
Scammed by fake Tesla email

So back in early December 2019 I ordered a M3P and waited with bated breath until late March 2020 when I finally got my VIN in the source code. A few weeks later I got an email and text with collection date and was going to collect from Bristol on the 26th of March. Very exciting!

An email came through 6 days before with the VIN, registration number, bank details and the request for £9250 to pay with the rest on finance. I got a text a day later confirming the VIN and reg number and then another email requesting the same payment. Both emails were from Tesla Bristol and as the info in the text confirmed what was in the email I assumed the bank details were also genuine.

As you can probably guess, this is the point that I say that the bank details were not correct and I say that the £9250 was sent to an unknown account. The genuine payment emails from Tesla were intercepted somehow and the bank details were changed prior to it being sent on to my email account.

After I’d spoken to Tesla and realised this was the case I finally had my invoice appear on my online account with the correct bank details on the invoice. Unfortunately losing this money meant I had to cancel the order (my bank also refused to try and get my money back) the day before I was due to pick up the car. I can’t convey how gutted I was.

I’m disappointed in Tesla for sending out unsecured payment requests that can easily be intercepted and changed. Our account online is where the invoices should appear, which is at least password protected, and given Tesla is a technology company I’d expect better security from them. Funnily enough they have not even responded to my complaints which at best is rude and at worst really crappy customer service. Their defence was that they’ve done it this way for the last 6 years and not had any problems. Until now obviously.

Has anyone else had this kind of problem?
Hi, yes I was scammed of $60,000 in October 2019 in exactly the same way.
 
To the OP: Very sorry to hear, belatedly, that you were scammed.

Two anecdotes:

I once used a tour operator who told me this story: A client of theirs received an email, apparently from the tour operator, instructing them to send the payment for their tour to a different account than originally specified. It turned out that a scammer had hacked into the tour operator's email account, learned the names of people booking tours, and sent out the scam emails from the tour operator's email account, which I think was Hotmail, IIRC. After that, the tour operator started telling clients to check with them by phone before sending money based on an email. Personally, I thought that the tour operator should have reimbursed the client because the tour operator allowed their email to be hacked. But the tour operator turned out to be incompetent on so many different levels that their use of an unsecured email and probably an easily-guessed password, was no surprise. Halfway through the tour I quit using them because their service was so terrible, and booked with a local operator instead.

When I bought my house about a year and a half ago there were documents to be e-signed and money to be transferred. The escrow agency was very explicit that every time I received an email from them, I should phone them and talk to the escrow agent to confirm the email was legit. This was mostly the e-sign emails.

The lesson for all of us is that email is not secure unless you're using a special secure email service, and even then I wouldn't trust email with personal or financial information or money. It's also not a good idea to send large amounts of money via a method that cannot be reversed in the case of fraud. If Tesla is asking people to send them money by such means, shame on them.

Again, so sorry to the OP that you got robbed.
 
Daniel, yes now I know to do this and be more careful. Indeed shame on Tesla for having such an insecure payment process that exposes their customers. There are two incidents in Australia (including mine) that I know of and now this one in the UK - all exactly the same.
 
And of course it can happen at either end: If the sender's email or the receiver's email is hacked. Or (though I don't know enough about how this stuff works) maybe at the ISP level or somewhere else. The protocols for email were developed at a time when people weren't thinking of this kind of stuff.
 
VERY sorry for the OP's loss. I would be gutted had I lost my substantially higher down payment. I'm quite suspicious about these things naturally, and would never trust a link from an email from any company. I'd go to my own account and go from there. Email can be too easily spoofed and most people don't check for this. When it involves money or other losses, take the long way and go through your account.

Sorry MudHut. I hope you get some kind of relief through your bank but if not, be glad it wasn't a whole lot more.
 
... Email can be too easily spoofed and most people don't check for this.

I would not know how to check for it. So I just never trust emails. Never send money, personal information, or passwords through a link in an email. But I gather from the discussion upthread that in the UK and OZ Tesla does not provide the relevant information via the website. Here in the U.S. IIRC I did everything via the website.
 
I hope OP is made whole, and I find it offensive that his bank did not try and get his money back from the fraudulent account. I also want to thank him(her) for sharing.

Scams are getting ever more clever, but there is a basic point to all of them that we must learn: a scam is based on a lie that we accept. Our job is to recognize what information we are accepting at face value; and when it is important, to verify that information. In this case the key piece of information is the bank account #

Wire transfer scams that end up sending money to the scammer's account are nothing new; the variation here is that we are inclined to accept emails as truth. @daniel wrote that we have to now treat email as suspect. I think a better lesson and approach is to realize that ANY communication may be inaccurate, misleading or fraudulent.

