Invoice fraud: the latest tactic of gangs out to hijack your holiday

theguardian.com:

I t was to be a poignant break for Tim Moore and his extended family. They planned to scatter his mother’s ashes on the Caribbean island of Montserrat, where she had lived for 18 years. Moore contacted a local holiday lettings agent and selected a villa to rent for the 12-day stay. But as soon as the price was agreed, a hacker intercepted the email exchange with the agent, and tricked Moore into paying $5,000 (£4,040) to a rogue account. The money was never seen again, and Moore had to stump up a second time to secure the villa through the agent.

March is the month when thousands rush to book summer holidays abroad before the best deals are bagged. It’s also the season of scams designed to siphon off travellers’ savings. Some, like fake villa websites and implausibly cheap flight offers, are well publicised and relatively easy to spot.

The email scam that caught Moore is little known, highly sophisticated and almost impossible for an unsuspecting lay person to detect. In 2021, £56.7m was lost to this kind of invoice fraud, according to the trade association, UK Finance.

The scam usually targets companies such as conveyancing solicitors and building firms, who receive large one-off payments from their customers. Criminals hack into the business email accounts, and monitor messages to see when a payment is due.

At the critical moment, when the customer is expecting to pay up, they insert themselves into the email thread with an identical, or near identical, email address, and provide their own bank details, often with an pre-emptive excuse as to why they differ from the firm’s invoice. Their emails, and the customer responses, are swiftly deleted so the legitimate firm can’t see them.

Increasingly, gangs are also hijacking the