An elaborate invoice scam has seen a woman purchasing a brand new Tesla transfer $74,000 to scammers after they intercepted the original invoice from Tesla.
The woman from West Australia, Andrea Hammond, says that after booking an online test drive and making a deposit to Tesla, she was sent an invoice from someone masquerading as Tesla.
Instead of paying through Tesla’s secure payment system, Ms Hammond opened the email – which had an invoice attached – and made her final payment of more than $74,000.
To her dismay, Ms Hammond had actually transferred her funds directly to scammers, who had managed to intercept the email, change the details to their personal bank account, and send the invoice to their victim.
“I absolutely cannot understand why Tesla don’t do the invoicing in the payment system through a secure website,” Hammond told the ABC. “Instead, I was sent an unsecured, editable invoice that anybody could get into and change the numbers, so the hackers didn’t have to create a new invoice.”
“It was just too easy,” Hammond added.
She is not the only Australian to be fooled by a payment redirection, or business email compromise, scam, in which hackers alter invoices to carry new payment details.
According to the ABC’s report, Hammond is the second Tesla customer to report the same issue, with damages totalling more than $130,000 lost to scammers.
The second victim, a Sydney businessman who remained anonymous for the ABC’s report, said Tesla emailed him one afternoon to inform him his Tesla Model 3 was ready to be picked up.
“I should have checked the bank account details on the invoice by telephoning Tesla directly, but there was no phone number readily available to ring or to contact them,” he said.
“They wanted payment quickly because the vehicle had become available, so I paid the invoice,” the victim added.
“The issue I have with Tesla, in my opinion, is that they have failed in their duty of care to their customers by using what is clearly – and certainly one can see this in hindsight – an insecure way and risky way of requesting payment for the vehicles.”
That particular victim was able to recoup $17,800 after the invoice scam, but the remaining $60,000 was lost to a hacker that the police were unable to successfully prosecute.
In that case, the judge said that “I have a very real suspicion about your involvement in this matter, but I must find you not guilty.”
The unnamed victim continued to explain that “one area that needs to be addressed is the verification of bank account numbers against the name of the account. I think that would be enormously helpful and has some technical challenges there. But I think the banks are able to solve that,” he said.
“There should be more secure, more robust processes to open a bank account. I think a bank needs to be held liable if they open bank accounts that are from stolen identities.”
“You’re paying into an Australian bank account that’s operated by a large, well-resourced Australian bank,” the victim said, adding that “I think they need to take some responsibility as to who owns those bank accounts.”
The ABC says that Tesla had still been sending customers invoices via email as late as December, according to a Tesla customer.
Also quoted in the report is Andy Whyte of the Australian Payments Network, who said that matching details isn’t necessarily the answer to solving invoice scams.
“What we know from the evidence in the UK is that it doesn’t work for the vast majority of scams, and that’s because if you think about investment scams and romance scams, the scammer is essentially relying on having tricked me into paying someone that they don’t want to, name-matching is not going to help with that.”
“Unfortunately as well, it can cause a consumer outcome that’s really detrimental in terms of delaying payments that otherwise would flow through.”
Earlier this week we reported that the ACCC’s ScamWatch had issued a warning of business payment redirection scams costing Australian businesses tens of millions each year.
The ACCC’s Deputy Chair, Delia Rickard, said that “payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment and universities.”
“Scammers tend to target new or junior employees, even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors,” she said.
“We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams,” Rickard concluded.