly so) violated, and quite traumatised. Because we are the very very edge of the cutting edge technology, in that we only use the parts that we need too, we are all quite vulnerable.
      I compare this with my mobile phone. I use it as a phone/message sender/receiver, and that’s it. I think I utilise about 5% of the capability of the device. Those who use their phone for instagram, facebook. internet etc etc, are still only using maybe 20 to 30% of the capacity. So how do we know what somebody else is doing in the background? We don’t! Scary stuff if we dwell on it too much.

Leave a Reply

Your email address will not be published. Required fields are marked *