PDF invoice interception scam. BE AWARE

On the 9th March 2023 I received a company invoice from a trusted source, using the email address I knew to be theirs, for work I knew had been done, from the company I knew to have done the work, owned by a guy I had chatted with on site.

With no reason to be suspicious, I paid the invoice. 

It turns out the invoice had been intercepted, and the company bank details changed. The inserted details were sort number 23 69 72, account number 23472502.

I think I'm pretty scam aware, I don't answer the phone to unknown or withheld numbers. I know the WhatsApp 'Mum, I've lost my phone...' is a fraud scam, and I never respond when DHL or Royal Mail texts or emails to ask for more details. 

I'd never heard about a PDF interception scam. My bank, Santander, do not mention this in the 'Are you sure' questions, and it is not referenced in their scam awareness information or links.

😡 BOOM!! They got me. 

Comments

  • wmb194
    edited 16 March 2023 at 5:38PM
    RKNeleh said:

    On the 9th March 2023 I received a company invoice from a trusted source, using the email address I knew to be theirs, for work I knew had been done, from the company I knew to have done the work, owned by a guy I had chatted with on site.

    With no reason to be suspicious, I paid the invoice. 

    It turns out the invoice had been intercepted, and the company bank details changed. The inserted details were sort number 23 69 72, account number 23472502.

    I think I'm pretty scam aware, I don't answer the phone to unknown or withheld numbers. I know the WhatsApp 'Mum, I've lost my phone...' is a fraud scam, and I never respond when DHL or Royal Mail texts or emails to ask for more details. 

    I'd never heard about a PDF interception scam. My bank, Santander, do not mention this in the 'Are you sure' questions, and it is not referenced in their scam awareness information or links.

    😡 BOOM!! They got me. 

    Yes, this has been around for quite some time. You'll find quite a few articles about it on This is Money from over the years. You also need to watch out for e.g., dealing with solicitors around house purchases.

    The introduction of confirmation of payee, i.e. an account name check, should have reduced the prevalence somewhat but it doesn't work at the moment with all sort codes. The one you've stated is apparently for 'PrePay Technologies' and I'm guessing that will be one of them.
  • eskbanker
    RKNeleh said:

    I think I'm pretty scam aware, I don't answer the phone to unknown or withheld numbers. I know the WhatsApp 'Mum, I've lost my phone...' is a fraud scam, and I never respond when DHL or Royal Mail texts or emails to ask for more details. 

    I'd never heard about a PDF interception scam. My bank, Santander, do not mention this in the 'Are you sure' questions, and it is not referenced in their scam awareness information or links.

    😡 BOOM!! They got me. 

    Santander do refer to 'invoice or mandate scams' at https://www.santander.co.uk/personal/support/fraud-and-security/spotting-fraud-or-scams#sp-18605
    "fraudsters can intercept emails, text and social media messages, and send fake requests that look genuine. They want to trick you into paying the fraudulent account rather than the genuine company’s account"
    and more generically this is typically referred to as 'man in the middle', 'payment diversion' or 'business email compromise' fraud rather than 'pdf interception' as such:

    https://en.wikipedia.org/wiki/Man-in-the-middle_attack
    https://www.actionfraud.police.uk/a-z-of-fraud/payment-diversion-fraud
  • TadleyBaggie
    It's an "email" interception, the PDF was just an attachment to the email.
  • sausage_time
    I always ask a new payee to confirm their bank details by something other than the original e-mail (phone call, text, in person).

    Confirmation of payee is a huge step forward of course, but I still see some banks not supporting it.
    I’m a Forum Ambassador and I support the Forum Team on the Credit Cards and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
    All views are my own and not the official line of MoneySavingExpert.
  • jouef
    RKNeleh said:

    On the 9th March 2023 I received a company invoice from a trusted source, using the email address I knew to be theirs, for work I knew had been done, from the company I knew to have done the work, owned by a guy I had chatted with on site …

    How was this done? Were the fake bank details given in an attachment or in the body of the email? Was the email address identical to the known one, or did it have a slight change, eg spelling, or .com instead of .co.uk, or a character substituted by a similar but ‘special’ character (eg ł instead of l)? Was it an email provider (eg Hotmail, Proton, Gmail etc) after the @ or a company domain name?
  • Zanderman
    jouef said:
    RKNeleh said:

    On the 9th March 2023 I received a company invoice from a trusted source, using the email address I knew to be theirs, for work I knew had been done, from the company I knew to have done the work, owned by a guy I had chatted with on site …

    How was this done? Were the fake bank details given in an attachment or in the body of the email? Was the email address identical to the known one, or did it have a slight change, eg spelling, or .com instead of .co.uk, or a character substituted by a similar but ‘special’ character (eg ł instead of l)? Was it an email provider (eg Hotmail, Proton, Gmail etc) after the @ or a company domain name?
    The scam described by the OP is fairly common and well-known; an interception scam. The OP answers most of your questions - the email was correct, the bank details were in an attached pdf. Nothing particularly new there. See the links in eskbanker's reply above to see more on this sort of scam.
  • TheBanker
    This is a very common scam. Often targets people buying houses - they intercept the solicitor's email asking for the deposit to be transferred and get it paid to another account.

    Always check the account details by another method (phone call to a known and trusted number, not the one on the invoice).

    I am sorry you have been scammed but thank you for posting as it may help others avoid the same situation. 
  • jouef
    edited 24 April 2023 at 6:44AM
    Zanderman said:
    The scam described by the OP is fairly common and well-known; an interception scam. The OP answers most of your questions - the email was correct, the bank details were in an attached pdf. Nothing particularly new there. See the links in eskbanker's reply above to see more on this sort of scam.
    Although not well-known to the OP. Even their bank’s support page left them none the wiser. They do not specify where the bank details were. They just imply it with the title ‘PDF interception’ (as others say, actually email interception). Spoofing or impersonation are also common, where the address looks correct but isn’t or the header doesn’t tally. A company owned by a guy on site and a private customer - sounds like one or other had been phished. Knowing the details helps us all learn what to look out for.
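
Added example, not part of any post in this thread: a Python sketch of the sender checks jouef asks about (a changed domain ending, a substituted 'special' character, a free mail provider, headers that don't tally), run over constructed messages. The known address, the sample domains and the provider list are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: short illustrative list of free mail providers, not exhaustive.
FREE_PROVIDERS = {"hotmail.com", "gmail.com", "proton.me", "outlook.com"}
KNOWN = "accounts@example.co.uk"  # constructed: the address already on file

def split_addr(header_value):
    """Return (mailbox, domain), lower-cased, from an address header value."""
    addr = parseaddr(header_value or "")[1].lower()
    mailbox, _, domain = addr.rpartition("@")
    return mailbox, domain

def check_sender(raw_message, known_address=KNOWN):
    """List the ways a message's sender headers differ from the known address."""
    msg = message_from_string(raw_message)
    known_box, known_domain = split_addr(known_address)
    box, domain = split_addr(msg["From"])
    findings = []
    if not (box + domain).isascii():
        findings.append("non-ASCII character in address")
    if domain != known_domain:
        if domain in FREE_PROVIDERS:
            findings.append("free mail provider, not the company domain")
        elif domain.split(".")[0] == known_domain.split(".")[0]:
            findings.append("same name, different domain ending")
        else:
            findings.append("different domain")
    elif box != known_box:
        findings.append("different mailbox on the known domain")
    reply_to = msg["Reply-To"]
    if reply_to and split_addr(reply_to) != (box, domain):
        findings.append("Reply-To does not match From")
    return findings

def sample(from_addr, reply_to=None):
    """Build a constructed invoice email with the given headers."""
    headers = [f"From: Builder <{from_addr}>", "Subject: Invoice"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\nInvoice attached.\n"

if __name__ == "__main__":
    for frm, rt in [(KNOWN, None), ("accounts@example.com", None),
                    ("accounts@exampłe.co.uk", None),
                    (KNOWN, "accounts.example@gmail.com")]:
        print(frm, rt, check_sender(sample(frm, rt)))
```

A message that really carries the known address in both headers returns an empty list, as in the original poster's account, so these checks do not replace confirming bank details by another channel as several replies advise.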
  • kaMelo
    All valid points but the principle remains the same.
    Never pay anything into an account unless you have been given the account details from a trusted source, verbally over the phone or by letter in the post. Text, email, WhatsApp etc are not secure enough to trust.