Bamboozled October 30, 2017: Yahoo email hack and bank inaction result in $91K theft, consumer says

After a series of phony emails and one phone call, $91,500 of Ben and Joyce Fox’s hard-earned money vanished.

The Foxes were buying a townhouse in Lafayette. The couple, in their mid-60s, planned for it to be a retirement home.

The property was a foreclosure owned by JPMorgan Chase.

For the closing, the couple would need to wire the full amount for the purchase before the documents were to be signed.

Leading up to the Sept. 1 closing date, the couple received money transfer instructions in a series of emails that appeared to come from their real estate attorney’s office.

Joyce Fox called her bank and transferred $91,500 on Aug. 29.

But at the closing, they realized they had been scammed.

Here’s how it happened.

The Foxes, their attorney Stephen McNally, and a representative from ServiceLink — the company handling the closing for JPMorgan Chase — met at McNally’s office for the closing.

The ServiceLink rep asked the couple for the wire transfer receipt.

“My wife handed it to him. He looked at it and said, ‘That’s not our account name. That’s not our account number. That’s not our bank,'” Ben Fox said.

Joyce Fox told the group she followed the email instructions from McNally’s paralegal, but the attorney said no. Those were not the instructions that were emailed.

McNally went to a computer to retrieve the emailed instructions. With one look, Joyce Fox said they weren’t the instructions she received.

Next, Fox logged into her email — a Yahoo account — and she searched for the email.

It was missing. So were other email communications she said she had with McNally’s office.

To her horror, Fox realized someone had taken control of her account — her life, really — and had been sending emails in her name and deleting emails that might have alerted her she was about to be scammed.

“It was at that moment we all realized that the money had been wire-transferred into someone else’s account,” Ben Fox said. “My wife and I had been defrauded out of $91,500 by a sophisticated, yet simple scam.”

ON THE HUNT

Ben Fox hit the internet and started to gather information immediately.

Maitee Pluma Palma’s mug shot from the Miami-Dade Police Department.

He searched for the name of the company on the wire transfer receipt – Star Luxury Trades of Hialeah, Fla. He found the company was owned by someone named Maitee Pluma Palma at the same address for Star Luxury Trades.

Next, Fox Googled Palma’s name, finding an extensive criminal record.

Palma was charged with various felonies. She pleaded no contest to multiple insurance fraud and false insurance claims violations, and received five years probation. Other charges for grand theft, burglary and a probation violation were dismissed.

Bamboozled later confirmed the criminal history, but authorities haven’t commented on whether or not she may have been involved in this incident.

Because the money was sent to a Bank of America (BofA) account, the couple asked the bank to freeze the funds.

That call was placed only two hours after they realized the money was gone.

Fox told Bamboozled the BofA rep said the bank couldn’t help because Fox wasn’t a Bank of America customer. (He’s actually a BofA credit card customer, but alas.)

Fox tried different bank departments.

“Each time I was told there was nothing that they could do as they had to ‘protect the privacy of their customer,'” Fox said.

HOW IT HAPPENED

An analysis of Joyce Fox’s email account revealed a series of messages written by an unknown party.

Some impersonated Fox and were sent from her Yahoo account. Others sent to Fox from the attorney’s office were apparently intercepted and deleted. Still others were sent to her account by someone impersonating the attorney and his paralegal.

These were sent using phony email addresses.

The attorney’s real email address ends with @mcnallylawllc.com. An unknown party created emails that ended with @mcnalylawllc.com with only one “l” in McNally.

Someone also created an email address masquerading as the Fox’s real estate agent, and this, too, was off by one character.

The first email sent from the scammer using the close-but-not-quite email address of the paralegal was sent on Aug. 28. It told Joyce Fox she would soon need to wire the funds.

On the same day, the couple received an email from the real paralegal, saying they’re still waiting for more information before the next steps could be taken.

Joyce Fox didn’t respond to that email, but the scammer, impersonating Fox, did.

Throughout the day, the scammer intercepted real emails and sent others from the phony address. The scammer was so attentive, sending emails to all the parties and deleting those the scammer didn’t want the parties to see, that no one caught on.

Joyce Fox finally received wire instructions from the scammer, still impersonating the paralegal, and Fox replied that she’d send the money the next day.

