Q. In March I booked accommodation at a Greek hotel. We had an exchange of emails discussing the rooms, hotel facilities and so on. This led to me making a reservation payment of €2,500 to the bank account – details of which I was given in the emails – via an international bank transfer. In my mind, the hotel was booked and I went ahead to book flights, parking, etc. On 9 June, out of courtesy, I sent the hotel an email to tell them how excited I was and to finalise arrangements/transfers etc for the ten night holiday that I thought I’d booked with them commencing 19 June. But the hotel did not recognise me and had no booking in my name. I called the hotel and we went through the email trail and we realised that the email address changed ever-so-slightly during the exchange of emails. It turned out that three emails in, someone had hacked into the hotel’s email account and had taken over the conversation. The hotel accepts that its IT security was breached and confirmed that there were other victims of this fraud, too. The hotel had already contacted the police, Interpol and the Central Bank of Spain – the beneficiary bank was Spanish. I spoke with my bank, Halifax, which looked into this and concluded that it is technically a ‘scam’ and not a ‘fraud’, because I knowingly wired the money. On this basis, the bank says it is not liable to cover my losses. I accept that I did make the payment, but there was no reasonable way for me to know this was a hoaxer and that I was being defrauded/scammed. The Spanish bank says the money was taken out of its account immediately and it does not know who made the withdrawal. My travel insurer says its cover does not include scams. While the hotel admits to its lack of IT security, it does not accept full liability. The hotel has asked me to pay the difference between the website price of the accommodation – €3,700 – and the amount I’d paid the fraudster – €2,500. This means that the holiday that we’d saved up for over 18 months and which was already more expensive than our budget allowed, would cost me an extra €1,200, or else I would lose the cost of the flights. I don’t know where Greek law stands on this. I have contacted several online money advice sites, which effectively told me to accept this as ‘one of those things’. ND, Essex.
A. Halifax confirmed to us that it does not accept liability. It points, in particular, to the long delay between you instructing the bank to make the payment and the date on which you notified the bank of the crime. You initiated payment on 26 March, it debited your account £2,081.80 on 29 March and you notified the bank on 10 June. This, of course, was not your fault, as it was only on this date that you found out that you had been the victim of crime. However, it also meant that Halifax was unable to do anything about your loss. A spokeswoman for the bank said: “[The reader] alerted us to the scam over two months after it took place, and within 24 hours we contacted the receiving bank, to see if the funds could be returned. Unfortunately, no funds remained in the account. While we sympathise with [the reader’s] situation, the bank made the payment in accordance with his properly authorised instructions.” We repeatedly emailed the hotel, but it did not reply to any of our communications. However, we were able to discuss the situation with you while you were staying at the hotel. As a result of your conversations with the hotel and our emails, the hotel agreed to waive the additional €1,200 charge – but on condition that we do not name the hotel in this column. We have very reluctantly agreed to do this, not least as you do not give us permission to publish your experience in the column if we name the hotel. We believe that it is important that other readers are warned of this type of scam. Similar crimes have cost house purchases very large sums of money when buyers’ email accounts have been hacked into. Email exchanges are not necessarily secure and readers are advised not to rely on emails for information used for the transfer of funds.