Just received this via e-Mail from Air Total:
Dear Sir, Madam,
We wish to inform you that a client of TotalEnergies — another purchaser of aviation fuel — has recently been the victim of a fraud which resulted in the client consenting, at the request of the instigators of the fraud, to process payments towards a new bank account controlled by said instigators.
The utmost vigilance is obviously called-for when presented with unusual or new terms or demands concerning banking details and information.
Note that we have not modified nor do we intend to modify our bank account where your payments are directed and if we were to do so one day formal and very precise directives with all supporting evidence would be provided to you.
Oh dear…
This possibly means that TOTAL’s customer database has been hacked (or has escaped) and the conman emailed their customers with a “change of bank details” email.
Or he might have known that he uses TOTAL, and got his email address.
Or just a bulk email to any list of aviation email addresses.
I think some aircraft registries include email addresses.
I also get spam emails to an email address that I only used with a UK aviation shop. So they were obviously hacked years ago. Sending spam to this address list could get some “lucky” hits for them.
Many, many sites have been hacked and it’s why it’s vitally important you don’t re-use passwords across different websites, especially any site that is sensitive in any way. “Credential stuffing” attacks are common place (this is where the attacker has a list, often with many millions of logins and passwords, and tries to brute-force other sites. These attacks often succeed because people use the same password on every site they registered on).
Given user ids are often your email address, it’s not a bad idea to have a secondary email address for user ids.
Putting my own into the “Have I Been Pwned” search shows it has come out in no fewer than 15 data breaches.
I wonder if that site collects the passwords which people gave it for testing 
That’s very weird, since Total (at least for me) works by Direct Debit, so I don’t ever have to enter their bank details; so I wouldn’t be able to change them at the request of anyone, fraudsters included.
That was my thinking, it’s billed by SEPA
I’m not sure where the confusion is.
The fraudsters will contact the client. They’ll tell them that they are from Total and Total have changed their bank and need to set up a new direct debit.
They’ll ask the client to complete a new direct debit mandate and sign and return it by email (or enter it on their fake website).
Once they do, the fraudsters will empty the bank account.
It won’t affect the Total direct debit, other than the fact that there will be no money left in the account once Total try to collect their payment!
dublinpilot wrote:
They’ll ask the client to complete a new direct debit mandate and sign and return it by email (or enter it on their fake website).Once they do, the fraudsters will empty the bank account.
That’s unlikely to work. The client can just claw back the money within 8 weeks.
This kind of fraud is very hard to prevent, partly because the banks will try to block any recovery. I’ve had this at work. The fraudster opened an account at Regions Bank (a bank for poor people in the US, who have no education, no fixed address, no ID, etc – every country has these communities) and then legged it after he collected our 2k and probably much more elsewhere. Started with email addresses and correspondence acquired via, prob99, an inside job.
Here in the UK the stupid arrogant banks have only just started validating account names to make this harder.
A more general fraud thread. In B2B, i.e. ethics not a prime consideration, politically it is very hard to get money back if your customer (who sent your money to a fraudster instead) is much bigger than you are. He is likely to just stick a finger up and ask you to swallow the loss. And if the inside job was in a chinese supplier, they will definitely stick a middle finger up (I had to pay 2x).
The only solution is: upon receipt of any bank details, make a phone call to the number on the company’s website. This is hard with some countries unless you speak their language.
