Victim of APP Scam - All advice welcome!

Jimwalker

We've recently been victim to the sort of scam you never think you will fall for when having some building work done.   Any advice anyone can give on anyone to recover any amount would be welcome.
A builder visited to quote us for some building work.   He emailed a quote through to us.  Over the next day or two we reviewed and exchanged several emails on the scope of the work.  We arranged for a structural engineer to visit in a few weeks time.   
He emailed to say the structural engineer could visit Saturday - 2 weeks sooner than expected, and once the 50% deposit was paid we could get the ball rolling.    I asked for an invoice/contract and he sent through a pdf with bank details on. 
I proceeded to pay via Nationwide's app the bank details on the quote.     Nationwide warned the name on the account didn't match the details, so i emailed back to ask and because the company had changed to sole trader the name didn't match.   I had looked at Companies House prior so knew this to be true.    Ultimately I then sent the deposit and the following day when the builder knew he was none the wiser. 

I am a 38 year old IT Consultant keen to get my building works done, and rely heavily on email as my primary form of communication outside my household.   Having had real dialogues with the builder by email I believed i was liaising with the builder.  This was not a cold call, not an email out of the blue, but someone monitoring the builders email account.    The day after transferring the money and realising this was to the wrong account I immediately rang my bank who logged the case.   I logged it with Action Fraud, and with a quick Sort Code search found the receiving bank to be Bank of Scotland who I rang also as advised in the Which Consumer guide, my theory being the sooner it happens.  Bank of Scotland asked 'who told you to ring us?'.   Ultimately, despite me giving them the account number of a suspect bank account, they would take no action.

So from getting the quote by email on the Friday, having a good dialogue about the scope of the work, to receiving and paying the pdf invoice, it was less than 7 days.
In hindsight I could have picked up the phone and rang the builder to check the details, but that isn't a means of communication I generally use.   The emails were all believable, and had been in quick succession. 

I have logged this with Nationwide and Action Fraud.   Nationwide, without a single email or phone call have sent a standard 'not our fault  - we warned you letter'.
My question is, should I suffer because the builders email account was hacked?   Yes, in hindsight there is always more that can or could have been done.    Yes, Nationwide in the app do have a blurb to say check with the recipient, which I did...or at least thought I did.
Ultimately I've learned a big lesson in this, but it has left me feeling nervous about what will I fall fowl to next?   

dunstonh

Having had real dialogues with the builder by email I believed i was liaising with the builder.

And the scammer probably read all of them.  Indeed, its possible the scammer may have replied to some of them rather than the builder.

In hindsight I could have picked up the phone and rang the builder to check the details, but that isn't a means of communication I generally use.

Or you could have texted the builder or used secure email (encrypted).

My question is, should I suffer because the builders email account was hacked?  

Do you know it was the builder's email account that was "hacked"?   Emails pass through servers and any one of those could be intercepting emails.   However, it makes no difference.  The builder is not liable.

Yes, Nationwide in the app do have a blurb to say check with the recipient, which I did...or at least thought I did.

You ignored a clear warning that the bank details did not match and were not even a close match (there are wildcard filters in place where small differences would result in you being told the correct account name).

I had looked at Companies House prior so knew this to be true.   

How would you know it is true?   Companies house only shows LLP, Ltd and Plc.  it does not show sole traders.  it would also not tell you if someone has changed from limited to sole trader.  It would just tell you if the company is active or not.   

Ultimately I've learned a big lesson in this, but it has left me feeling nervous about what will I fall fowl to next?  

Best not to fall on birds      it is horrible that you have lost money.  However,your reliance on insecure communication methods to obtain bank details was very naive.  Especially for someone that works in IT and should know these things.  All you can do is remember that technology is not perfect and scammers are everywhere and when it comes to money, you should independently verify bank details via another source.

EssexExile

Jimwalker said:

My question is, should I suffer because the builders email account was hacked?

To be honest, if not you, then who else should suffer? Your builder has done nothing wrong, the banks have done nothing wrong. Let's hope they catch the scoundrels and get your money back but I wouldn't hold your breath.

Did the real builder really want 50% up front? I'd have baulked at that.

Zanderman

EssexExile said:

Jimwalker said:

My question is, should I suffer because the builders email account was hacked?

To be honest, if not you, then who else should suffer? Your builder has done nothing wrong, the banks have done nothing wrong. Let's hope they catch the scoundrels and get your money back but I wouldn't hold your breath.

Did the real builder really want 50% up front? I'd have baulked at that.

Yes, the 50% struck me as excessive.
The OP's problem is, unfortunately, all his own - as he didn't check the details he needed to check correctly or securely.
It's not an 'app' scam, it's just the classic, common-or-garden, been-around-for-years, pretending-to-be-the-supplier (esp the builder) scam.  
Very likely to have lost the cash, with no redress, sorry!.

happy_hazelnuts

companies house does not tell you changes to a sole trader it will only tell you if a company is active or dormant or dissolved.

