Bank transfers and the "Man in the Middle" fraud

Over the last few weeks, the mainstream press and Which? magazine have carried articles about significant frauds against private individuals transferring large sums of money between banks, often in connection with house purchases or sales and usually over a weekend.

Typically these have followed the interception of e-mails between the client and solicitor, the solicitor and the bank, or the client and the bank, with the fraudster impersonating one or more of the parties and diverting the money to a bank account they control. Once the money is in the “wrong” account it is moved on several more times to confuse the trail.

The IT industry has been aware of this method for many years; the usual jargon is a “man in the middle” attack or exploit, because it requires a third party to intercept the correspondence and inject false e-mails purporting to come from someone else. This is not a new idea: you could do much the same with letter post, a kettle and a typewriter back in the day, but vetting of postal employees, tamper-proof envelopes and distinctive stationery have made that too “old-school” for modern fraudsters.
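As an added example (not code from the original post), the check below parses an e-mail's headers and flags the signs of the impersonation just described: a Reply-To address on a different domain from the sender, a familiar display name on an unfamiliar domain, and any mention of bank details. The address book, the look-alike domain and both sample messages are constructed for the example.

```python
"""Header checks for an e-mail that changes payment details.

Added illustration, not code from the original post. It models one
defender-side control against the impersonation described above: before
acting on a message, compare its From and Reply-To headers against the
contact record you already hold. The address book and both sample
messages are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> domain you normally hear from.
KNOWN_CONTACTS = {
    "jane smith": "solicitors-example.co.uk",
}

# Phrases that make a message high risk whatever the headers say.
BANK_DETAIL_PHRASES = ("sort code", "account number", "bank details", "iban")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_warnings(raw_message: str) -> list:
    """Return a list of warnings; an empty list means no impersonation signs."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    warnings = []

    # 1. A Reply-To on another domain sends your answer (and anything you
    #    include in it, such as your own bank details) to a third party.
    if reply_addr and domain_of(reply_addr) != from_dom:
        warnings.append(
            f"Reply-To domain {domain_of(reply_addr)!r} differs from From domain {from_dom!r}")

    # 2. The display name is a contact you know, but the address is not theirs.
    expected = KNOWN_CONTACTS.get(" ".join(from_name.lower().split()))
    if expected and from_dom != expected:
        warnings.append(
            f"display name {from_name!r} is a known contact but domain {from_dom!r} is not {expected!r}")

    # 3. Messages about bank details should be confirmed by phone or in person.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(phrase in body.lower() for phrase in BANK_DETAIL_PHRASES):
        warnings.append("message discusses bank details: confirm by telephone or visit before acting")
    return warnings


# Constructed sample: look-alike domain (examp1e), Reply-To elsewhere, new bank details.
SUSPECT_MESSAGE = """\
From: Jane Smith <jane.smith@solicitors-examp1e.co.uk>
Reply-To: jane.smith@mail-example.net
Subject: Completion funds - updated client account
Content-Type: text/plain

Our client account details have changed. New sort code 00-00-00, account 00000000.
"""

# Constructed sample: genuine contact, nothing about payments.
CLEAN_MESSAGE = """\
From: Jane Smith <jane.smith@solicitors-example.co.uk>
Subject: Exchange date confirmed
Content-Type: text/plain

Exchange is set for Friday. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, header_warnings(raw) or ["no warnings"])
```

Run against the two samples, the suspect message produces all three warnings and the clean one produces none. The point of the third check is that a warning does not decide anything by itself; it tells you to pick up the telephone before you pay.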

Who stands the loss on the fraud is always going to be a contentious issue, but Which? has put in a super-complaint to the Financial Conduct Authority to try to get some clarity. As a general expectation, liability usually falls on the party who made the mistake: a client who gives a false bank account to his solicitor will lose out; the solicitor who gives the bank a false account will lose out; and the bank that acts on a spoofed e-mail will lose out. So far, so murky.

The Which? super-complaint is about bank attitudes to fraud in general, not just “man in the middle” frauds such as the majority of house purchase frauds, but one of its suggestions would help combat such activities. Incredibly, banks do not currently cross-reference the sort code to the branch or the account number to the account name, although that data is usually requested on the transfer pro-forma; so once a fraudster has got spurious account details in front of the payer, there are no further checks if the transfer goes through first time!

Some banks are offering ‘helpful hints’ to avoid fraud (the URLs for Barclays are ), but banks are pressing for more customers to be held liable for their errors. A recent blog from Which? suggests that the Metropolitan Police also feel that customers need to be held liable for their failings (although there appears to be some back-pedalling in the updates!).

I tell my clients not to use e-mail to send third parties vital details like bank account numbers; e-mail is not even as secure as a picture postcard! We tend to use voided cheques (a cheque with “VOID” written in big letters across it), personal visits, telephone calls or faxes.
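The out-of-band habit described here can be written down as a check. The following added example (not the firm's own code) keeps a register of payees whose details were confirmed by telephone, visit, voided cheque or fax, normalises the sort code and account number formats, and refuses an e-mailed instruction whose name, sort code or account number does not match; that is also the name-to-account cross-reference that, as noted above, banks themselves do not make. The payees, account numbers and channels are constructed.

```python
"""Out-of-band verification of payee bank details before a transfer.

Added illustration, not code from the original post. It models the
control the post recommends: bank details that arrive by e-mail are only
acted on when they match a record confirmed by another channel (phone
call, personal visit, voided cheque or fax), and it cross-references the
account name to the sort code and account number. All payees here are
constructed.
"""
import re
from dataclasses import dataclass


OUT_OF_BAND_CHANNELS = {"telephone", "personal visit", "voided cheque", "fax"}


@dataclass(frozen=True)
class Payee:
    name: str
    sort_code: str        # 6 digits, no separators
    account_number: str   # 8 digits
    confirmed_via: str    # channel the details were confirmed through


def normalise_name(value: str) -> str:
    """Collapse case and spacing so 'EXAMPLE  LLP' and 'Example LLP' compare equal."""
    return " ".join(value.lower().split())


def normalise_digits(value: str, length: int, label: str) -> str:
    """Strip separators such as '-' or spaces and insist on an exact digit count."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != length:
        raise ValueError(f"{label} {value!r} does not contain exactly {length} digits")
    return digits


# Constructed register: one payee confirmed by telephone, one only ever by e-mail.
CONFIRMED_PAYEES = {
    normalise_name("Example Solicitors LLP Client Account"): Payee(
        "Example Solicitors LLP Client Account", "123456", "12345678", "telephone"),
    normalise_name("Example Builders Ltd"): Payee(
        "Example Builders Ltd", "654321", "87654321", "e-mail"),
}


def check_instruction(name: str, sort_code: str, account_number: str):
    """Return (ok, reason). ok is True only when name, sort code and account
    number all match a payee confirmed through an out-of-band channel."""
    record = CONFIRMED_PAYEES.get(normalise_name(name))
    if record is None:
        return False, "payee not on the confirmed list: confirm by telephone or visit first"
    if record.confirmed_via not in OUT_OF_BAND_CHANNELS:
        return False, f"details were confirmed via {record.confirmed_via!r}, not out of band"
    try:
        sc = normalise_digits(sort_code, 6, "sort code")
        acct = normalise_digits(account_number, 8, "account number")
    except ValueError as exc:
        return False, str(exc)
    if sc != record.sort_code:
        return False, "sort code differs from the confirmed record: possible diversion"
    if acct != record.account_number:
        return False, "account number differs from the confirmed record: possible diversion"
    return True, f"matches record confirmed via {record.confirmed_via}"


if __name__ == "__main__":
    # Same payee name as the confirmed record, but a different account number.
    print(check_instruction("Example Solicitors LLP Client Account", "12-34-56", "99999999"))
    print(check_instruction("Example Solicitors LLP Client Account", "12 34 56", "12345678"))
```

The second register entry shows the design choice: a payee whose details were only ever received by e-mail is rejected even when the numbers match, because an e-mailed confirmation of e-mailed details proves nothing if the mailbox is the thing that has been compromised.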

For anyone who uses computers and e-mail for personal affairs, or for a home business, as a bare minimum you need:-

  • Complex passwords, changed every six months (8 characters or more, with a mix of upper and lower case, symbols and numbers).

  • Different passwords for different systems (don’t use the same password for Facebook as for your on-line banking! Not all websites take the same care of your personal details, and the criminal’s approach is to hack an easy target, like an on-line hobby forum, then try that password on the juicier targets).

  • All programs updated to the most recent versions, and all security updates applied to the operating system.

  • Anti-virus and anti-malware programs up to date and scans done regularly.

If you do not do all of the above or have no idea what I am talking about, then using your computer for personal financial purposes is probably a risk you should not be taking.

Even if you have done all of the above, the IT industry would suggest that for high-risk activities like on-line banking you should go further:

  • Check site certificates (act on any SSL errors reported) and only use “https://” websites for any high-risk activities.

  • Do not use public WiFi unless you are willing to take the precautions above. Free WiFi can be exploited to capture your details, and often the only warnings will be SSL errors and websites not showing as secured (HTTPS).

  • Use the best anti-virus and anti-malware software you can find, perhaps paying for the Pro version.

  • Do not use other people’s USB drives without taking precautions: at the very least, virus-scan any you intend to plug in.

  • Make sure no USB components have been added to your computer without your knowledge. Some RAM discs or WiFi modules are very small and barely noticeable.

It can be a jungle out there!

If you would like to know more about how we can help you plan and realise your financial goals, then contact us at or call us on 01223 792 196.

The information contained is for guidance only and does not constitute financial advice. It is based on our understanding of UK legislation, whether proposed or in force, and market practice at the time of writing. Levels, bases and reliefs from taxation may be subject to change. Accordingly, no responsibility can be assumed by Martin-Redman Partners its officers or employees, for any loss in connection with the content hereof and any such action or inaction