LEHIGH ACRES, Fla. — A Lehigh Acres woman dodged a $3,000 bullet. Scammers posing as her plumbing company targeted her via email.
Sally Goodro received an email from Next Plumbing requesting a $3,000 payment via bitcoin or a wire transfer on Thursday. She says it didn’t come as a surprise to her.
“I didn’t suspect anything since the email came from a conversation I was already having with someone [from Next Plumbing],” she said.
She’d hired Next Plumbing to install a shower and knew she had to pay them. The email included a Wells Fargo routing and account number. As a Wells Fargo customer herself, she drove to the bank, rather than making a wire transfer. Good thing she did!
“The bank teller told me the account didn’t belong to the business I was trying to deposit to,” said Goodro. “I really felt kind of stupid, I guess, because I don’t fall for many issues like that.”
Patrick Garner, Operations Manager with Next Plumbing, says even he could’ve been fooled by the email.
“It had our name on it. It had a Wells Fargo bank account number on it. It had a routing number,” he said. “After I looked at it, I copied and pasted it into a search engine, and I found multiple, multiple, multiple instances of this happening to other people.”
He then filed a complaint with the Lee County Sheriff’s Office and the FBI. He says an agent with the FBI told him they’d seen numerous reports like this statewide.
Evan Lutz with Cigent Technology, a cybersecurity company, says Goodro did the right thing by double-checking with the actual company before handing over the cash. But the AOL email address Next Plumbing is using may not be a good idea.
“That makes them an easy target,” said Lutz.
He recommends that companies buy their own domain for email, preferably the same one as their website, so it stays consistent for customers. For Next Plumbing, that would match their asknextplumbing.com site.
“Anybody can go make an AOL email account. Not everybody can go make an ‘ask next plumbing’ email,” said Lutz.
Next Plumbing says since the scam, they’ve changed their password and added two-step verification when someone signs into their account from an unknown device.