FutureScot
Cyber

‘They were very clever the way they went about – it all seemed very feasible’

One of the development projects by Rousay Eglisay & Wyre Development Trust. Photograph: Rousay Eglisay & Wyre Development Trust

A charity that specialises in supporting development projects in some of Orkney’s remotest communities has been caught up in an online scam.

Rousay Eglisay & Wyre Development Trust was hit by fraudsters in September after a member of staff was duped by someone purporting to be from its bank, the Co-op.

The victim was presented with legitimate information that the fraudsters had managed to access from the organisation’s VAT payments to HMRC.

After pretending that the line was being affected by gremlins, the caller managed to persuade the staff member to log into a fake banking platform and verify their details.

“Unfortunately, that’s how they managed to get the credentials they needed to access our account,” says Stuart Williams, trust manager.

“They were very clever the way they went about it. It all seemed very feasible that they called up to say a VAT payment that had been rejected by HMRC. They knew exactly what sort of security protocols to go through, and with the call constantly dropping out, it seemed reasonable to go onto a live chat, online.

“That was on the Wednesday, and then on the Thursday morning I got a very panicky call from someone at our separate entity, Rewired, which is our turbine business. The turbine manager said that a large amount of money had gone out of our account.”

Williams said the payments had come out in four separate amounts from the trust itself, and the turbine business, amounting to nearly £120,000.

Although they were unable to retrieve those amounts, they could see that there were another two payments amounting to nearly £60,000 due to go out imminently.

“So, obviously we were able to contact the bank and put a freeze on those payments, which was quite difficult to do as they needed to speak to the member of staff affected, who wasn’t due to be working that day. 

“We literally had to go and find them. And then they spent all day on the phone to the bank, which was quite traumatising for them. It’s been an absolutely devastating experience for them, actually, and at one point I thought they might resign,” said Williams, left.

He added: “It was also very complicated, stressful and time-consuming, because once you report a fraudulent payment all sorts of new measures are put into place, meaning it makes it harder for you to access your accounts, and get to speak to the right people. It wasn’t a very smooth process.”

Williams had reported the fraud to Action Fraud, but only later discovered in conversation with Jude McCorry, chief executive of Cyber & Fraud Centre Scotland, that the helpline has no jurisdiction in Scotland. 

He says: “What we thought was a good thing to do was actually no use at all in the process. So, at that point we registered it with 101 here in Scotland, with the police.”

The investigation is ongoing. But tracing the perpetrators is notoriously difficult, with many gangs operating using decentralised networks, or from overseas. Williams said the fraudsters in this instance had “southern English accents”, and had come across as “extremely friendly, very credible”.

Ultimately, the Co-op bank refunded the charity its lost monies, which Williams says he was not expecting. “It’s part of the business guarantee if you haven’t acted fraudulently or criminally, they will refund [the money]. 

“So that’s one positive outcome, and it’s been a great relief to us all. And we weren’t confident that was going to happen, so I think we were all pleasantly surprised.”

The trust is now, ironically, less trusting. Williams says the member of staff affected has become “the most sceptical person in the world” as a result of the experience. 

He credits the police with supporting the employee as a victim, however, and not just treating it as a business crime. 

He reinforces the message that people need to be aware of the level of sophistication of the fraudsters, and that where he and his staff go to work on a daily basis, there are scammers out there who treat their work like a professional job. 

As a result, the trust is now on a “high risk register” with its bank – and there are now more onerous checks in place as part of a verification process on its accounts. 

“It’s unfortunate, but you’re never going to beat these people. You just have to take these measures, and you’ve got to be aware.”

Related posts

UK banks must demonstrate plans for shutdowns and cyber attacks

Will Peakin
July 5, 2018

Scottish skills programme looks for a new generation of cyber crime fighters

Will Peakin
November 9, 2017

Businesses have their ‘heads in the sand’ as survey shows over a quarter have suffered a cyber attack in last three years

Kevin O'Sullivan
August 10, 2021
Exit mobile version