By Tom Cowie
When Wendy Angliss and Derrick Thompson received an invoice to pay for a brand new Mercedes-Benz SUV earlier this year, they did not suspect that the PDF document from the dealer had been doctored by hackers.
The couple, from Point Lonsdale in Victoria, purchased a Mercedes-Benz GLE 400d in February for the sticker price of $157,000. After the deposit and trade-in, the pair owed an extra $139,000 before the car could be delivered.
But the keys for the luxury car are yet to arrive, after Angliss and Thompson were caught up in a brazen impersonation scam that involved payments to an unknown bank account not belonging to Mercedes-Benz.
They are now taking court action against the Australian arm of the German carmaker over how the money disappeared without anyone realising before it was too late to recover.
According to filings in the Victorian County Court, an employee at the Mercedes-Benz dealer in Geelong emailed Angliss with an invoice for the payment balance on February 23, one day after she signed the contract to buy the car.
Crucially, that email was not received by Angliss until several weeks later. Instead, another email landed in her inbox on February 24, “ostensibly” from the same Mercedes-Benz employee directing payment into a Westpac bank account.
Between February 28 and March 2, Angliss made three bank transfers of $40,000 and one of $19,000 to that bank account. She also emailed receipts of the transfers to Mercedes-Benz, according to court documents.
Those receipts were acknowledged, court documents state, despite Mercedes never receiving the payments. Mercedes’ real bank account was not with Westpac but another bank entirely, court documents said. On March 7, a Mercedes employee alerted the couple that the company had not received the money.
Bruce King, the lawyer representing the couple, said that the Mercedes-Benz invoice was intercepted by hackers, who altered the attachment to change the bank details and then sent it on from a disguised email address.
“The altered PDF invoice was identical with the original but the bank account details on it had been changed, presumably using some program like Adobe,” he said.
“There was no way on its face that anyone could tell it had been altered.”
King said his clients were “distressed” about the situation and had no idea where the money had gone.
“There is no way of knowing but the funds have likely gone overseas,” he said.
King said his clients had taken action against Mercedes-Benz after they didn’t have any help from the banks in retrieving the funds.
“[They] contacted the bank into which the funds were wrongfully transferred but by then the funds had been withdrawn by the hackers,” he said.
Angliss and Thompson are suing Mercedes-Benz Australia/Pacific Pty Ltd over the $139,000 that went missing, arguing that they would not have made the payments if they were given the correct bank details.
They claim the conduct was a breach of Australian consumer law.
“If the plaintiffs had been told the first transfer was to an incorrect account they would have taken steps to recover the payment from the Westpac Bank,” their writ states.
The couple also claim that Mercedes-Benz breached a duty of care by not providing the correct bank details when they signed the contract and instead sending them in an email attachment.
“The plaintiffs were dependent on the defendant providing details of the account into which payment should be made,” the court document states.
“The defendant was or should have been aware that if payment was made into the wrong account, the plaintiffs could suffer loss and damage.”
A Mercedes-Benz spokesperson said the company was aware of the incident, claiming that the customer’s email was compromised, resulting in the payments to the incorrect account.
“Following a thorough internal investigation we are satisfied that the email interception was completely independent of our invoicing and email systems, and those of our retail agent,” the company said.
“Mercedes-Benz Australia takes cyber security and data protection seriously.
“As the matter is now before the court we are unable to comment further.”
In a statement, Westpac said it was unable to comment on the case for privacy reasons.
However, the bank said fraudsters were continuing to target Australians through payment redirection scams.
The bank advised customers to always verbally confirm payment details with a business before sending any money.