Roger.Wilco

You have my sympathy.  Have been in a similar position - though, in my case I was not the person who fell for the scam - it was a financial professional I had engaged, but I was the one directly affected.  In my case I didn't lose any money but it has taken over 6 months to repair my financial structure and I may have to face the consequences for many years to come.  Cold comfort to you I realize.  The feeling of my stomach dropping when the implications sunk-in will be something I will never forget - so I can commiserate with you.

Jimwalker said:

I am a 38 year old IT Consultant ... rely heavily on email as my primary form of communication ...  I believed i was liaising with the builder.

  Knowledge & familiarity can breed complacency.  For example see all the senior Government science/medical advisors around the world losing their jobs for breaking lockdown - despite hours earlier explaining to their nations population the scientific and medical reasons for the lockdown.   The victims "Belief" is a core component of any confidence trick.

This was not a cold call, not an email out of the blue, but someone monitoring the builders email account.

  The small traders that are most vulnerable - as they are not as computer savvy nor as security conscious as larger organizations - but even large organizations have been taken to the cleaners even with their £million security budgets.

Bank of Scotland ... would take no action.

What I had to learn was that all banking procedures and processes etc... are to protect the bank not you the customer - no matter what the marketing the website or Government agencies say.  I was originally naive and though that - it was to protect both - but as far as the banks are concerned the customer is an enemy they tolerate in the pursuit of profit.

In hindsight I could have picked up the phone and rang the builder to check the details, but that isn't a means of communication I generally use.

   Think of this as a security problem - the key or verification MUST always use a different channel to the message.

The emails were all believable, and had been in quick succession.  ... was less than 7 days.

 Haste - is a means of someone rationalizing decisions like cutting corners - when they wouldn't do so normally.  This is a typical marketing tactic "i.e. 50% discount today only" and also used in hard-sell sales patters.

I have logged this with Nationwide and Action Fraud.

I was advised to do similar - but don't expect any action from Action Fraud.

My question is, should I suffer because the builders email account was hacked?

  From someone speaking from experience - unless you can PROVE that the builders email account WAS hacked - you can only rely on what the two banks MAY do to investigate and finally decide. As others have pointed out - it was you who clicked the OK button. As an aside - do you fully trust the builder not to be a part player?  Have you meet the builder in person and have spoken to references?  Because at the end of the day - it is your builders word - against yours.

Your case number with Action Fraud can be given to the banks - you can also demand to speak directly with the bank's fraud team - don't settle for the first line of phone support which will try to fob you off at every opportunity.

In my case I had the other party admit via phone (which I wished I had recorded) and via email what had happened.  They were also quite helpful at the beginning until I suspect their insurance company or lawyers got involved - whereby, I was blanked and left to fend for myself.  Cutting a long story short - it became "provide proof of damages and only then we'll negotiate".  The issue was hard solid proof when I was only collateral damage.

Ultimately I've learned a big lesson in this, but it has left me feeling nervous about what will I fall fowl to next?   

My situation has made me rethink everything associated with banks and how I use them.  I suggest you also do the same once the emotions have settled - to not fall fowl again - treat it rationally.

• Treat everyone including yourself with suspicion.  Trust but verify.
• Use diverse channels when transferring or verifying information.
• Realize that to the banks you are the enemy and work that way.
  
• Understand that psychological factors may result in less than ideal decisions - build personal processes / habits to mitigate.

An example may be:

• Get the builder to write his bank details on the back of his business card when in front of you.
• Send a small amount first and confirm that the builder has received before sending anything else.
• Break the transfer into smaller sums and transfer one-at-a-time - verifying each time - with proof.
  
• Don't be rushed into anything - have a cool-off period before you transfer.
• Write a checklist and print and hang on the wall and follow.  If checklists are good enough to stop pilots from crashing from missing steps - its good enough for me to stop me from doing likewise.

Stable door - horse...

Good luck!

colsten

OP, had you considered the possibility that the builder is the scammer?

Fighter1986

I will never pay for anything by bank transfer that I don't already have in my hands e.g. car keys.

I just bought a car on Saturday and did several verification checks along the way.

I verified the VIN matched on the chassis and V5
I made sure the seller could tell me a good bit about the cars' history while I held the history in my hands
I made sure the name given to me by the seller not only was verified by Nationwide's COP, but also was the same name on the V5.

Unfortunately, the only lesson to be learned here is caveat emptor. 

happy_hazelnuts

Problem is even if you have the cash in your account and they have paid  if the person was a fraudster they could still claim they were a victim of fraud and get the bank transfer reversed.

This is a problem when selling of course rather than buying.