caffynz
270 posts

Ultimate Geek

ID Verified
Subscriber

  #3355473 20-Mar-2025 09:18

SaltyNZ:

 

timmmay:

 

I absolutely call to confirm account numbers for any payment over a few hundred dollars. I've heard of this scam happening in the past.

 

 

ANZ is rolling out payee verification in their app now. It will instantly tell you whether the name exactly or partially matches or not, although it will still allow you to go ahead even if there is no match.

 



ASB too. 




timmmay
20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3355474 20-Mar-2025 09:21

Yeah, but so far it virtually never matches for me. Business / account name is often quite different from the trading name. Over time businesses will probably start adding account name to invoices... but scammers can change that too. I'll keep calling the vendor for any large payments to confirm everything.


jonathan18
7413 posts

Uber Geek

ID Verified
Trusted

  #3355475 20-Mar-2025 09:21

SaltyNZ:

 

ANZ is rolling out payee verification in their app now. It will instantly tell you whether the name exactly or partially matches or not, although it will still allow you to go ahead even if there is no match.

 

 

All the banks I've used to transfer money from recently have it already running: "Banks participating in the new confirmation of payee service are ANZ, ASB, Bank of China, BNZ, CCB, The Co-operative Bank, Heartland Bank, ICBC, Kiwibank, Rabobank, SBS Bank, TSB and Westpac."

 

This article from when it started rolling out back in Oct 24 said it'll be complete by Easter.

 

timmmay:

 

Yeah, but so far it virtually never matches for me. Business / account name is often quite different from the trading name. Over time businesses will probably start adding account name to invoices... but scammers can change that too. I'll keep calling the vendor for any large payments to confirm everything.

 

 

Interesting - I've never had much of a problem. 

 

 




mattwnz
20141 posts

Uber Geek


  #3355808 21-Mar-2025 02:29

timmmay:

 

Yeah, but so far it virtually never matches for me. Business / account name is often quite different from the trading name. Over time businesses will probably start adding account name to invoices... but scammers can change that too. I'll keep calling the vendor for any large payments to confirm everything.

 

 

 

 

I have had this problem once, and I think it is because the company, a plumber, had set up the bank account under a totally different name, or they had changed the name. So I confirmed with them that it was correct. Normally if it isn't 100% correct, it will display a warning that it only has a partial match. I think all banks are now doing it, and if there isn't one doing it they should probably be named so people know which banks aren't up to this standard.


networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #3355904 21-Mar-2025 09:52

I don't really understand people's objection to this ruling. It's the only reasonable way.

 

The email sent was from the correct and legal address. It was compromised because the owner of the address gave up their credentials. There is no way to know this from the sender's side unless they are particularly vigilant or something 'smells' off. Your average Joe likely wouldn't know how to identify this. They acted in good faith, and are out of pocket. It's the cost of the breach to the painter in this case. If they have Cyber Protection Insurance, they would likely assist him with the costs, though to get Cyber Insurance today you'd likely need to attest you have basic Cyber Security measures in place.

 

We are a TSP. One of the things that we teach (via security awareness training as part of our security plans) is that all payment account change requests should be verified a second way (phone call etc), NOT by replying to the email (where you are likely communicating with the bad guy).

 

The Painter didn't take reasonable measures to secure his account, but in my experience, ultimately, even with MFA, it's possible to get Phished and give access regardless. Additional layers of protection are available (Detecting impossible travel), but I'd suggest that your average tradie knows nothing about it. 

 

If this ruling gets appealed through the courts, I am more than 99% sure it would be upheld as it should be. The sender of the funds had no reasonable reason to believe it wasn't a legitimate transaction. The onus is on the account holder to secure their account. 

 

Business Email/Credential Compromise makes up 99.3% of the entry point to cyber attacks.

 

The painter needs to get himself a good IT company who can properly mitigate this breach, which is far more than just changing his password. Logs should be obtained where possible, so it can be determined what the bad guys sent and did whilst in his account and so he can notify the privacy commissioner of a breach and notify those down and upstream of him of a potential breach of PII.

 

 

 

 


rphenix
985 posts

Ultimate Geek

Lifetime subscriber

  #3356012 21-Mar-2025 14:37

As bad as this is, there have been cases where a compromised email account led to even worse consequences—like mortgage fraud. Fraudsters have used stolen identity documents from old emails to secure mortgages, and some banks have even taken victims to court to try and enforce the fraudulent loans.

 

This should be a wake-up call for people to secure their email accounts properly—at the very least, use MFA, yet too many look at it as a major inconvenience.


networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #3356076 21-Mar-2025 15:35

rphenix:

 

As bad as this is, there have been cases where a compromised email account led to even worse consequences—like mortgage fraud. Fraudsters have used stolen identity documents from old emails to secure mortgages, and some banks have even taken victims to court to try and enforce the fraudulent loans.

