Welcome to Tesla Motors Club

Scammed by fake Tesla email

So back in early December 2019 I ordered a M3P and waited with bated breath until late March 2020 when I finally got my VIN in the source code. A few weeks later I got an email and text with collection date and was going to collect from Bristol on the 26th of March. Very exciting!

An email came through 6 days before with the VIN, registration number, bank details and the request for £9250 to pay with the rest on finance. I got a text a day later confirming the VIN and reg number and then another email requesting the same payment. Both emails were from Tesla Bristol and as the info in the text confirmed what was in the email I assumed the bank details were also genuine.

As you can probably guess, this is the point that I say that the bank details were not correct and I say that the £9250 was sent to an unknown account. The genuine payment emails from Tesla were intercepted somehow and the bank details were changed prior to it being sent on to my email account.

After I’d spoken to Tesla and realised this was the case I finally had my invoice appear on my online account with the correct bank details on the invoice. Unfortunately losing this money meant I had to cancel the order (my bank also refused to try and get my money back) the day before I was due to pick up the car. I can’t convey how gutted I was.

I’m disappointed in Tesla for sending out unsecured payment requests that can easily be intercepted and changed. Our account online is where the invoices should appear, which is at least password protected, and given Tesla is a technology company I’d expect better security from them. Funnily enough they have not even responded to my complaints which at best is rude and at worst really crappy customer service. Their defence was that they’ve done it this way for the last 6 years and not had any problems. Until now obviously.

Has anyone else had this kind of problem?
 
...Both emails were from Tesla Bristol and as the info in the text confirmed what was in the email I assumed the bank details were also genuine...

In the US, the bank/credit card info is not communicated by e-mails.

We have to log into our account and input our bank/credit card info.

Tesla then takes the money out from the online web Tesla account.

That means owners do not know Tesla's bank info details but Tesla does know owner's details because owners put it there on the account.

So if you got an e-mail asking you to fund your money to their specified account number, you've been deceived.

But how to get that money back is up to your bank and the government.

Tesla didn't send that e-mail so it is not their responsibility to get you that lost money.
 
Email insecure? The hell, you say?

It is unfortunate that you got scammed.

Sadly, Tesla should probably only communicate to its buyers using their web account. Send an email to tell them they have a message but force the user to go to tesla.com to get it.
 
Exactly. These were genuine emails that were intercepted and changed. Tesla confirmed it. Sounds like the US model should be replicated in the UK. They won’t change until they receive some pressure though I suspect. Very disappointed they didn’t care enough to reply to my emails though.
 
In the US, the bank/credit card info is not communicated by e-mails.

We have to log into our account and input our bank/credit card info.

Tesla then takes the money out from the online web Tesla account.

That means owners do not know Tesla's bank info details but Tesla does know owner's details because owners put it there on the account.

So if you got an e-mail asking you to fund your money to their specified account number, you've been deceived.

But how to get that money back is up to your bank and the government.

Tesla didn't send that e-mail so it is not their responsibility to get you that lost money.
Good model that should be replicated in the UK. It was a genuine email though, they confirmed it, so I do hold them responsible.
 
I cannot speak for the Tesla e-mails, but I have dealt personally with a business that sent an e-mail to a customer for an online payment.

Somehow their bank details were changed in the PDF to a totally different bank and account.

The sender's outbox had the proper Email and PDF, the receiver forwarded the message they had received and it was modified.

There was nothing we could find wrong at the sender (rootkits/viruses/malware etc).

We assumed the receiver had a compromised Email account or computer and the message was replaced, since we had no way to diagnose them. And they never made the incorrect payment, so they didn't really have much incentive to pursue it further.

The receiver was a freemail account (hotmail).

I am not saying this is the same situation, but I have seen it before.

I deal with security matters on a regular basis, if you wish you can DM me the full headers of the modified message and I can take a look, and if you can send me the full headers of the "good" one that would be great too. You can XXX out any particulars you feel are private.
 
Exactly. These were genuine emails that were intercepted and changed. Tesla confirmed it. Sounds like the US model should be replicated in the UK. They won’t change until they receive some pressure though I suspect. Very disappointed they didn’t care enough to reply to my emails though.
Sorry, but nobody intercepted and changed the emails. Email doesn't work like that. Check your Tesla account. The hackers probably guessed your Tesla password, then changed your email address to do a man-in-the-middle attack. Wouldn't be surprised if they changed the email address back on your account after they scammed you, so you may see no evidence of their malfeasance.
If you're using your Tesla password on any other websites please consider those accounts to be compromised as well.
 
The same type of problem happens in the USA. Real estate wire instructions are intercepted and the bank info changed. If you don't catch it right away your funds are gone.
 
Can you take your complaint to an ombudsman, better business bureau, local news? Something to get Tesla to get off their duff and improve their communication security, since I'm sure you aren't the only person who got scammed.
 
...This is a case of being scammed, and not by Tesla...

Good model that should be replicated in the UK. It was a genuine email though, they confirmed it, so I do hold them responsible.

Tesla later sent me a copy of the original. It was exactly the same but the bank details were different.

I originally thought UK Tesla follows the USA model by not sending an e-mail asking for money to be deposited to the specified bank account.

Now that I know it's actually UK Tesla's e-mail routine, it's only reasonable that Tesla needs to investigate how their work routine was compromised because they should know that asking for money by e-mail is not a good security practice.

The consumer did what was instructed by what was thought of as Tesla's email because that's Tesla's way of security practice so Tesla needs to be held responsible.
 
Secure email is entirely possible.

  1. all connections are encrypted
  2. Servers use SPF
  3. Servers use DKIM
  4. Servers use MTA-STS

Faked email is practically impossible under those conditions. Otherwise, don’t trust it.

I'm curious .. do you expect anyone outside of the cryptographic community to understand any of this? And if not, how do you expect them to know if an email follows such stringent precautions?
 
I’m disappointed in Tesla for sending out unsecured payment requests that can easily be intercepted and changed. Our account online is where the invoices should appear, which is at least password protected, and given Tesla is a technology company I’d expect better security from them. Funnily enough they have not even responded to my complaints which at best is rude and at worst really crappy customer service. Their defence was that they’ve done it this way for the last 6 years and not had any problems. Until now obviously.

I'm also very sorry indeed that you have been the target of fraud. I also agree that Tesla should NEVER use email as the mechanism for exchanging account information. If, as you state, they are in fact doing this, then you (and others in the community) need to raise this urgently since you will certainly not be the first or last to have your hard-earned money stolen in such a fashion.
 
Obviously sorry to hear this. I can’t remember the exact process but I’m pretty sure at the same time the invoice was emailed to me it was also in my account. Regardless I sent £10 to the account and verified in the source code of the web page that the deposit amount had increased by £10, if you're not aware of how to do that you could of course phone Tesla up and confirm they have the £10, that is the safest option when sending this sort of money. I then paid the remaining amount to the same details I had previously used which therefore leaves no room for mistakes.

I have seen this happen a number of times (not Tesla) and 99% of the time either the sender or the recipient's email account has been compromised. I would suggest change your password to your email if you haven’t already (to something you don’t use elsewhere) and enable two factor authentication. I would guess that your email account was compromised, Tesla sent the email, and someone then maliciously edited your received email. Unfortunately banks are pretty hard at getting any refund at this point, they should try but often the money has already left the other person's bank account and gone elsewhere so it can’t be recovered.

Agreed with others that Tesla should make you log in to see the invoice rather than send it to you directly.


Secure email is entirely possible.

  1. all connections are encrypted
  2. Servers use SPF
  3. Servers use DKIM
  4. Servers use MTA-STS

Faked email is practically impossible under those conditions. Otherwise, don’t trust it.
It sounds to me the recipient's email was compromised and that the email sent from Tesla was edited, in which case none of the above would have helped.
 
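Added example, not part of any post in this thread: a check a defender can run on the raw source of a received message to see whether its body still matches the `bh=` body hash in its DKIM-Signature header, which is the kind of evidence the full headers discussed above can provide. It only recomputes the body hash (it does not fetch the signing key or verify `b=`) and assumes no `l=` tag; the domain, selector and bank digits are constructed placeholders.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 section 3.4 body canonicalization ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # collapse runs of spaces/tabs and strip trailing whitespace per line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":          # ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def dkim_tags(raw: bytes) -> dict:
    """Tag=value pairs of the first DKIM-Signature header in a raw message."""
    headers = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    unfolded = re.sub(r"\r\n[ \t]+", " ", headers)   # undo header folding
    m = re.search(r"^DKIM-Signature:(.*)$", unfolded, re.I | re.M)
    tags = {}
    for part in (m.group(1).split(";") if m else []):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_matches_signature(raw: bytes) -> bool:
    """True only if the body as received hashes to the signed bh= value."""
    tags = dkim_tags(raw)
    if "bh" not in tags or not tags.get("a", "").endswith("-sha256"):
        return False
    # c= is "header/body"; the body algorithm defaults to simple when omitted
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    return body_hash(body, mode) == tags["bh"]

# Constructed sample (not a real message): placeholder sender and bank details.
BODY = b"Please pay the deposit to:\r\nSort code: 00-00-00\r\nAccount: 00000000\r\n"
HEAD = (b"From: billing@example.com\r\nSubject: Invoice\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        b" s=sel1; h=from:subject; bh=" + body_hash(BODY).encode() + b"; b=PLACEHOLDER\r\n")
ORIGINAL = HEAD + b"\r\n" + BODY
EDITED = HEAD + b"\r\n" + BODY.replace(b"00000000", b"11111111")       # changed account
RESPACED = HEAD + b"\r\n" + BODY.replace(b"Account: ", b"Account:   ")  # whitespace only
```

A copy whose body was edited after delivery fails this check even when the Authentication-Results header stamped at receipt still says `dkim=pass`, so comparing the two is a quick way to tell a mailbox-side edit from a message that arrived already altered.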