Sumit Kumar @TweetsOfSumit, 12 tweets, 3 min read
😱😱 WOW... get this:
A friend went to his HR department today asking why he had not received his salary for two months. HR had to check, and apparently they got hit by fraudsters in the most insane way. You should read this as a warning 👇
It all started with a friend searching for an apartment on the German website @Immobilienscout. To verify his identity and income he had to upload his ID and the last two income statements from his employer, standard practice in German apartment hunting.
That this data is only shared with serious apartment offers, or not at all, was something he (and I, until now) considered obvious. But *someone* now had his ID, bank account data, salary, employer name, employee number and signature. So...
That sneaky bastard sent a FAX(!!!) to the company's HR department asking them to send the salary to a new account from now on. Happened 3 months ago. HR did it because it had his signature, employee #, etc. A fax is a valid official document even if the sender is not identified (as opposed to email).
Neither HR nor the bank got suspicious that the new bank account had a different holder name, but that name is not binding anyway. You can write whatever you want as long as the IBAN is correct.
There was no additional notification to the employee (two-factor auth, anyone?).
Not sure why the fraudsters even tried, though. The bank will refund everything, but it's still a big blow to the privacy & data protection of the company and of course ImmoScout.
So please, black out all data that is not needed on these documents, like your employee number, bank account, etc. I blindly trusted those services and I'm definitely just lucky that it hasn't hit me yet. Uploading this data to @Immobilienscout seems like a huge mistake.
Seems to be exactly the reason why there are so many fake listings. Nice observation 👏
Small update: the bank has not refunded yet and it's still up in the air. They obviously see the fault on HR's side. So all parties are blaming each other right now.
I talked so much about this today with my colleagues, as it is such an interesting attack, exploiting different weaknesses in different established systems. From German housing, to tech, to money transfer, auth, etc... 🤓. Interesting and scary.
Let me make this perfectly clear: I wanted to share this to show the problem with German apartment hunting. I have no idea about @Immobilienscout's data handling. I never wanted to imply a leak or anything. It's normal to give salary verification and ID to landlords in Germany like this.
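The control the thread says was missing is an out-of-band confirmation to the employee before payroll details change. Below is an added example (not code from the thread, the author, or any real HR system) of a payroll change flow in which a fax, letter or email can only open a pending request; the change is applied only with a one-time code sent to the contact already on file, and it also shows that the IBAN mod-97 check says nothing about the holder name. The 6-digit code, 3-day expiry, attempt limit and in-memory "outbox" are assumptions for illustration; the first IBAN is the commonly cited example IBAN, the other two are constructed to pass the checksum and belong to nobody.

```python
"""Added example: a payroll bank-detail change that a one-way message (fax,
letter, email) can open but never complete. Constructed for illustration; not
any real HR or payroll system's code."""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass


@dataclass
class Employee:
    employee_id: str
    name: str
    iban: str
    contact: str  # channel already on file; never taken from the request itself


def valid_iban(iban: str) -> bool:
    """ISO 13616 mod-97 check. It proves the IBAN is well-formed and nothing
    about who holds the account; the holder name is not part of it."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


class PayrollChanges:
    TTL_SECONDS = 3 * 24 * 3600  # assumption: pending requests expire after 3 days
    MAX_ATTEMPTS = 3             # assumption: wrong codes allowed before discarding

    def __init__(self, employees, now=time.time):
        self._emp = {e.employee_id: e for e in employees}
        self._pending = {}
        self._now = now
        self.outbox = []  # (contact, message); stands in for SMS/email to the employee

    def request_change(self, employee_id, new_iban, claimed_holder, channel):
        """Any channel may ask. The request only creates a pending change and
        always triggers a notice to the employee's contact on file."""
        emp = self._emp.get(employee_id)
        if emp is None or not valid_iban(new_iban):
            raise ValueError("unknown employee or malformed IBAN")
        request_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[request_id] = {
            "employee_id": employee_id,
            "new_iban": new_iban,
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "created": self._now(),
            "attempts": 0,
        }
        self.outbox.append((emp.contact,
            f"Payroll account change requested via {channel} "
            f"(holder name given: {claimed_holder!r}). If this was you, "
            f"confirm with code {code}. If not, contact HR."))
        return request_id

    def confirm(self, request_id, code):
        """Applies the change only with the code that went to the employee."""
        p = self._pending.get(request_id)
        if p is None:
            return False
        if self._now() - p["created"] > self.TTL_SECONDS or p["attempts"] >= self.MAX_ATTEMPTS:
            del self._pending[request_id]
            return False
        p["attempts"] += 1
        if not hmac.compare_digest(p["code_hash"], hashlib.sha256(code.encode()).digest()):
            return False
        self._emp[p["employee_id"]].iban = p["new_iban"]
        del self._pending[request_id]
        return True

    def iban_of(self, employee_id):
        return self._emp[employee_id].iban


def demo():
    """Replays the thread's scenario with constructed data and a fake clock."""
    clock = [0.0]
    emp = Employee("E-4711", "Max Mustermann", "DE89370400440532013000", "max@personal.example")
    payroll = PayrollChanges([emp], now=lambda: clock[0])
    result = {"before": payroll.iban_of("E-4711")}

    # 1. The fraudster's fax: correct employee number and signature, their own
    #    IBAN, a different holder name. Nothing changes; the employee is told.
    rid = payroll.request_change("E-4711", "DE62370400440532013001", "A. N. Other", "fax")
    code = re.search(r"code (\d{6})", payroll.outbox[-1][1]).group(1)
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)  # the faxer never saw the code
    result["attacker_confirms"] = [payroll.confirm(rid, wrong) for _ in range(4)]
    result["after_attack"] = payroll.iban_of("E-4711")

    # 2. A genuine change: the employee reads the notice and confirms.
    rid = payroll.request_change("E-4711", "DE35370400440532013002", "Max Mustermann", "portal")
    code = re.search(r"code (\d{6})", payroll.outbox[-1][1]).group(1)
    result["employee_confirms"] = payroll.confirm(rid, code)
    result["after_confirm"] = payroll.iban_of("E-4711")

    # 3. A stale request: correct code, but presented after the TTL.
    rid = payroll.request_change("E-4711", "DE89370400440532013000", "Max Mustermann", "portal")
    code = re.search(r"code (\d{6})", payroll.outbox[-1][1]).group(1)
    clock[0] += 4 * 24 * 3600
    result["stale_confirms"] = payroll.confirm(rid, code)
    result["notices_sent"] = len(payroll.outbox)
    return result
```

The point of the design is that the fax's contents (signature, employee number, a plausible holder name) never act as an authenticator: they can raise a request, but only possession of the channel already on file can complete it, and the notice goes out even for requests that are never confirmed, so the employee learns within days, not months, that someone is trying.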