
Kitchen retailers fall foul of phishing scam

Two independent kitchen designers have sent a strong warning to the industry about the threat from opportunistic cyber-criminals after being robbed by online fraudsters.

Hampshire-based Herbert William and Eco German Kitchens in Winchester were both recently targeted in separate cyber-attacks that resulted in customers sending thousands of pounds to fraudulent bank accounts.

While Herbert William was alerted to the scam in time and managed to retrieve its customers’ money, Eco German Kitchens was not so lucky.

The small firm was robbed of £23,500 after “keylogger” malware was used to steal usernames and passwords from director Sabine Searle’s computer, which allowed the hackers to send e-mails and invoices from Searle’s e-mail account.

“We used to file our invoices in Outlook, so once the hackers were in our system they must have been quite easy for them to find,” said Searle. “They managed to contact five customers, sending them our invoices with a new bank account and apologising for the inconvenience.

“Thankfully, the first customer to receive the fake invoice had already settled their payment with us, and of the last three customers to be contacted in the scam, one of them alerted us to the fact that the e-mail he received seemed suspicious because of the very official language and tone – not like ours at all. So we managed to alert the other two customers on the same day that they received the fake invoices.

“If the criminals had been successful and conned all five customers, we could have been defrauded out of £75,000, but it was just one customer in the end who paid the fake invoice, worth £23,500.

“The worst bit is that their bank initially blocked the transaction, but the customer pushed it through.

“It must be noted here that this particular customer is a couple in their 40s, educated and very successful – and yet they were completely taken in by fraudsters who sent e-mails in a very different tone to ours, telling them that we had changed our bank account with immediate effect. They didn’t even call us to check. Why would a small kitchen company change their bank details with immediate effect? They even asked how many fitters were coming to install and the hackers e-mailed back, while we were completely in the dark.

“This is why our industry is so vulnerable to cyber-fraud. Getting a new kitchen is so exciting. It’s like going on holiday. You wait for it for so long; you spend so much time getting the design right and then you can’t wait to see it in place.

“Being defrauded £23,500 could bankrupt a business. We have paid all the suppliers. We are the ones now bearing the brunt of this.”

Sarah McCrossan, who set up kitchen design business Herbert William in 2007, was shocked to find herself in a similar situation last year.

She said: “I know exactly the moment we were phished. We received an e-mail supposedly from a couple wanting to work with them on their dream retirement home project. They had attached a blueprint of their plans, but when we opened it, it said the house was in the Philippines. We are a very local firm and don’t work abroad, but we had a bit of a chuckle about it and it raised no alarm bells.

“In the meantime, malware was on the attachment and used to steal our senior designer’s Office 365 username and password, using it to have communications with customers, asking for deposits on the designs that Lorna was sending out.

“In this way, they actually managed to get £11,500 out of one customer. When we realised, my whole body started shaking. Thankfully, as it was only a few days later, the customer managed to stop the payment. In the end, we sorted it out, and we gave the customer a free dishwasher to make up for the upset. But it was horrible, and something no one should have to go through.”

Now, neither business will open e-mail attachments unless it is certain they come from a trustworthy source. Herbert William has also set up a two-step authentication system for payment: it first requests a £5 payment by secure transaction, and the firm then confirms by phone call before the rest of the deposit is requested.

“We tell people from the very first meeting that we will not ask for any more than £5 to get any order under way, and we put on all our paperwork that we have no intention of changing bank account details and, if we do, you will be notified by post or phone but never by e-mail,” McCrossan said.

She added: “Don’t think this will never happen to you. We are high on the radar of cyber-criminals, who target industries that use Bacs payments for large sums. So change your passwords regularly, be careful with e-mail attachments and be aware.”

  • Have you been affected by a cyber attack? If you’d like to share your story, please e-mail [email protected]