 

This should be a wake-up call for people to secure their email accounts properly—at the very least, use MFA, yet too many look at it as a major inconvenience.

 

 

Yeah, this is common. BEC seems simple but is actually complex. The consequences are far-reaching. If you have ever emailed passwords or had them emailed to you, they are in the hands of the bad guys potentially, personal medical records or employment matters too. We have seen a number of post-breach extortion attempts, additional attention spent by the bad guys trying to get in etc. A doctor we know was compromised, his patients were contacted and attempts made to extort.

 

MFA what you care about. One commonly missed is the IRD. A friend of mine had a refund filed under her login for a sizeable refund. IRD made her pay it back.


 
 
 


neb

neb
11294 posts

Uber Geek

Trusted
Lifetime subscriber

  #3356154 21-Mar-2025 22:35

Lias: The painter did not take reasonable care to secure their email and the scam email was sent from their account, not spoofed. 

 

It seems eminently reasonable that they should reimburse the client.

 

The painter is a tradie, not an IT expert.  He probably took as much care as anyone else around him to protect his account. I'm not saying the decision was incorrect, but that it seems unfair to blame the victim for his account getting compromised.  Do you know anyone, who isn't a hardcore geek, who uses 2FA on their email?


lxsw20
3552 posts

Uber Geek

Subscriber

  #3356156 21-Mar-2025 22:40

Is it victim blaming if you don't pay your GST because you're not an accounting expert? If you don't know, you find someone who does know.

 

I'm pretty sure 365 pretty much forces you to use MFA now, so yes most businesses that are not stuck in the 90s use MFA.


Handle9
11386 posts

Uber Geek

Trusted
Lifetime subscriber

  #3356157 21-Mar-2025 22:45

neb:

 

Lias: The painter did not take reasonable care to secure their email and the scam email was sent from their account, not spoofed. 

 

It seems eminently reasonable that they should reimburse the client.

 

The painter is a tradie, not an IT expert.  He probably took as much care as anyone else around him to protect his account. I'm not saying the decision was incorrect, but that it seems unfair to blame the victim for his account getting compromised.  Do you know anyone, who isn't a hardcore geek, who uses 2FA on their email?

 

 

A tradesman who is not a security expert would still be expected to secure the job site and his van to prevent theft. This is the same thing. 


networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #3356509 23-Mar-2025 13:10

neb:

 

The painter is a tradie, not an IT expert.  He probably took as much care as anyone else around him to protect his account. I'm not saying the decision was incorrect, but that it seems unfair to blame the victim for his account getting compromised.  Do you know anyone, who isn't a hardcore geek, who uses 2FA on their email?

 

 

So who should wear the cost of the loss? The fault lies with the tradesperson. I don't think there can be any dispute of it. The sparky probably tells his clients to use a qualified sparky for electrical work, surely you also use qualified people AS a trades person, such as a plumber, IT professional or accountant. Whilst you might get away with doing some of those things on your own and not have issues, if you miss something, the consequences could be horrendous, like burning your house down, owing the tax department massive sums, or having your PII stolen and funds removed. 

 

I am of the belief that one of the most valuable things that could be taught in school is basic cyber security awareness. We live in a massively connected world, bad guys have pivoted from robbing banks at gunpoint, to this, as it's less risky and usually, more profitable.

 

People must adapt and ignorance, unfortunately, isn't an excuse. 

 

 


Lias
5589 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #3356879 24-Mar-2025 12:51

neb:

 

The painter is a tradie, not an IT expert.  He probably took as much care as anyone else around him to protect his account. I'm not saying the decision was incorrect, but that it seems unfair to blame the victim for his account getting compromised.  Do you know anyone, who isn't a hardcore geek, who uses 2FA on their email?

 

 

He's running a business, he has a duty of care. If he wants to bury his head in the sand and not understand IT security or pay someone who does to do it on his behalf, he should be an employee of somewhere that does rather than running his own business.

 

And yes, I do know plenty of people outside IT who use 2FA. To be fair they mostly consist of people who've learnt the hard way by being compromised at some point.





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.


networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #3356881 24-Mar-2025 12:57

Lias:

 

And yes, I do know plenty of people outside IT who use 2FA. To be fair they mostly consist of people who've learnt the hard way by being compromised at some point.

 

 

It's unfortunate that it usually takes an unpleasant experience to get people to pay attention. 

 

 


Ge0rge
2052 posts

Uber Geek

Trusted
Lifetime subscriber

  #3356884 24-Mar-2025 13:41

Annoying when the financial institutions don't. 

