Case studies - email hacking


In this digital age, clients are increasingly choosing convenience by submitting transfer and withdrawal instructions via email. Our two case studies below, a result of identity theft via email hacking, highlight the need to ensure any instructions you receive are really from your client.

Fraudster accesses pension funds via bogus emails from the ‘client’

Case study 1

A pension client of a Brisbane-based adviser became a target for identity theft.

The fraudster was able to gain access to the client’s pension funds via a series of bogus emails to the adviser, which the adviser acted on in good faith.

Tuesday 11 August

The adviser received an email from the ‘client’ requesting an urgent withdrawal of $90,000 as his daughter needed money. He wanted these funds deposited to an overseas bank account.

The adviser replied right away, stating the maximum he could withdraw was $47,500 and that he’d need to complete a Pension Payment Request form (sent as an attachment in the reply).

Thursday 13 August

Two days later, the email response stated the ‘client’ had raised $42,500 but still needed urgent payment of $47,500. He’d attached the Pension Payment Request form, completed and signed (by someone the adviser thought was the client).

Under normal circumstances, the adviser would phone the client to confirm this withdrawal; but the email also asked the adviser not to phone the client as he was attending a funeral and it was an extremely emotional time for him.

Friday 14 August

Respecting what he thought were the client’s wishes not to be contacted by phone, the adviser went ahead and processed the withdrawal request.

Wednesday 19 August

As the real client was retired, he regularly checked his account transactions and balance online. He saw the change to his bank details and withdrawal transaction and rang the adviser immediately.

The client explained to the adviser that his email account had recently been hacked. He wasn’t the person who’d requested the withdrawal.

In this case, it was too late. The $47,500 had already been paid over to the fraudster’s offshore bank account.

Preventing this type of fraud

This is one of the most common methods fraudsters use to obtain funds from financial accounts. They hack into people’s email accounts and use them to send bogus emails.

Always be suspicious if you receive an email requesting a large withdrawal amount to be paid to a new or overseas bank account, especially if you’re asked not to contact the client directly, or only by email.

A quick call to your client (using contact details you have on file, not those provided in the email) to confirm before acting on this type of request will alert you to the fact that you are dealing with a fraudster.

Fraudster tries to access Dubai-based client’s super funds after email hacked

Case study 2

A Sydney-based adviser has a client who lives overseas in Dubai. She’s used to receiving and acting on instructions from this particular client via email.

Unbeknown to the adviser, her client’s email account had been hacked. The fraudster carefully planned activities to access the client’s hard-earned super funds via a series of emails.

We suspect the fraudster, with access to the email account, had read the client’s emails and found enough information about the client and her family to convince the adviser the emails were from her client.

Tuesday 9 June

The adviser received an email requesting the client’s email address be changed to remove a single letter ‘g’.

Tuesday 23 June

The adviser received an email from the ‘new’ email address, asking for the current balance of her client’s super account.

Thursday 2 July

The fraudster sent a further email asking for $260,000 to be deposited urgently to an overseas bank account to fund an investment property. The adviser acted on this instruction in good faith.

“The emails seemed perfectly genuine. They had snippets of information about the client’s family. And it seemed reasonable that this client might want funds to buy an investment property overseas – and that they’d need the funds deposited to an overseas account.”

Friday 3 July and during the following week

As the withdrawal amount was large and it was to be paid into an overseas bank account (a well-known and frequently used fraud pattern), the platform attempted to call the client directly to confirm the instructions prior to making the payment.

The client was not reachable via phone at the time and as such the platform was unable to confirm the withdrawal instructions. The delay prompted the fraudster to send some further emails to the adviser.

“My client kept sending emails, harassing me for the funds, so I continued to escalate the urgency for the payment with the platform.”

The platform’s Payments Team Manager explained they couldn’t pay out until they’d spoken to the client directly to confirm the payment. They had to follow correct procedures. They asked the adviser to help them make contact with the client.

Tuesday 14 July

The adviser finally made contact using the alternative phone number provided in the emails. The person on the other end of the phone spoke with a strong European accent. She knew then it wasn’t her client.

Our clients trust us to be guardians of their investments, so we do everything we can to protect their funds. $260,000 is a lot of money to be paid out to the wrong person and it’s difficult to get the funds back, especially if the funds have been transferred overseas.

Preventing this type of fraud

This is one of the most common methods fraudsters use to obtain funds from financial accounts. They hack into people’s email accounts and use them to send bogus emails.

Always be suspicious if you receive an email requesting a large withdrawal amount be paid to a new or overseas bank account – especially if you’ve recently been asked to change the client’s contact details by a single digit or character. This ploy is used to prevent you making contact by phone, email or text message to the client’s mobile.

A quick call to your client (using the original contact details you have on file) to confirm before acting on this type of request will alert you to the fact you are dealing with a fraudster.
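As an added example (not code from the original article or from any platform it describes), the red flags from both case studies expressed as a hold-for-verification check that an adviser's or platform's payment workflow could run before a withdrawal is released: it flags a lookalike contact-detail change, a large amount, a new or overseas destination, a request not to be phoned, and a callback number that differs from the one on file, and it always returns the on-file number as the one to dial. All class and field names, the $10,000 "large" threshold and the 60-day window are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; spots a contact detail altered by just a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def contact_change_flags(old: str, new: str) -> list:
    """Flag an email-address update that differs from the old value by only 1-2 characters (case study 2)."""
    d = edit_distance(old.lower(), new.lower())
    return [f"contact detail changed by only {d} character(s)"] if 0 < d <= 2 else []

@dataclass
class ClientRecord:
    phone_on_file: str                  # verified at onboarding, never taken from an email
    known_accounts: frozenset           # destination accounts previously confirmed by phone
    contact_changed_days_ago: Optional[int] = None   # None: contact details never changed

@dataclass
class WithdrawalRequest:
    amount: float
    dest_account: str
    dest_overseas: bool
    asks_not_to_call: bool = False                   # "at a funeral, please don't phone"
    callback_number_in_email: Optional[str] = None   # "alternative number" offered by the sender

def withdrawal_flags(client: ClientRecord, req: WithdrawalRequest, large: float = 10_000) -> list:
    """Red flags named in the case studies; any one of them should hold the payment."""
    recent_change = client.contact_changed_days_ago is not None and client.contact_changed_days_ago <= 60
    checks = [
        (req.amount >= large, "large amount"),
        (req.dest_account not in client.known_accounts, "new destination account"),
        (req.dest_overseas, "overseas destination"),
        (req.asks_not_to_call, "asks not to be phoned"),
        (bool(req.callback_number_in_email) and req.callback_number_in_email != client.phone_on_file,
         "callback number differs from number on file"),
        (recent_change, "contact details changed recently"),
    ]
    return [label for hit, label in checks if hit]

def decide(client: ClientRecord, req: WithdrawalRequest) -> tuple:
    """('hold', number_to_call, flags) or ('release', None, []); only the on-file number is ever dialled."""
    flags = withdrawal_flags(client, req)
    return ("hold", client.phone_on_file, flags) if flags else ("release", None, [])
```

The sample values in any test run are constructed; the point is that every flag routes the call to the number on file, not to one supplied in the email.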
