VANCOUVER — After the owner of a Shaughnessy mansion e-transferred a sizable amount of money — more than a half-million dollars — to pay for extensive renovations, he prudently followed up with an email two days later to confirm receipt.
He received a return email the same day, purportedly from the email account of his Vancouver-based contractor, saying the payment had been received.
But the emails — the June 12 initial invoice directing the owner to send payment to a bank account in Ontario, the e-transfer, the followup email and the acknowledgment of receipt — were all fakes, according to a lawsuit filed by the homeowner in B.C. Supreme Court.
The four emails were the first of several emails intercepted or fraudulently sent by a hacker or hackers in June. The fraud wouldn’t be noticed for another 10 days, buying the hackers time to cover up their crime and be long gone.
The owner’s loss of $526,417.19 is a reminder of the permanence and finality of increasingly popular e-transfer payments, if sent to the wrong place.
The hackers are listed as defendants in the lawsuit as John Doe #1, #2 and #3 and the owner of the house in the lawsuit is a business entity made up of the house’s address followed by Property Inc. The contractor is GemLevy Projects, a boutique builder specializing in custom renovations.
After the first four intercepted emails, the hackers weren’t yet done.
On June 17, five days after sending out the invoice, GemLevy’s president, Grant Malinowski, emailed the homeowner “to enquire as to when the payment of the invoice could be expected,” according to the claim.
The hackers then sent a second email that appeared to be from Malinowski advising the homeowner that payment had been received and to ignore Malinowski’s earlier email. The homeowner responded to that email and that reply was intercepted, too.
Also on June 17, the hackers sent an email to Malinowski, from someone named Tony Ching and purporting to be the owner’s agent, promising payment on June 20, the lawsuit said.
On June 20, someone named William Cheng, posing as the owner’s director, advised by email the payment would be delayed to June 24.
The next day, on June 21, Malinowski discovered GemLevy’s email system had been “breached and infiltrated” and he sent an email to the owner to warn him.
But the hackers got that email, too, when it was “inadvertently” sent to the hackers’ addresses, “which had been made to appear similar to the actual email address of the owner’s officers and agents,” the lawsuit said.
The hackers then sent an email to Malinowski, assuring him the June 24 payment would be made to GemLevy’s “legitimate credit union account,” it said.
“The purpose … of the fraudulent emails sent by the defendants on June 17, 20 and 21 was to delay or prevent the discovery of the fraudulent misdirection” of the owner’s payment on June 14 into the fraudulent bank account, it said.
It wasn’t until June 24 that the fraud was discovered and the fraudulent account frozen by the bank, the claim said. How much is left in that account isn’t known.
According to Interac, “Unfortunately, once a deposit has been made (by the recipient) there is no way to reverse the transaction. You’ll have to make arrangements directly with the recipient. You should only send money transfers to parties you know and trust.”
The Royal Bank noted that people receiving a transfer have the option of accepting or refusing it. An e-transfer can be cancelled — but only if the recipient has not yet accepted the funds.
The owner wants the court to declare any funds in the account are “beneficially owned” by the homeowner and to order restitution of the more than $526,000, under B.C.s’ fraud laws, it said.
A message left with the owner’s lawyer wasn’t returned. None of the allegations in the claim have been proven in court.