Dear Katie,
Two years ago a monstrous fraud was perpetrated via me and my wife on a trust which we manage on behalf of my late brother-in-law, distributing funds to his adult son. A sum of £100,000 was spirited away, it is believed, to Nigeria, of which nothing has been recovered.
Our nephew was experiencing significant stress-related mental health problems which had impacted his finances. It seemed likely that he would need to sell his house unless he received a cash injection, so we decided to unlock some money from the trust for him.
We were corresponding with our nephew over email and unbeknown to us, cyber fraudsters had hacked into one of our computers. They were diverting all our emails to another account without our knowledge; returning the relevant ones to us (having been altered), and later even initiating emails created by them, but written in our style.
They managed to intercept all traffic between us, our nephew, and the fund management company managing the trust, JM Finn. Using an email account which was very slightly different from our nephew’s, they first managed to trick us into transferring £90,000 from the trust into a foreign exchange account which appeared to have been in our nephew’s name.
They then tricked JM Finn into transferring another £10,000 into the same account, before the alarm was raised a few days later.
We were devastated at the loss of this huge, life-changing sum of money. Since then my wife and I have pursued every avenue to obtain justice and some compensation for the trust, and for our nephew.
We brought in security experts to discover how the crime was committed, and to beef up our protection. We had endless discussions with several police forces and raised official complaints against JM Finn, its bank and currency platform Verto FX.
JM Finn admitted it was responsible for the smaller, second loss of £10,000, and it reimbursed the trust with this amount. However, it refused to refund the rest as it said it was not at fault.
We also complained to Verto FX and took our case to the Financial Ombudsman, but after nearly six months the Ombudsman said it could not help because we were not “eligible complainants”, as we had no direct relationship with Verto FX.
In February last year we asked our lawyers to review the whole case to see if there remained any route untested. We also approached our local MP, who helped us write to the Financial Conduct Authority. The FCA replied to our MP recommending that we make a complaint against JM Finn, which it regulates.
Accordingly, we wrote personally to JM Finn’s chief executive, who investigated but ultimately decided no further compensation was going to be paid as JM Finn had taken all measures correctly.
So guilty does my wife feel about this theft that she gave, some months ago, a sizeable sum to her nephew from her own funds to assist him with his troubles.
Anon
Dear reader,
You and your wife were hand-picked by your late brother to be the trustees of his estate. This was due to your absolute reliability and trustworthiness as family members, rather than any specific financial training.
You take this responsibility as trustees extremely seriously, and you were both left feeling utterly awful after this evil cyber fraud, which was silently perpetrated over the course of many weeks without either of you suspecting.
By your own admission, neither of you are particularly tech-savvy people, and it’s only because you’ve employed cyber experts to assess the situation retrospectively that you now understand that the criminals may have gained access to your computer by tricking you into downloading spyware on to your computer, possibly from an email.
Once they had access to your emails the fraudster was able to learn of the impending £90,000 transfer from the trust and intercept conversations at opportune moments, using an email address which was identical to your nephew’s other than the domain, which was virginmedia.com instead of hotmail.com.
This truly is the sort of scam that anyone could fall for, as it’s so hard to spot, particularly if you’re not looking out for it. Then, sending an email from your real email address, the fraudster struck again, tricking JM Finn into sending a further £10,000 to the fraudulent Verto FX account.
The JM Finn trust arrangement had been in place for 30 years, and it was set up in such a way that its beneficiaries could only receive funds with trustees’ authorisation. As trustees it was also down to you to provide the bank account details for your nephew’s account, which you thought you had received via email. But what you – and JM Finn – didn’t know was that these bank details were actually the fraudster’s.
I asked you what security had been in place, when you relayed these details on to JM Finn, to check the money was going to the right place.
You said JM Finn called you and simply asked “are you sure you have the right details?”, to which you responded “yes”. Then it processed the transfer. Considering you, an untrained layperson, were the gatekeeper of a £90,000 transfer, this level of security was, in my opinion, far too lax.
It is certainly well below the standard at high street banks, which have been forced to tighten up their procedures in recent years amid a tidal wave of fraud.
In my view, what JM Finn should have asked you instead were two very specific questions: “have you verbally confirmed the bank details with the beneficiary?”
You would have answered no, in which case you should have been asked to do so, but you should also have been asked: “have you checked the email address from which the bank details came is definitely correct?”
In other industries where large customer-executed bank transfers are commonplace, such as conveyancing, such specific questions are standard.
This is because email interception fraud is rife, and fraudsters perpetrating this type of fraud typically impersonate someone by changing one or two letters, or the email domain of their address, making the interception difficult for victims to spot.
Given the trust’s set-up I felt JM Finn should have been more switched on to this type of fraud, and known the right questions to ask you to preemptively weed it out.
JM Finn’s website boasts that the “security of client assets is at the top of [its] agenda”, describing the processes around fund withdrawals as “stringent”.
However, from what I’ve seen its own security call was as good as useless at stopping fraud. You have rightly pointed out that had you moved the money directly from a major bank, you would have been covered by anti-fraud measures called the “contingent reimbursement model” (CRM).
Under the code, the bank would have had to show it protected you adequately from fraud. And this absolutely would have included asking you the right questions on the security call. I’ve caught banks out before for failing to ask the right questions on security calls, after which they’ve quite rightly admitted fault and coughed up.
Therefore, I was hoping JM Finn, as a respectable FCA-regulated asset manager, might do the same, once I’d shown it how it could and should have done better.
But no such luck. As a smaller asset manager, JM Finn is not covered by the CRM code, so its fraud procedures are not under such scrutiny. So it was not prepared to accept that it had failed in any way, shape or form.
From the first conversation I had with it, it felt like it was on the defensive, repeatedly reverting back to the line “we correctly followed our procedures”. When I tried to explain that it was precisely its procedures that were the problem, it disagreed.
Getting nowhere with its journalist-facing team and, frankly, feeling appalled at its attitude and lack of interest in improving security to prevent future fraud among its customers, I demanded a meeting with its chief executive. I’m pleased to say this did materialise.
While he managed to persuade me that the company was taking your case seriously and taking steps to tighten up fraud prevention for clients, he stood firm on not compensating the trust beyond the £10,000 it had already paid out because “processes were correctly followed”.
Later, I proposed that if JM Finn was not prepared to accept my arguments then it would only be right to allow you to take your case against it to the FOS, even though you were now out of time, as it was not your fault that it was so slow to confirm you couldn’t complain against Verto FX.
Although customers usually only have six months to lodge a case with the Ombudsman, it will accept cases after this point with special permission from the company.
This, I argued, would allow JM Finn to put its arguments to the test in the fairest way possible for all parties. However, it declined to let you proceed, it said, “out of fairness to other customers”, which I felt was a load of utter codswallop. As far as I know there is no one else in the extremely unlucky predicament you have found yourselves in for it to worry about.
When I approached Verto FX, it said: “Upon being notified of suspected push payment fraud by the originating bank account, we immediately conducted our own investigation and attempted to reclaim the funds. This was unfortunately unsuccessful.
“We have cooperated fully with the Financial Ombudsman’s investigation. We have deep sympathy for the victims in this case, however, we do believe that we acted properly and fully in adherence to the required regulations and procedures.”
Your case is a terrifying lesson for other trustees who are gatekeeping large transfers from trusts run by professional fund managers, without financial or cyber security training.
Companies like JM Finn claim the security of their clients’ money is their top priority, but when push comes to shove, questions still remain as to whose financial interests come first.