Trust, but verify.
 
Scams are getting ever more clever, but there is a basic point to all of them that we must learn: a scam is based on a lie that we accept. Our job is to recognize what information we are accepting at face value; and when it is important, to verify that information.
For sure. The issue is that our human tendency is a default to truth. In fact, truth-default theory explains how scams such as this perpetuate. It’s pretty fascinating stuff, and Malcolm Gladwell has done his typical entertaining job describing it in his recent book, “Talking To Strangers.” I recommend the read to anyone interested in this topic and in how terrible we (all) are at judging the character and intent of strangers.

An important takeaway from truth-default theory is that the victims of these scams are not to be judged for being victims, because we are all almost equally susceptible to misjudging the intent of others. Even those in highly trained professions.
 
we are all almost equally susceptible to misjudging the intent of others.
That gets to my point: DO NOT judge, just verify if the matter is important or of consequence. Or perhaps better stated, the more important or consequential the matter, the more verification we should pursue. It is a matter of due diligence. The aspect of this I was trying to emphasize is learning to recognize those pieces of information that are key assumptions.

A sane approach to the question whether something is a lie or a truth is the same answer: maybe
 
This is an important point you're making here. Higher stakes require greater verification and stringent skepticism. It pays to be skeptical, even if people are annoyed by one's precautions. It rarely pays to be too trusting.
 
An important takeaway from truth-default theory is that the victims of these scams are not to be judged for being victims, because we are all almost equally susceptible to misjudging the intent of others. Even those in highly trained professions.

While I have not fallen for an email scam (yet) I have been scammed and lost considerable sums by trusting professionals. In one case someone I trusted and still think is honest accepted bad information from a higher-up professional. And on another case, I'm not sure whether the person I trusted was in on the scam or a victim himself. I'm still angry at them but there's nothing that can be done (in my case) but move on.

I hope OP is made whole, and I find it offensive that his bank did not try and get his money back from the fraudulent account.

There are methods of transferring money that are not reversible and are generally labeled by the transfer agents as being not reversible. If you send money by Western Union, for example, they tell you you cannot reverse it. Zelle is the same, and they tell you that. Scammers will always ask you to send money by one of these means. If you are not absolutely certain about the recipient and the address and the amount is more than you want to lose, you should refuse to use these means. There are safer ways to send money. They may carry a higher charge for the transaction, but it's worth it.
 
(for others reading this thread)
In Australia at least Tesla has a dedicated BSB (or routing number) with Citibank
(And you can find it by searching for Tesla Citibank BSB)
And..
The Account number used is the same digits as in the Order Number created weeks earlier.
(Seemingly a similar procedure to the UK)

Now the Order/Account number matching is mentioned in the email, but obviously if a fraudster hacks your email to alter the PDF invoice, they would also remove that wording.

Personally I think a better system would be to
1. Tell you that Order Number will be Account number at Order stage (if this is the case in all countries)
2. Require you to login to the Tesla website to access the invoice.

Now that still wouldn't stop a fraudster altering an alert sent to you by Tesla and attaching a fake invoice, but it at least provides another step.
 
Other than coming off as somebody who knows a lot of important sounding acronyms, your reply is of ZERO help.
Why do you assume I was trying to “help”? You might try re-reading the thread, as my post was explicitly to refute the assertion that email cannot be secure and that there are a number of technologies to provide secure email. You don’t need to understand them. But you can check to see if your email provider uses them.

But hey, if you don’t want to bother then that’s fine too. It’s like the story of the two guys in the tent who hear a bear outside. One guy starts putting on running shoes. The other guy points out that it’s impossible to outrun a bear. The first guy replies that he doesn’t need to outrun the bear, just the other guy.
 
Thanks Daniel. Hindsight is a wonderful thing! I was busy and careless and got stung. I'm still not sure that it wasn't an inside job from Tesla though as I have 8 computers connected to that account and not one of them picked up the original email. Someone would have had to be pretty fast on removing the original or else would have to have known it was coming!
 
Absolutely agree, logging in to the website should be the way that invoices are received, not by sending out a plain email as a payment request. The only reason I paid it was because the info about the VIN and registration number were on the email and had previously been verified by a genuine text message from Tesla. I wasn't aware that emails could be changed once they'd been sent (assuming this is what happened). I guess overall I'm still really disappointed that Tesla have never come back to me and said anything, even that there was nothing they could do. Just stony silence, which does make me wonder.
 