Email from legal executive Shaz vanHaaren (left) of TW & Associates in Hamilton confirming the purchase of a property in Cambridge, and a fake email (right) asking the firm's clients to pay $270,000 to a fake trust account. Composite photo / NZME
Email from legal executive Shaz vanHaaren (left) of TW & Associates in Hamilton confirming the purchase of a property in Cambridge, and a fake email (right) asking the firm's clients to pay $270,000 to a fake trust account. Composite photo / NZME
A Waikato couple narrowly avoided losing $270,000 after their lawyer’s email was hacked by UK scammers.
The compromised email from Truman Wee & Associates requested payment to a fraudulent account, but a bank teller’s suspicion prevented the transfer.
Police confirmed the same account successfully scammed two other victims out of at least $250,000.
A Waikato couple who had just purchased a new house narrowly avoided losing $270,000 to scammers after their lawyer’s email account was hacked.
An email account at Cambridge firm Truman Wee & Associates was compromised over the Christmas break by cyber criminals in the United Kingdom, who impersonated a legal executive and sent the home buyers bogus invoice details for a supposed trust account.
Police have confirmed the bank account was used to successfully scam two other victims out of at least $250,000, with the money being siphoned overseas.
The Waikato couple signed a sale and purchase contract for a $1 million-plus property in December and engaged TW Associates to handle the conveyancing.
Due to the holidays, they were unable to settle until January 20.
On December 30, they received an email, purportedly from the firm’s practice manager Shaz vanHaaren, wishing them a happy holiday.
Complete with vanHaaren’s signature and the company’s Christmas greeting, the email noted the couple’s settlement date and asked how much they planned to loan from the bank to finance the purchase.
“Please get back to us with exact figure so we can know the shortfall and provide you with our trust account,” the email said.
The email included an email chain with the firm from earlier that month congratulating them on their success and supplying a copy of the original purchase contract.
The next day, the couple replied to the email, confirming they planned to borrow $850,000.
Email from legal executive Shaz vanHaaren (left) of TW & Associates in Hamilton confirming the purchase of a property in Cambridge, and a fake email (right) asking the firm's clients to pay $270,000 to a fake trust account. Composite photo / NZME
A week later on January 6, another email arrived from the law firm, apparently providing invoice details for the company’s trust account and requesting payment of the $270,000 shortfall ahead of settlement.
“Kindly remit funds as soon as possible to our trust account as above.”
The email was signed “yours faithfully, Shaz vanHaaren”.
The couple thought it was strange the law firm needed the money two weeks ahead of settlement but the man headed to his local ANZ branch to arrange transfer as instructed to another ANZ account.
The teller had to increase the man’s transfer limit to allow the payment to proceed but grew suspicious when he showed her the email, telling him the account was an international money transfer account “facilitated” by ANZ.
Spooked, the man immediately contacted his partner, who rang vanHaaren, who was on holiday overseas.
She confirmed she had not sent the invoice and that one of the email accounts appeared to have been hacked.
“I was like, ‘Oh my god’,” the man told the Herald.
“It was just luck really that I didn’t end up doing it. We would have been screwed.”
The couple immediately contacted police and Cert NZ.
An email from police said the bank account had now been shut down “but not before they received $250k”.
“That same bank account has been used in a couple of other, similar fraud offences that were successful. The trail on those offences leads to an overseas account.”
Given the scammers were based offshore, there was nothing more police could do, the email said.
The man was still shocked at how close they came to losing their life savings, not being able to settle on the purchase, and losing their dream home.
‘It was almost impressive’
VanHaaren told the Herald the hackers had gained access to her company email account and timed the attack during the holiday period when emails were unlikely to be monitored.
“The wording was not mine. It was not an email I would have sent.
“It’s horrible. The clients were really panicked.”
The hackers appeared to have reviewed earlier emails as they knew how much the couple had paid as a deposit, meaning they could then calculate the correct shortfall.
VanHaaren said the infiltration was extremely sophisticated. The hackers had deleted all footprints of the incursion from her sent and deleted folders, and the fraudulent emails were nearly impossible to detect.
“It was almost impressive. They’ve done such a phenomenal job. it’s really scary.
“[The couple] were just very very lucky and we were also very lucky.”
The company’s IT expert immediately reset necessary passcodes and thought the hackers were based in the UK.
The law firm did not believe any other clients had been targeted but admitted it was impossible to be sure.
“We will never be able to be certain because they are just so sophisticated.
“The blame can’t be left at our feet because we didn’t even know. We had no idea what was happening until she called and we would have been none the wiser.”
VanHaaren said law firms, like other businesses, often received phishing emails, but there were usually “markers that let you know it’s a scam”.
It's thought the cyber criminals responsible for the attack are based in the UK.
Police said they received a report from the couple at the start of the year of “unusual activity” relating to a bank transfer.
While no money was lost, “fraudulent activity” appeared to have taken place.
Two other successful frauds had been linked to the same bank account.
“Inquiries into one of the three instances led overseas, which unfortunately left police with few further lines of inquiry to take, given the complexities of such matters.”
ANZ said it waspleased the couple did not lose money, but would not comment further while the matter remained under investigation.
Pressed on whether the account in question – which begins with an O4 prefix commonly used by ANZ – was an ANZ account, a spokeswoman said it was an “agency account” with another financial provider.
She said “agency banking relationships” were standard practice, where international financial institutions could open NZ bank accounts to access local payment systems.
These financial institutions must comply with NZ laws and regulations, including appropriate checks when on-boarding customers and operating accounts.
National Cyber Security Centre (NCSC) Threat and Incident Response Team lead Tom Roberts said the couple did the right thing by verifying the situation with the bank and law firm, and reporting the incident to authorities.
“The NCSC regularly receives reports of incidents of business email compromise where online attackers take control of an email account to impersonate trusted organisations and businesses and target their customers by sending out phishing emails.
“We urge all businesses to access the resources on our website Own Your Online and to talk to their employees and customers about the risks posed by phishing.”
