This case study explores the risks of using public Wi-Fi networks to send financial information.
Case studies are based on real events. All names and identifying information have been removed.
Mrs B was in the process of purchasing a house. The day before the deposit was due, she realised she didn’t have her solicitor’s bank account details to transfer the money to. She was also at the airport waiting for a flight to the Caribbean and so had limited time.
Using the free Wi-Fi at one of the airport coffee shops, Mrs B emailed her solicitor to ask for the details she needed. She received two emails back – both appearing to be from her solicitor’s firm. The first contained the details she’d asked for, the second the details for a different account and a message explaining the firm’s primary bank account was being audited and asking her to transfer the deposit to the alternative account.
Unfortunately, the second email was sent by fraudsters. They’d set up a Wi-Fi access point with a name very similar to the coffee shop’s and were intercepting data and emails from people who thought they were using the real Wi-Fi. By reading the emails between Mrs B and her law firm, they’d learned about the deposit she was due to pay.
Unaware of this, and in a hurry to catch her flight, Mrs B followed the instructions in the second email and arranged with her bank to transfer the £60,000 deposit to the fraudulent account.
Shortly after her flight landed she received another email thanking her for the funds. Assuming everything had gone smoothly, she thought no more of it. Two days later, however, another email arrived from her solicitors – this time asking when the funds would be transferred.
By this time, the fraudster had withdrawn the money from the fraudulent account.
As Mrs B’s bank had acted on her specific instructions, they refused to offer any refund. Her solicitors, who had acted in good faith, were not liable either. This left Mrs B to bear the loss of the £60,000 herself.