Tricia Harding was tricked by an online fraudster in a cunning email phishing scheme and is now urging banks to do better to prevent more people from being swindled.

“It was devastating, horrifying, I was just distraught,” Mrs Harding said.

The Sunshine Coast woman said the ordeal began when she sent an email to her three children indicating that she wanted to gift them some money after she and her husband Peter sold their home.

She sent off the emails asking for their bank details in April last year, but the person who emailed back was not her children.

A scammer had impersonated her son Simon and one of her daughters, Amy, and replied to Mrs Harding’s email on an address almost identical to that of her children.

The difference was subtle and cunning – an extra letter added to each of the email addresses.

The scammer sent through two sets of bank details and Mrs Harding, thinking it was her children, transferred a total of $154,000 to the criminal.

It wasn’t until her children alerted her that the money had not come through that they realised something was wrong.

“(Amy) looked at me and said ‘I don’t have a Commonwealth account’,” Mrs Harding said.

“Your heart sinks … I clicked on the email address and showed her and she said, I didn’t send that.

“It took us five minutes to realise … it was like ‘oh my’.

“I thought, what happens now, where’s my money?”

It came to light that Simon had replied to her email, but it had somehow been intercepted, deleted and reproduced with the fake details.

Amy had also replied to her mother’s email, but a scammer sent another just minutes later with new bank details.

IDCare managing director David Lacey said the scammer had most likely hacked into Mrs Harding’s email account in a data breach and created forwarding rules.

“These are rules that deliberately share to external email accounts, such as the criminal’s account, emails Ms Harding receives that may contain specific words or characters – such as BSB or $ signs,” Dr Lacey said.

“The reason criminals do that is to reduce the burden of having to read every email a person receives and be alerted in real time to the emails that contain information that they can exploit.”

Dr Lacey said sadly this was a very common scam, but it had detrimental impacts.

“Email phishing, and in particular spear phishing, accounts for almost one in ten community members who engage our national support service.

“(It’s) very concerning for Ms Harding, her mental health and well being, confidence in engaging online, and privacy.

“She faces a real risk of other identity misuse. So do other people that may have information contained within her emails.”

Mrs Harding contacted the recipient banks, as well as her own, and eventually all the money was returned to her within five months.

“It was a long process of waiting and just hoping,” she said.

Mrs Harding said banks should be more aware of mismatched account names.

“I also strongly believe that banks have a responsibility to match names to account details, which happens overseas and I can’t see why it doesn’t happen here,” she said.

“I really feel people need to be aware.”

Dr Lacey said there were some simple things which could be done to protect yourself online, like using multi-factor authentication, using long and strong passwords and ensuring filtered or deleted messages are checked regularly.

More Coverage

Cruel twist on ‘Hi Mum’ text scam

Adelaide Lang

Text that could cost you $2 million

Adelaide Lang