Scammed by fake Tesla email

Sorry, but nobody intercepted and changed the emails. Email doesn't work like that. Check your Tesla account. The hackers probably guessed your Tesla password, then changed your email address to do a man-in-the-middle attack. Wouldn't be surprised if they changed the email address back on your account after they scammed you, so you may see no evidence of their malfeasance.
If you're using your Tesla password on any other websites please consider those accounts to be compromised as well.

I agree that this is the most likely scenario. Another reason why we need 2FA on our Tesla accounts. I can’t believe that it’s still not an option.
 
Has everyone agreed on the means of attack here - whether someone accessed OP's email, tesla.com account, or other?

With how much people overshare personal information on the web, it could be even simpler than that. I've seen lots of spreadsheets from excitable new owners with VIN numbers, order dates, delivery notification dates, delivery dates... trivial work to trace that info to usernames and locations and eventually some contact info.

I'm also curious what the banking interface in the UK looks like. In Scandinavia we put in the account number and the bank automatically populates the account name (obviously not at all foolproof, but it's a quick sanity check that you didn't fat-finger the numbers). The SMS we get from Tesla says "your car is scheduled for delivery for xxx, visit your tesla.com to complete payment..", so the communication itself is secure w.r.t. not overexposing information.
 
So our emails are with Microsoft Office 365 and I have no evidence to say either way that the account was or wasn't compromised. We send out invoices from that account every day and none of those have been altered or misdirected. The account is an IMAP account too so I don't know how someone could catch an email and remove it before it appears on our 8 computers that are attached to this account and then put it back in the inbox. I suspect it was intercepted before reaching us and then altered which is apparently how this sort of fraud can happen.

My Tesla.com account has never been compromised to my knowledge although again, I'm no IT guru so wouldn't really know.

The banks in the UK are lazy and always blame the customer for sending money to the wrong place. Even though the payment was clearly marked for Tesla Motors Limited I can guarantee that the account it went to did not have this name. The banks are not preventing this type of fraud because they have too many accounts to effectively police and so they just ignore complaints. I've gone to the banking ombudsman too but no idea if that will help.

Basically Tesla have piss poor security. I send out invoices from my Xero accounts program that are more secure than Tesla's and I hope they sort this out quickly so that someone else doesn't lose their car like I did.
 
I agree that this is the most likely scenario. Another reason why we need 2FA on our Tesla accounts. I can’t believe that it’s still not an option.
This was my complaint to Tesla too. They're a cutting edge technology company that runs competitions to see if their cars can be hacked. Just a shame they don't do the same with their invoice procedure.
 
I originally thought UK Tesla follows the USA model by not sending an e-mail asking for money to be deposited to the specified bank account.

Now that I know it's actually UK Tesla's e-mail routine, it's only reasonable that Tesla needs to investigate how their work routine was compromised, because they should know that asking for money by e-mail is not a good security practice.

The consumer did what was instructed by what was thought to be Tesla's email, because that's Tesla's security practice, so Tesla needs to be held responsible.

That’s not how it works at all.
If a scammer pretends to be someone they're not and scams you, that's not Tesla’s, or any other company's, fault.
That’s just ridiculous logic.
 
How much different were the bank details?
I knew Tesla had an account in Canary Wharf, London but it was with Citi and not TSB who were the account holders for the account I sent my money to. The numbers were different, completely different, I would have known this if the invoice had come through on my Tesla.com account at the same time instead of 5 days later.
 
That’s not how it works at all.
If a scammer pretends to be someone they're not and scams you, that's not Tesla’s, or any other company's, fault.
That’s just ridiculous logic.
In the UK companies have a duty of care to make sure that sensitive information is conveyed in a secure way. Email is not considered to be one of these ways, unsurprisingly. It is the same for my company and that is why we use products like Xero which send out much more secure emails than Tesla. It costs me £25 per month. Maybe I should suggest Tesla could use it?
 
So our emails are with Microsoft Office 365 and I have no evidence to say either way that the account was or wasn't compromised. We send out invoices from that account every day and none of those have been altered or misdirected. The account is an IMAP account too so I don't know how someone could catch an email and remove it before it appears on our 8 computers that are attached to this account and then put it back in the inbox. I suspect it was intercepted before reaching us and then altered which is apparently how this sort of fraud can happen.

My Tesla.com account has never been compromised to my knowledge although again, I'm no IT guru so wouldn't really know.

The banks in the UK are lazy and always blame the customer for sending money to the wrong place. Even though the payment was clearly marked for Tesla Motors Limited I can guarantee that the account it went to did not have this name. The banks are not preventing this type of fraud because they have too many accounts to effectively police and so they just ignore complaints. I've gone to the banking ombudsman too but no idea if that will help.

Basically Tesla have piss poor security. I send out invoices from my Xero accounts program that are more secure than Tesla's and I hope they sort this out quickly so that someone else doesn't lose their car like I did.

Cyber criminals hack the most secure companies all the time. Saying Tesla has piss poor security is just ignorance of reality.

There are very sophisticated processes criminals use to enable them to find out what they need from anyone, then happily hack them. That’s what they did to you, and you didn’t even know it.
It has happened to millions of people across many countries.
Blaming Tesla is just an out. They scammed you, they hacked you. It happens, unfortunately.
Consumers and companies can do things to help prevent it, but ultimately, if they want you, and you aren’t aware how they hack you, they will do it.
Not Tesla’s fault.
 
I cannot speak for the Tesla e-mails, but I have dealt personally with a business that sent an e-mail to a customer for an online payment.

Somehow their bank details were changed in the PDF to a totally different bank and account.

The sender's outbox had the proper email and PDF; the receiver forwarded the message they had received and it was modified.

There was nothing we could find wrong at the sender (rootkits/viruses/malware etc).

We assumed the receiver had a compromised Email account or computer and the message was replaced, since we had no way to diagnose them. And they never made the incorrect payment, so they didn't really have much incentive to pursue it further.

The receiver was a freemail account (hotmail).

I am not saying this is the same situation, but I have seen it before.

I deal with security matters on a regular basis, if you wish you can DM me the full headers of the modified message and I can take a look, and if you can send me the full headers of the "good" one that would be great too. You can XXX out any particulars you feel are private.
Thanks, that's really kind of you to offer help. I'm going to try and save up for a model Y next and make sure I pay on my debit card in store next time!!
 
So our emails are with Microsoft Office 365 and I have no evidence to say either way that the account was or wasn't compromised. We send out invoices from that account every day and none of those have been altered or misdirected. The account is an IMAP account too so I don't know how someone could catch an email and remove it before it appears on our 8 computers that are attached to this account and then put it back in the inbox. I suspect it was intercepted before reaching us and then altered which is apparently how this sort of fraud can happen.

My Tesla.com account has never been compromised to my knowledge although again, I'm no IT guru so wouldn't really know.

The banks in the UK are lazy and always blame the customer for sending money to the wrong place. Even though the payment was clearly marked for Tesla Motors Limited I can guarantee that the account it went to did not have this name. The banks are not preventing this type of fraud because they have too many accounts to effectively police and so they just ignore complaints. I've gone to the banking ombudsman too but no idea if that will help.

Basically Tesla have piss poor security. I send out invoices from my Xero accounts program that are more secure than Tesla's and I hope they sort this out quickly so that someone else doesn't lose their car like I did.

I doubt it is your Tesla account that was hacked; you already said the invoice wasn’t on the Tesla site, so they couldn’t have got the invoice from there. It was either their email that was compromised, or yours. Since you're the only known report I would assume it is yours (and would suggest changing your password and enabling 2FA if you haven’t already).

Cyber criminals hack the most secure companies all the time. Saying Tesla has piss poor security is just ignorance of reality.

There are very sophisticated processes criminals use to enable them to find out what they need from anyone, then happily hack them. That’s what they did to you, and you didn’t even know it.
It has happened to millions of people across many countries.
Blaming Tesla is just an out. They scammed you, they hacked you. It happens, unfortunately.
Consumers and companies can do things to help prevent it, but ultimately, if they want you, and you aren’t aware how they hack you, they will do it.
Not Tesla’s fault.
It isn’t Tesla's fault, no, but they are not following best practice by sending an invoice with details on how to pay by email; it opens up these types of scams that could otherwise be avoided. All they needed to do was send an email saying log in to your Tesla account to view payment details, make a test payment of £1 and come back here in 24 hours to check it has updated (they have the figure in the source code but don’t put it publicly on the site). Just a couple of small steps they could take to prevent these scams.
 
Cyber criminals hack the most secure companies all the time. Saying Tesla has piss poor security is just ignorance of reality.

There are very sophisticated processes criminals use to enable them to find out what they need from anyone, then happily hack them. That’s what they did to you, and you didn’t even know it.
It has happened to millions of people across many countries.
Blaming Tesla is just an out. They scammed you, they hacked you. It happens, unfortunately.
Consumers and companies can do things to help prevent it, but ultimately, if they want you, and you aren’t aware how they hack you, they will do it.
Not Tesla’s fault.
That's a fair comment, but do you really think that sending a payment request in a plain email is secure enough? Generally this is not accepted in the UK. Anyway, there seems to be nothing I can do about it now. My heart does bleed whenever I see one on the road though!
 
my bank also refused to try and get my money back
This is very unusual. We've had something similar happen with a colleague and I'm not saying he got the money back immediately, but the bank opened a fraud case and eventually he was refunded.

I’m disappointed in Tesla for sending out unsecured payment requests that can easily be intercepted and changed.
In truth, what probably happened is that your email account was compromised and someone could retrieve the email out of your account, delete the original and send you a new one with modified account numbers, impersonating Tesla in this second email. Inherently, email is mildly safer than your physical mailbox, where you have been receiving paper invoices for ages and never questioned whether they were intercepted and modified to get you to send your money to the wrong account. Most utility companies have started asking you to double-check account numbers before you pay a paper invoice.

The whole SPF/DKIM technobabble only works if not only the sender (Tesla) but also the recipient has these technologies configured. And even then you can easily modify the "from" field so as not to cause any suspicion.
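Two posts above offer to look at the full headers of the "good" and modified messages, and this one questions how much SPF/DKIM helps; as an added example (not from anyone in the thread), this Python script shows the triage a defender does with such headers: it reads the receiving server's Authentication-Results, checks that the authenticated domain aligns with the visible From, and flags a Reply-To that points elsewhere. The two messages are constructed samples on reserved .test domains.

```python
import re
from email import message_from_string, policy

# Constructed sample headers (.test domains, not real messages). GOOD is what the
# customer's own mail server stamps on mail that really came from the sender's
# domain; SPOOFED keeps the same visible From but authenticates for an unrelated
# relay domain and quietly redirects replies.
GOOD = """\
From: Example Motors Deliveries <deliveries@example-sender.test>
Reply-To: deliveries@example-sender.test
Authentication-Results: mx.example-customer.test;
 spf=pass smtp.mailfrom=example-sender.test;
 dkim=pass header.d=example-sender.test;
 dmarc=pass header.from=example-sender.test
"""
SPOOFED = """\
From: Example Motors Deliveries <deliveries@example-sender.test>
Reply-To: payments@relay-example.test
Authentication-Results: mx.example-customer.test;
 spf=pass smtp.mailfrom=bounce.relay-example.test;
 dkim=pass header.d=relay-example.test;
 dmarc=fail header.from=example-sender.test
"""

def _domain(addr):
    """Lower-cased domain of an address header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def assess(raw):
    """Triage one message from its headers: read the receiving server's
    Authentication-Results (spf/dkim/dmarc), check that the authenticated
    domain aligns with the visible From, and flag a Reply-To that points
    elsewhere. It trusts that header rather than re-verifying signatures."""
    msg = message_from_string(raw, policy=policy.default)
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    def field(pattern, default=""):
        m = re.search(pattern, auth)
        return m.group(1).lower() if m else default
    spf, dkim, dmarc = (field(rf"\b{x}=(\w+)", "none") for x in ("spf", "dkim", "dmarc"))
    spf_domain = field(r"smtp\.mailfrom=(?:[^@\s;]*@)?([A-Za-z0-9.-]+)")
    dkim_domain = field(r"header\.d=([A-Za-z0-9.-]+)")
    # Strict DMARC-style alignment: the passing mechanism's domain must equal the
    # From domain (organisational-domain matching is deliberately left out).
    aligned = (dkim == "pass" and dkim_domain == from_domain) or \
              (spf == "pass" and spf_domain == from_domain)
    flags = []
    if not aligned:
        flags.append("authenticated domain does not match visible From")
    if dmarc != "pass":
        flags.append(f"dmarc={dmarc}")
    if reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From")
    return {"from_domain": from_domain, "spf": spf, "spf_domain": spf_domain,
            "dkim": dkim, "dkim_domain": dkim_domain, "dmarc": dmarc,
            "aligned": aligned, "flags": flags,
            "verdict": "pass" if not flags else "suspicious"}
```

Run `assess()` on the two samples to see the good message come back "pass" and the spoofed one "suspicious" with three flags; on a real case, paste the full headers the recipient's mail server recorded.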
 
All they needed to do was send an email saying log in to your Tesla account to view payment details, make a test payment of £1 and come back here in 24 hours to check it has updated (they have the figure in the source code but don’t put it publicly on the site). Just a couple of small steps they could take to prevent these scams.
Ah, but would you click any link in any email that says to click here to pay?

Never click on any link in any email. The best you can do is ask a customer to "log in to our website <which we don't link to> to continue your purchase".
 
I doubt it is your Tesla account that was hacked; you already said the invoice wasn’t on the Tesla site, so they couldn’t have got the invoice from there. It was either their email that was compromised, or yours. Since you're the only known report I would assume it is yours (and would suggest changing your password and enabling 2FA if you haven’t already).


It isn’t Tesla's fault, no, but they are not following best practice by sending an invoice with details on how to pay by email; it opens up these types of scams that could otherwise be avoided. All they needed to do was send an email saying log in to your Tesla account to view payment details, make a test payment of £1 and come back here in 24 hours to check it has updated (they have the figure in the source code but don’t put it publicly on the site). Just a couple of small steps they could take to prevent these scams.
Quite. I appreciate it probably was an issue at our end, but there has been no effort from Tesla to prevent it. The guy at Tesla even said that they'd been doing it this way for the last 6 years without any problems (which I struggle to believe), but things have moved on a long way since 2014.
 
This is very unusual. We've had something similar happen with a colleague and I'm not saying he got the money back immediately, but the bank opened a fraud case and eventually he was refunded.


In truth, what probably happened is that your email account was compromised and someone could retrieve the email out of your account, delete the original and send you a new one with modified account numbers, impersonating Tesla in this second email. Inherently, email is mildly safer than your physical mailbox, where you have been receiving paper invoices for ages and never questioned whether they were intercepted and modified to get you to send your money to the wrong account. Most utility companies have started asking you to double-check account numbers before you pay a paper invoice.

The whole SPF/DKIM technobabble only works if not only the sender (Tesla) but also the recipient has these technologies configured. And even then you can easily modify the "from" field so as not to cause any suspicion.
Your colleague's bank is obviously better than mine. I bank with Revolut (online) and they're fantastically unhelpful when it comes to this kind of thing.
 
Ah, but would you click any link in any email that says to click here to pay?

Never click on any link in any email. The best you can do is ask a customer to "log in to our website <which we don't link to> to continue your purchase".
Agreed, that is why I said “asking them to log in to their website”; I didn’t say click a link in the email to log in to their website ;)
 
Your colleague's bank is obviously better than mine. I bank with Revolut (online) and they're fantastically unhelpful when it comes to this kind of thing.
Unfortunately that may be another mistake. Revolut aren’t actually a registered bank, and while I don’t know the ins and outs of the differences, it could be why they are less helpful. I bank with NatWest and whenever I create a new payment there is a warning asking you to make sure you are making the right payment. I think generally with a bank transfer they can only retrieve the money if the funds are still in the other party's account, and normally the money is moved through a number of other accounts fairly quickly to prevent that.
 
Agreed, that is why I said “asking them to log in to their website”; I didn’t say click a link in the email to log in to their website ;)
Good.

Linking to a website asking people to log in is a fine way to get people's passwords too.

There are even fake websites impersonating banks, where the layer of security provided by 2FA through a dongle or card reader is compromised because the fake website just transfers the 2FA question and response codes back and forth.

I also foresee that Tesla is having trouble implementing 2FA/MFA because their security design was never set up as having multiple users/drivers in one account. Who do you send the MFA response to if a family has 2 smartphones logged into the same account for their 2 cars?
 
You can set up additional accounts so that would be a way around that problem, and depending on how they set up 2FA it’s possible to have the code work on more than one device.