
Scammed by fake Tesla email

You can set up additional accounts, but then you can't easily switch cars or you'd have to log into the other account on your phone, and have your SO around to give you the 2FA code.

But anyway, that's not the topic here.

Best way would have been that Tesla specifically and clearly state their bank account number on all documents. But even then, you risk that someone with some background knowledge can fake an email to you with a fake bank account. If you don't have the reaction to check the bank account number with their website and a pro-forma invoice in your account on the Tesla website, you can still be conned.

Compare it to all the emails with "orders" or "invoices", or even CEO fraud in the hopes someone from accounts payable is deceived and just blindly pays an invoice.
 
It isn't Tesla's fault, no, but they are not following best practices by sending an invoice with details on how to pay by email; it opens up these types of scams that could otherwise be avoided. All they needed to do was send an email saying log in to your Tesla account to view payment details,...

This is what Tesla sends here (translated to English). Their practices are fine.

Delivery Profile
Complete the following details in your Tesla account: registration, trade-in options and payment method. If you have already verified it listed, you need not take any action.
 
This is what Tesla sends here (translated to English). Their practices are fine.

Delivery Profile
Complete the following details in your Tesla account: registration, trade-in options and payment method. If you have already verified it listed, you need not take any action.
In your country they may be fine. In the UK they are not so good. Hopefully the UK will catch up before too many others lose money like this.
 
You can set up additional accounts, but then you can't easily switch cars or you'd have to log into the other account on your phone, and have your SO around to give you the 2FA code.

But anyway, that's not the topic here.

Best way would have been that Tesla specifically and clearly state their bank account number on all documents. But even then, you risk that someone with some background knowledge can fake an email to you with a fake bank account. If you don't have the reaction to check the bank account number with their website and a pro-forma invoice in your account on the Tesla website, you can still be conned.

Compare it to all the emails with "orders" or "invoices", or even CEO fraud in the hopes someone from accounts payable is deceived and just blindly pays an invoice.
They should just have it on the website; they shouldn't have it on anything that comes by email, and anything by email should just say to check our website.

This is what Tesla sends here (translated to English). Their practices are fine.

Delivery Profile
Complete the following details in your Tesla account: registration, trade-in options and payment method. If you have already verified it listed, you need not take any action.
But it isn't in the UK, as that is why this has happened. Also, it isn't good practice to link to Tesla's website either, as this could just take you to a phishing website, as already discussed.
 
Moderator note: Title amended.

@MudHut, I didn't see this asked, but can you view the headers on your email to ensure that it truly came from Tesla Bristol? Emails can appear to be from a certain sender (just by tweaking reply-to and other settings) but the routing information may tell you otherwise. I find it unlikely that it was "intercepted" and more likely that it was a spoofed address. You can compare the headers from a real Tesla Bristol email and the scamming email. Or maybe you're tired of thinking about it and reliving it, in which case I totally understand.

Really sorry to hear about your issue.
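As an added illustration of the header comparison suggested above (example code, not from this thread or from Tesla), this script pulls the sender-verification signals out of a raw message. The message and all domains are constructed; a Return-Path on a different domain is normal for bulk mailers, so these are signals to compare against a known-good email, not proof on their own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain is a documentation name.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123
Received: from [192.0.2.5] (unknown [192.0.2.5])
\tby mail-relay.example.net with ESMTPA id XYZ789
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none; dmarc=fail header.from=tesla.example
From: "Tesla Bristol" <deliveries@tesla.example>
Reply-To: accounts@tesla-payments.example
To: buyer@recipient.example
Subject: Your invoice

Please pay the attached invoice.
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw):
    msg = message_from_string(raw)
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain(parseaddr(msg.get("Reply-To", ""))[1])
    bounce_dom = domain(parseaddr(msg.get("Return-Path", ""))[1])
    # Authentication-Results is stamped by the receiving server, not the sender.
    auth_hdr = " ".join(msg.get_all("Authentication-Results", []))
    auth = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", auth_hdr)
        auth[mech] = m.group(1) if m else "missing"
    # Each hop prepends a Received header, so the last one is the origin.
    hops = []
    for rcv in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", rcv, re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    reply_mismatch = bool(reply_dom) and reply_dom != from_dom
    bounce_mismatch = bool(bounce_dom) and bounce_dom != from_dom
    suspicious = reply_mismatch or bounce_mismatch or any(
        v != "pass" for v in auth.values())
    return {"from_domain": from_dom, "reply_to_mismatch": reply_mismatch,
            "return_path_mismatch": bounce_mismatch, "auth": auth,
            "hops": hops, "suspicious": suspicious}
```

Run `analyze(SAMPLE)` on a genuine message and on the suspect one and compare the two dictionaries side by side.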
 
If Tesla is indeed sending emails with sensitive information like bank account numbers to solicit payment then they have to take some of the blame. However, the majority usually falls on the recipient. Especially in this day and age where electronic fraud is commonplace.

At the end of the day, the recipient is the weakest link in the chain. And no anti-virus application or anti-fraud technology client is going to change that.

Any email asking for payment with a target for deposit (bank account info, email address, link etc), should raise a big red flag regardless of who sent it. At that point, pick up the phone and call for verification. Without verification, do nothing until it's received.
 
  • Like
Reactions: Spacep0d and MudHut
I'm curious .. do you expect anyone outside of the cryptographic community to understand any of this? And if not, how do you expect them to know if an email follows such stringent precautions?
That's a total red herring. Individuals don't manage their own domains and email servers. I do expect the people that do maintain email servers and domains to be proficient in such topics. Tesla, though, has terribly configured mail servers. They do not have MTA-STS configured (MTA-STS validator)

I'll note that I was responding to the assertion that email cannot be secured. That's a verifiably false statement. Whether email providers do is a whole different topic.
 
  • Like
Reactions: ohmman
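To make the MTA-STS point above concrete, here is an added example (not from this thread, and not the validator linked in the post) that checks a domain's MTA-STS deployment from its DNS TXT record and policy file, in the formats RFC 8461 defines. The two records are constructed; a real check would fetch the `_mta-sts.<domain>` TXT record and `https://mta-sts.<domain>/.well-known/mta-sts.txt`.

```python
def parse_txt(record):
    # "v=STSv1; id=20240501T000000Z" -> {"v": "STSv1", "id": "2024..."}
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def parse_policy(body):
    policy = {"mx": []}
    for line in body.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    # A leading "*." matches exactly one label (RFC 8461 section 3.2).
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern

def validate(txt_record, policy_body):
    problems = []
    txt = parse_txt(txt_record)
    if txt.get("v") != "STSv1":
        problems.append("TXT record lacks v=STSv1")
    if not txt.get("id"):
        problems.append("TXT record lacks an id, so senders cannot detect updates")
    pol = parse_policy(policy_body)
    if pol.get("version") != "STSv1":
        problems.append("policy lacks version: STSv1")
    if pol.get("mode") != "enforce":
        problems.append(f"mode is {pol.get('mode', 'missing')}; only enforce blocks downgrade")
    if not pol["mx"]:
        problems.append("policy lists no mx hosts")
    if not pol.get("max_age", "").isdigit() or int(pol["max_age"]) == 0:
        problems.append("max_age missing or zero, so the policy is never cached")
    return problems

# Constructed records for a well-configured domain.
GOOD_TXT = "v=STSv1; id=20240501T000000Z"
GOOD_POLICY = "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.example.com\nmax_age: 604800\n"
```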
That's a total red herring. Individuals don't manage their own domains and email servers. I do expect the people that do maintain email servers and domains to be proficient in such topics. Tesla, though, has terribly configured mail servers. They do not have MTA-STS configured (MTA-STS validator)

I'll note that I was responding to the assertion that email cannot be secured. That's a verifiably false statement. Whether email providers do is a whole different topic.

But the fact that some do and some don't does make it a user problem. How do they know which emails they can trust? How do they know what email service they can use?
 
First of all, some of you guys need to be more sensitive to OP's situation. That's a whole lot of money to lose. Sorry for your loss OP.

Anyways, regarding the email being intercepted, modified, and then resent again... I didn't even know such a thing was possible? How do they resend the email and make it appear like it's coming from the original sender (Tesla Bristol)? I think a more likely scenario is someone accessed your email account and then used the information in the email to send a spoofed email which appears to come from Tesla Bristol? I know it's possible to spoof email addresses but I don't know how difficult it would be to execute in this scenario.
 
  • Like
Reactions: MudHut
So our emails are with Microsoft Office 365 and I have no evidence to say either way that the account was or wasn't compromised. We send out invoices from that account every day and none of those have been altered or misdirected. The account is an IMAP account too, so I don't know how someone could catch an email and remove it before it appears on our 8 computers that are attached to this account and then put it back in the inbox.
If they have hacked your email account, they may have seen Tesla's original email, made a copy, and deleted it in your mailbox in the middle of the night. You'd have no way of telling that it was ever there. Then they may have modified the email and sent it to you with a spoofed from-address.
I suspect it was intercepted before reaching us and then altered which is apparently how this sort of fraud can happen.
Intercepting emails on the network is difficult these days, since almost all SMTP traffic is TLS encrypted.

Anyway, you should really secure your email account just in case that's actually what happened (i.e. change main password, activate 2FA if you haven't yet, and generate new application passwords for the IMAP clients). Email accounts are pretty much the most important accounts these days, since so many other things depend on them ...
 
IMO, the best way to secure an email is to use end-to-end encryption. Relying on back-end security is still too risky and people can still snoop at the servers. Also, it should be assumed that at some point in transit, the SMTP traffic will be unencrypted. Of course, end-to-end encryption may not help if the email account is compromised.
 
@MudHut that’s a big chunk of change to lose, especially like this and a hard lesson in cybercrime. Terribly sorry and good of you to share the circumstances of your situation. Hopefully someone who is about ready to pay for their car shortly will keep your story in mind. You can never be too safe, just sorry. I do think calling the institution/company directly to verify payment routing is the best advice.

Someone mentioned real estate transactions being hijacked in a similar fashion. I recall reading about cases like this here in the U.S. and the buyers didn't find out until it was too late. So stuff like this does happen. I read recently that Barbara Corcoran (real estate "Shark Tank" lady) was victim to something like this but it had to do with a fake invoice and luckily it got acted on before the money got moved.

Best of luck going forward and do hope you get your Tesla.
 
  • Like
Reactions: ohmman
Tesla later sent me a copy of the original. It was exactly the same but the bank details were different.
Did you compare the e-mail 'source' (this option is available in any mail reader; it should be listed after 'reply', 'reply-all', 'forward', 'print'...)?
Looking at the source you can see the "real" e-mail address, not the one that is 'displayed'.

Also, look if there are any big blocks of binary code; those are bots that get activated as soon as you click on any web link....

Note: The coming US elections e-mail spam attacks will certainly be something to look at:
 
This is what Tesla sends here (translated to English). Their practices are fine.

Delivery Profile
Complete the following details in your Tesla account: registration, trade-in options and payment method. If you have already verified it listed, you need not take any action.

This is exactly what I had to do; everything was done on-line, I mean I had to log in to the Tesla website.

The only e-mails that I received were only dealing with driving tests or delivery appointments.... no money or credit card were involved.

Note: I never received a link like this one from Tesla?
If you right click on the link, you get the following:

Tesla account : https: // click.emails.tesla.com/?qs=e14a13feaf6aa96ef88f145df260eaa33f17876d8009e8785908375d48244d20c2ff6bb43bce068623709cda7e7162e71ee7a92c78247e039833d2cfb763217f

it should be:

Tesla account : https: // www.tesla.com/en_gb/teslaaccount
 
Last edited:
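The right-click check in the post above (displayed link text versus the real target) can be done for every link in an HTML email at once. This is an added example, not code from the thread or from Tesla; the HTML and domains are constructed, and it flags a link when its real host lies outside the expected sender domain or when the visible text is itself an address that points somewhere else.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    url = url.strip()
    if "://" not in url:          # bare "www.example.com/path" in link text
        url = "https://" + url
    return urlsplit(url).hostname or ""

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_links(html, expected_domain):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        issues = []
        if not in_domain(host, expected_domain):
            issues.append(f"target {host} is outside {expected_domain}")
        # Visible text that looks like an address must point where it says.
        if "." in text and " " not in text and host_of(text) != host:
            issues.append("displayed address differs from real target")
        findings.append({"text": text, "host": host, "issues": issues})
    return findings

# Constructed message body: one tracking link on the sender's own domain,
# one lookalike link whose visible text claims to be the real site.
SAMPLE_HTML = """
<p>Complete your <a href="https://click.emails.tesla.example/?qs=abc123">Tesla account</a>.</p>
<p>Or log in at <a href="https://tesla-account-verify.example/login">https://www.tesla.example/teslaaccount</a></p>
"""
```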
But the fact that some do and some don't does make it a user problem. How do they know which emails they can trust? How do they know what email service they can use?
Ok. If that's the standard, then a lot of people are screwed. It's like the adage of the two guys in the tent with the bear outside. One starts putting on running shoes. The other reminds the first that they cannot outrun a bear. The first says "I don't have to outrun the bear, I just need to outrun you."

Again, the bare minimum is to pick an email provider that has expertise. I'm not suggesting society has to work by everyone outrunning bears. But it's also less than "it's a user problem to solve".

But I'm open to options. Instead of arguing against my viewpoint, tell us the recommended solution.

We already know that two people don't want to own the responsibility:

Disagree x 2
M109Rider
morbidz
 
  • Funny
Reactions: Watts_Up
I just closed a real-estate transaction remotely, because, you know, the whole virus thing.

The title-company emailed me a link to Home Page - CertifID which used a secure connection, verified my identity via SMS text and by querying my credit report, and only then did it verify my wire information to be used in the transaction. This was initiated via email, but the exchange of sensitive information was done through a secure web browser. Encrypted browsing has become ubiquitous, and is far more secure than email will ever be.

Also, right in the middle of certifying my identity, I got a LifeLock alert on my phone. You should probably be using an equivalent service unless your credit is so bad that no one would want to steal it.