EXCLUSIVE: Businessman who lost £90,000 in brazen email hack says police contacted him just ONCE in five months… to offer him therapy to cope
- Roger Walker lost £90,000 in November 2018 when hackers used his email address to authorise large payments into their account
- He reported it immediately to the police but heard nothing for five months
- Police offered him support to cope with the impact of the crime but this left him fuming as he had not been contacted by officers investigating the incident
- He also slammed HSBC and Barclays for not doing enough to protect him
A businessman who lost £90,000 in a brazen email hack said that police contacted him just once in five months – to offer him therapy to cope.
Roger Walker, 55, who runs a snowsports holiday agency in Twyford, Hampshire, alerted the police when his computer was hacked in November last year.
Criminals infiltrated his Outlook email system, using his address to authorise three large payments to their accounts.
Although he reported it immediately, officers did not interview him, visit his office or ask for copies of the emails or hard drives.
The only communication he received was a letter in December 2018 offering to help him ‘cope and recover from the impact of crime’.
Mr Walker told MailOnline: ‘It seems like they have money for therapists but not for proper police. I don’t need therapy. I just want my money back.’
Roger Walker, 55, pictured, at the offices of Ski 2, the company he runs in Twyford, Hampshire
Mr Walker, second-from-left, with his family on a skiing holiday
The Italian offices of Ski 2 which are run by Mr Walker’s business partner, Simon Brown, centre
A fleet of Ski 2 vehicles in Italy. One scam payment was purportedly to the company insurers
The email sent by hackers from Mr Walker’s account using the same tone and language as him
The fake invoice created by the hackers which was modelled on an invoice from the same firm
After being contacted by MailOnline, the police apologised. Hertsmere Chief Inspector Clare Smith said:
‘We completely understand why the victim is frustrated at the timeframe of the investigation and apologise for not contacting him sooner.’
Mr Walker, a father-of-two, responded: ‘It’s all very well to apologise, but the trail has gone cold now and there’s no chance of finding the criminals.
‘I still haven’t met a policeman face-to-face. There has been no visit from IT forensic experts. The money’s gone.’
His bank, Barclays, and the fraudsters’ bank, HSBC, have been ‘no help at all’, Mr Walker said.
Barclays did not alert him that huge payments were going out to strange accounts, even though the account name did not match the one used by his book-keeper.
HSBC, he added, has refused to release details of the fraudsters, citing ‘data protection concerns’.
‘The fraudsters’ accounts must have been opened in person, yet HSBC refused to release CCTV of the criminals,’ Mr Walker said.
‘They even told me that they couldn’t give me the names of the hackers because of data protection concerns.
‘I feel completely helpless and abandoned. If someone broke into my office and stole £90,000 of equipment, action would be taken. But when it’s computer hacking, nobody wants to know.’
Barclays pointed out that it did block £16,000 of the money from leaving Mr Walker’s account – the original sum stolen was about £106,000 – and provided his company with security advice and workshops both before and after the incident.
HSBC, meanwhile, insisted that the bank ‘could not reasonably have acted sooner’.
Mr Walker’s business, Ski 2, which sells all-inclusive skiing holidays at the Italian resort of Champoluc, has a turnover of £2.5 million and employs up to 70 staff.
At the end of every year, the company makes regular large payments, including to an insurance firm to insure its fleet of vehicles in Italy.
The company has always used an external IT contractor to keep its systems secure. ‘In terms of cyber security, we’re quite diligent,’ Mr Walker said. ‘Our tech experts are very astute. We were just very unlucky.’
In November, hackers infiltrated his Outlook system. After learning that several large payments were due, they enacted a sophisticated fraud.
Simon Brown, left, and Roger Walker, right, run the Italian and British offices respectively
Mr Walker at his office computer in Twyford, Hampshire, where he was scammed out of £90k
The Ski 2 staff in the Italian Alps pose beside their vehicles for a ‘team picture’
The only letter Mr Walker received from the police in five months, offering him ‘support’
The hackers sent an email from Mr Walker’s account to inform his book-keeper that his insurers had changed their bank details. The text of the email was modelled closely on the informal style of past messages.
The previous year’s invoice was attached, but with the figures and details updated. The criminals even copied in fake email addresses for the insurance provider.
After the book-keeper made the payment, the hackers deleted the emails to cover their tracks. A few days later, they tried the ruse again with another provider.
‘It was our busy season and it’s impossible to check every email with a fine tooth comb,’ Mr Walker said. ‘If you receive emails from your boss’ address, with the language exactly right, you don’t question it.’
MICROSOFT: HOW TO AVOID EMAIL FRAUD
A Microsoft spokesman said:
‘Realising that you’ve fallen victim to fraud of any kind is a horrible experience for anyone or any business.
‘Not just the loss of money, but also the feeling that you’ve been tricked and that your personal information has been stolen.
‘There is unfortunately no one-size fits all approach to preventing fraud, but there are ways that you can help protect yourself and your business.
‘Using tools like two factor authentication will provide an extra layer of security for your online accounts in the form of a pin or code, in addition to a password, that must be put into a device in order to access the account.
‘Additionally, The Fraud Advisory Panel has published a helpful fact sheet on how businesses can spot the potential risks and what you can do about them.’
The father-of-two realised that he had been scammed when the insurance firm contacted him for the money that had already been paid. ‘It was one of those blood draining from your face moments,’ he recalled.
‘It was just horrendous. It happened on a Friday evening and I can’t even describe that weekend. I just felt violated, as if I’d been burgled.
‘I felt stupid, cross and upset. I built my business up over 20 years and this was money I had worked so hard for.
‘But then it all turned into frustration when I realised that neither the police nor the banks would do anything to help.’
Mr Walker avoided bankruptcy by using his savings and cash reserves to pay for the losses, and will be forced to borrow money when more expenses come in later this year.
‘If I hadn’t been running the business with a rainy day fund, we may have gone under,’ he said. ‘I dread to think how a smaller organisation would have coped.’
His insurance policy did not cover the loss, as he did not have special cyber insurance. ‘I’ve got that now,’ he said. ‘It’s expensive but it’s worth it.
‘I’ve become an advocate against naivety. People feel that their emails are secure, but you’ve got to do so much more to protect yourself.’
Hertsmere Chief Inspector Clare Smith said: ‘We completely understand why the victim is frustrated at the timeframe of the investigation and apologise for not contacting him sooner.
‘We have since made contact with him and updated him on progress to date. A full and thorough investigation is ongoing and our enquiries continue.’
A spokesman for HSBC said: ‘We adhere to best practice standards and where a report of a potentially fraudulent payment or scam is received we take appropriate and timely action.
‘Having looked at the specific detail of this case we have determined that the payments had been withdrawn before we were notified by the originating bank and we could not reasonably have acted sooner.’
A Barclays spokesman said: ‘Barclays takes any scam issue very seriously and we have no higher priority than the safety of our customers’ funds and data.
‘Barclays advises all its customers to be alert to the possibility of fraud, especially invoice fraud and CEO fraud, and offers face-to-face cyber security training along with daily cyber webinars.’
Source: Read Full Article