When the transfer was completed, Fox emailed the confirmation number to the fake paralegal.

A few hours later, the real paralegal sent several emails to Fox with the authentic wire transfer information.

That would have given it all away, but Fox never saw those emails. The scammer deleted them and responded, still impersonating Fox, all while sending other messages from the fake paralegal account.

This went on through the date of the closing.

By the time the couple was in their attorney’s office to sign the papers, the money they wired to the Bank of America account was gone.

Bank of America told Bamboozled it simply followed the wire instructions.

“The bank wasn’t informed of the fraudulent activity in time to take action,” spokeswoman Tara Burke said. “Once the funds are credited to the account, we would need express permission from our customer to send the funds back.”

The bank is investigating the case, she said. So is JPMorgan Chase, the FBI and Florida’s Attorney General’s office.

HOW COULD THIS HAPPEN?

Many questions remain.

How exactly did the scammer gain access to Joyce Fox’s Yahoo account?

It’s widely known that Yahoo said its August 2013 data breach affected virtually all of its customers — some 3 billion accounts, the company said.

“We have definitive proof that her account was hacked, emails intercepted and replaced and deleted,” Ben Fox said. “There was a ‘rule’ in the settings filter directing any emails from our attorney, his paralegal and our realtor to go directly to trash and then be deleted.”

Yahoo, now owned by Verizon and part of its digital media company called Oath, didn’t respond to our requests for comment.

We pondered further.

Let’s say someone got a hold of Joyce Fox’s account. How long would that scammer need to wait before Fox had a wire transfer transaction? It could be forever.

Ben Fox believes this could have been an inside job by someone with intimate knowledge of the deal.

Who knew? Employees at JPMorgan Chase, its closing agent ServiceLink, the couple’s real estate attorney and his employees, and the real estate agents.

How else would someone know Joyce Fox specifically was preparing to wire a large sum of money?

Perhaps one of those entities’ email servers was hacked, Ben Fox said.

“Common sense dictates that these people are trolling and monitoring the servers and emails, etc. of those large companies and corporations like JPMorgan Chase, ServiceLink, real estate attorneys, closing agents and title companies that deal with thousands and thousands of wire transfer transactions every day,” Ben Fox said. “These people are sitting in a room with a hundred computers watching and waiting for just the right opportunity to monitor a particular transaction that is ripe for the picking and then choose their exact minute to intercede and play their games with the principals in the transaction.”

Cybersecurity experts say Fox’s hypothesis isn’t far-fetched.

How easy is it to create imposter email addresses?

“Ridiculously easy and cheap,” said cybersecurity expert Mitch Feather of Creative Associates in Madison.

All it takes, he said, is to register a domain name, in this case, “mcnalylawllc.”

That costs less than $10, Feather said.

Next, you’d need to set up the email addresses. Some domain providers give them free with a domain name, or at most they would cost a few dollars each, Feather said.

We checked WHOIS, the site that details who has registered a web site. It said the domain name was registered to Contact Privacy, Inc., a privacy service used to hide the real owner of a domain name from the public.

Feather also noted more sophisticated operations use hacked computers in different locations to make it harder to track the source of the messages. Then when wire transfers happen, they’re transferred again and again until the final deposit, which is often to an overseas account.

One of the letters received by Ben Fox from Bank of America.

That means it’s possible that Maitee Pluma Palma, the owner of the bank account, was a pawn in the game of a larger operation. Efforts to reach her were unsuccessful.

Then there’s Bank of America, who Ben Fox says he holds “most responsible.”

He said he kept telling BofA about the account owner’s criminal history, saying the bank is “aiding and abetting criminal activities, even possibly terrorism — I am not being dramatic — who the heck knows what the money is being used for.”

Fox even offered to make a $10,000 donation to a charity working to help victims of Las Vegas or the recent hurricanes if BofA would return his money.

So far, Bank of America hasn’t responded.

ServiceLink, the closing agent, said it had no comment.

The Fox’s attorney said this has never happened to one of his closings before, but it highlights an important lesson.

“Never trust email as a primary source of information for important stuff like where to wire money without independent confirmation,” McNally said. “You just don’t know in the age of anonymous emails where something is really generated from.”

The Foxes aren’t done yet, and they’re interviewing attorneys to take on their case.

We’ll let you know what happens.

Advertisements