Bank account used in Nigerian “Invoice” fraud from hacked email accounts

The following details have been used in an e-mail scam involving hacked e-mail accounts.

Sort: 20-25-19 (Matches a branch in Romford near London)
A/C: 63298612
Richard Hall

It looks like the fraudster gains access to people’s e-mail accounts via phishing or stolen details and then looks through their mailbox for likely victims. In the case of my investigation the hacker looks like they responded to an e-mail titled “invoice” which looked like it was to one of their customers.

Subject: RE: invoice 7 <previous project invoice name REDACTED>

<Victims name REDACTED>,

Please can you do a CHAPs transfer of £8,635 to bank details below,

Sort: 20-25-19
A/C: 63298612
Richard Hall

<Hacked account owners name REDACTED>

The victim (customer) then responded “What for ???”

The scammer then takes an interesting tactic rather than just moving on..

Reference: <hacked account owners name REDACTED>-091115
I will forward you the invoice once received.

Which is clever. Depending on the accounting practices of the victim this may seem entirely reasonable.
The victim continues to question why payment is needed and what for.. once again the scammer responds.

I need you to make the payment on my behalf with this as the payment reference
<hacked account owners name REDACTED>-091115.

The victim then asks the scammer (or what he thinks is actually his supplier) to call. The scammer then responds:

<Victims name REDACTED>,

I am having issues with my internet banking and I need the funds sent in earnest.
Can you have me transfer the sum to the account details provided?

Let me know if you understand this. I will call you by shortly.

<Hacked account owners name REDACTED>

This scam is quite different to the CEO Funds Transfer email scam I investigated a few weeks ago where the scammers just spoof the from address and have the reply-to header set to an entirely off-network domain to the spoofed domain.

Sadly in this case the supplier (the person the victim thinks they are communicating with) did have their account accessed and the scammer retained access while leaving the password the same. They set any responses from the victim to go directly to a sub-folder that wasn’t obvious to the real mailbox owner to prevent the scam from being detected.

The scammer accessed the account from an IP based in Nigeria (


The scammer, once discovered, had the cheek to e-mail the supplier (the hacked account person) to thank them for access to their account. The scammer communicated from “” which, as far as I can see, is probably yet another hacked account. The scammer signed off as “Frac”.

This entry was posted in Uncategorized. Bookmark the permalink.

1 Response to Bank account used in Nigerian “Invoice” fraud from hacked email accounts

  1. Pingback: shopzoneltd, electronic good online store scams. | thecomputerperson

Comment on this topic

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s