A WA man’s plan to buy his dream car turned into a nightmare after a single email ended up costing him a staggering pile of cash.
Anthony Palmer’s plan to buy his dream car turned into a nightmare within mere seconds after a single email ended up costing him a “distressing” $20,000.
The FIFO worker’s troubles began late last year after he ordered a Land Rover Defender from Barbagallo Motors in Osborne Park in Perth, after previously purchasing several vehicles from the same dealership without incident.
But in October 2021, with just $20,000 left to pay on his car – which Mr Palmer had previously been told would be best sent via a bank transfer instead of a physical cheque – he received an email that would cause months of anguish.
The email, purportedly from Barbagallo’s business manager, included banking details for the final transfer, and seemed “100 per cent legitimate”, according to Mr Palmer.
Within seconds, the cash had been sent and all seemed well – until two weeks later, when he received a voicemail from the same manager urging Mr Palmer to call “ASAP” and to “not transfer money to us”.
The WA man panicked and immediately contacted the dealership, and was told Barbagallo Motors would contact its bank, while Mr Palmer was also urged to contact his own bank, Westpac, to try to recover the funds.
However, Barbagallo then told Mr Palmer they would not release his car unless they received the $20,000 which had been sent to the scammers.
“Their email had been compromised,” Mr Palmer told news.com.au.
“They said they had been hacked and it was not their fault.
“You can imagine how stressful it is, especially when you can’t do anything about it.”
After already forking out a significant amount of cash for the car, Mr Palmer was anxious to take it home, and he said he and the dealership reached a compromise – that he would pay an extra $10,000, with the understanding it would be returned to him once the situation was investigated and resolved.
However, more than a year later – and after lodging formal complaints with the police, Westpac and several institutions such as WA’s Consumer Affairs – Mr Palmer is still out of pocket, and furious at the lack of protection for consumers in Australia today.
“It doesn’t feel like (Barbagallo’s) has done any investigating – they were the ones who were hacked, but I’ve got no apology … and we haven’t found out where the money has gone – it feels like they washed their hands of it,” he said, describing the ongoing ordeal as “distressing”.
“Westpac has also taken no accountability,” he continued.
“I received an email (purportedly) from a respected garage and transferred money through the same banking institution I belong to, which gave the whole thing credibility – the last thing I would think would be that it was a scam.
“Australia is probably one of the easiest places for cybercrime because our institutions just don’t take any accountability.
“It’s just hard … all that time and cost has ended up being a long road. I don’t know if I’ll get anything back … but the email was 100 per cent legitimate, and cybercrime is happening everywhere now. The responsibility (to protect customers) should lie with the banks.”
In a statement, Barbagallo Motor Group denied its email system had been hacked, instead insisting it had been caught in a so-called “man-in-the-middle” attack.
“A thorough and external investigation at the time showed that there was no breach of our servers. What occurred was a ‘man-in-the-middle’ attack where email interactions with this customer were intercepted. This was explained to the customer at the time, a fact which he accepted in deciding to proceed with the purchase of his car,” the spokesperson said.
“Furthermore, at the time the customer happily accepted our offer to absorb 50 per cent of the financial impact ($10,000 of the $20,000 deposit) which we made in good faith.
“Although our servers were not compromised, as a prudent business measure we responsibly and pre-emptively took steps to ensure we strengthened our systems for requesting and receiving client deposits to ensure customers would not have similar issues in the future, and worked with relevant authorities in connection with this customer’s issue.
“This incident serves as an important reminder that scammers and hackers are an ever present threat and unfortunate reality of doing business.
“Barbagallo’s servers have never been hacked. No customer information has ever been compromised. We are renowned for how we do business, the focus of which is our relationship with our customers. This matter was amicably settled 10 months ago with the client’s close involvement, and we see no reason why this matter is being raised now.”
But Des O’Driscoll, a counsellor who provided Mr Palmer with support through the ordeal, said more needed to be done to protect Australians.
“If Anthony were a vulnerable single parent on a tight budget, who was heavily reliant on a car for work, kids’ doctors appointments and visits to the hospital, what would have happened if he were scammed and didn’t have the extra money for the dealer to secure the release of his car?” he asked.
Without commenting on Mr Palmer’s case, Mr O’Driscoll said Australian businesses generally needed to do more to protect consumers.
“Too often these days, and I’m speaking broadly, we see businesses whose systems are compromised go on the offensive to assure the public it was not their fault and it won’t happen again. Rarely do we see a business who has been compromised acknowledge the issue, and then commit to ensuring their affected customers are their priority until the matter is resolved.
“There is no support for people like Anthony who have lost money through no fault of their own; in many cases they do not have the knowledge, resources or support to increase their chances of having the funds returned.
“What we would like to see is businesses whose customers have been impacted to commit to providing support for people like Anthony, rather than, and again, speaking broadly, tick the boxes and say they have done everything within their control.”
He said the best way to reassure the public that systems were not hacked was to be open and completely transparent.
“Show customers the ‘Big Green Tick’ you got when you had an independent audit conducted on your systems. And if you’re not prepared to provide this to the customer, why should the customer believe that you did not indirectly allow this to happen?” he said.
“We see this as one way to make businesses more accountable rather than see blame and responsibility shifted to the victims of fraud. The victims aren’t responsible for the security of your servers, but they are almost always the ones who foot the bill.
“Be honest with your customers; where a business says their systems were not hacked and they didn’t drop the ball, prove it. If a business did not contribute to a loss and their systems were not ‘hacked’, I can’t see why the business would not provide the big green tick they got from conducting an independent internal and external review.”
A Westpac spokesperson also said while they were unable to comment on this particular case due to “confidentiality obligations”, the bank “invests heavily in scam prevention and has robust processes in place to alert and protect customers”.
“We work hard to recover money for customers where possible. When funds are unable to be retrieved, reimbursement is considered on a case-by-case basis with a range of factors taken into account,” the spokesperson said.
“Business email scams are among the most common scams targeting Australians at the moment. This is where scammers trick unsuspecting victims by impersonating a known business, employee or supplier – for example, by intercepting emails and sending false invoices. Customers should be wary of any emails suggesting payment details for a business have been changed, and if ever in doubt, call the business to confirm payment details before sending any money.
“We urge customers, particularly business customers, to use PayID. This allows you to link your payee details to a registered ABN or mobile number, providing peace of mind that funds are being sent to a legitimate account.”
Consumer Protection WA, a government body which provides advice and information for Western Australian consumers, businesses, landlords and tenants, said that in payment redirection scams such as the one experienced by Mr Palmer it regards “both the business and consumer as victims of fraud, because the consumer has lost money after making a payment to scammers and the business has lost the proceeds of the sale”.
“Often it is difficult to prove which party’s email account was hacked,” Consumer Protection said in a statement.
“Consumer Protection recommends to businesses to ensure their cyber security protection is up to date and to train staff not to click on links or download files from suspicious emails which is the most common way for scammers to gain access to an email account or computer system.
“Consumers are advised to double check any email request for a money transfer by calling the business to verify that the request is genuine and the bank account details are correct before sending any money.
“We encourage an amicable settlement of the issue as has happened in this case, or the two parties can come to Consumer Protection to assist them to reach an amicable solution through our conciliation process. The question of liability is a matter that would need to be resolved by private court action.”
However, Australian cybersecurity expert Ajay Unni, the CEO of cyber security services company StickmanCyber, told news.com.au that when it came to these types of scams – also known as Business Email Compromise (BEC) scams, or “man-in-the-email” scams – more needed to be done to protect consumers.
“Companies can’t just take (consumer) data without providing any kind of assurance,” he said.
“These scams have been around for a number of years, and it’s when hackers access usernames and passwords and then get copies of every incoming and outgoing message. They can then go in and start sending emails to (a business’) contact list.
“We’ve seen this across many businesses, including a CEO’s email sent to the CFO.”
While not commenting directly on Mr Palmer’s case, Mr Unni said that, while both businesses and consumers had a responsibility to reduce risks, he believed companies should “refund (lost) money that occurred from a compromised (but otherwise legitimate) email system”.
“Leaving systems vulnerable is like leaving your doors and windows open in your house – there’s going to be a high risk,” he said.
“Both sides have to be educated, but on the business side, you have to make investments in cyber security.”
He urged consumers to never trust an email requesting payment, and to always call companies to confirm or wait for a physical invoice before transferring large amounts of cash.
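Westpac’s description of payment-redirection scams and Mr Unni’s account of how a compromised mailbox is used both come down to one practical check: do the bank details in a payment request match what the payer already verified? As an added example (not code from the article or from any business, bank or agency quoted in it), the script below runs that check, plus two header checks, over three constructed e-mails. The supplier domain example-dealer.test, its on-file BSB and account number, the sample messages and the phrase list are all assumptions made up for the illustration.

```python
"""Flag payment-redirection (BEC) indicators in an inbound e-mail.

Added example, not code from the article or from anyone quoted in it.
The supplier record, sample messages and rules are constructed.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed on-file payee record: bank details the buyer already confirmed
# with the supplier by phone, keyed by the supplier's e-mail domain.
KNOWN_PAYEES = {
    "example-dealer.test": {"bsb": "000-000", "account": "12345678"},
}

# Australian BSB (six digits, usually written 123-456) and account numbers.
BSB_RE = re.compile(r"\bBSB[:\s]*(\d{3}-?\d{3})\b", re.I)
ACCOUNT_RE = re.compile(r"\baccount(?:\s*(?:no|number))?[:\s#]*(\d{6,10})\b", re.I)
CHANGE_PHRASES = ("new bank", "updated bank", "changed our bank",
                  "new account", "updated account")


def _domain(header_value: str) -> str:
    """Lower-case domain of the address in a From/Reply-To header."""
    address = parseaddr(header_value)[1]
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: dict, max_distance: int = 2):
    """Return the known supplier domain that `domain` imitates, if any."""
    for candidate in known:
        if domain != candidate and _levenshtein(domain, candidate) <= max_distance:
            return candidate
    return None


def analyse(raw: bytes) -> list:
    """Return human-readable findings for one raw message; empty means nothing odd."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    lookalike = lookalike_of(from_domain, KNOWN_PAYEES)
    if lookalike:
        findings.append(f"sender domain {from_domain} resembles known supplier {lookalike}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if any(p in (msg.get("Subject", "") + "\n" + text).lower() for p in CHANGE_PHRASES):
        findings.append("message announces changed payment details")

    # The check that still works when the genuine mailbox is used: compare the
    # bank details in the message with what is already on file for the supplier.
    supplier = KNOWN_PAYEES.get(from_domain) or KNOWN_PAYEES.get(lookalike or "")
    bsb, account = BSB_RE.search(text), ACCOUNT_RE.search(text)
    if supplier:
        if bsb and bsb.group(1).replace("-", "") != supplier["bsb"].replace("-", ""):
            findings.append(f"BSB {bsb.group(1)} does not match on-file BSB {supplier['bsb']}")
        if account and account.group(1) != supplier["account"]:
            findings.append(f"account {account.group(1)} does not match on-file {supplier['account']}")
    return findings


# Constructed samples: LEGITIMATE matches the on-file record; REDIRECTED comes
# from the genuine (compromised) mailbox with new details; LOOKALIKE comes from
# an imitation domain with a Reply-To pointing elsewhere.
LEGITIMATE = b"""\
From: Business Manager <manager@example-dealer.test>
Subject: Final payment for your vehicle

Hi, as discussed the balance can be paid by bank transfer.
BSB: 000-000
Account number: 12345678
"""
REDIRECTED = b"""\
From: Business Manager <manager@example-dealer.test>
Subject: Final payment - updated bank details

Please note our updated bank details for the final transfer.
BSB: 111-222
Account number: 98765432
"""
LOOKALIKE = b"""\
From: Business Manager <manager@examp1e-dealer.test>
Reply-To: manager@mail-examp1e.test
Subject: Final payment for your vehicle

Please use our new bank details below and transfer today.
BSB: 111-222
Account number: 98765432
"""

if __name__ == "__main__":
    for name, sample in (("legitimate", LEGITIMATE), ("redirected", REDIRECTED), ("lookalike", LOOKALIKE)):
        print(name, analyse(sample) or ["no findings"])
```

The second sample is the situation Mr Unni describes: the message really does come from the supplier’s mailbox, so the sender and Reply-To checks are silent and only the comparison against the on-file BSB and account number fires. That is why both Westpac and Consumer Protection WA advise confirming any changed payment details by phone before sending money; a header check alone cannot tell a compromised mailbox from a genuine one.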
Mr Palmer’s devastating experience comes amid heightened concerns surrounding cybercrime, after the recent Optus and Medibank hacks left millions of Aussie customers exposed, and after Savvy’s Cybercrime in Australia, 2022 Report: How to Protect You and Your Family revealed cybercrime and scams cost Australians a whopping $56 million in 2021.