Spotting the red flags: How a care provider thwarted a clever email fraud attempt

July 28th 2025

A Routine Refund Request 

When Svetlana, a care manager at a residential home, began supporting a client through a complex funding dispute, she had no idea it would evolve into a cautionary tale about email fraud. 

The client, acting under power of attorney for her mother, had been partially funding her mother’s care while awaiting the outcome of a year-long Continuing Healthcare (CHC) dispute. Eventually, CHC agreed to fund the care in full. This meant the client was owed a refund of £3,800. Simple in theory, but as Svetlana soon discovered, things were far from straightforward. 

Coordination and Communication 

Svetlana worked with the client over email to confirm the refund amount, checking receipts and payment records to ensure accuracy. The care home doesn’t often deal with refunds, so everything had to be coordinated carefully, especially as the home’s owner, who usually handled financial transactions, was abroad and unable to set up a payment account. Svetlana was authorised to issue the refund using petty cash and began preparing the payment. 

When Something Felt Off 

That’s when things started to feel off. The client had confirmed, over email, the bank account she wanted the refund paid into. But the name on the account didn’t match any of the names Svetlana had previously seen associated with the client’s family. Cautious, she emailed back several times for confirmation. Each time the reply was the same: the client was firm, insistent even, that this was the correct account. “I am the power of attorney,” she wrote. “Please pay into this account.”

Despite the oddness of the situation, Svetlana considered the pressure the client had been under. She was a full-time working mum, caring for her mother and her child with special needs, and dealing with building works at home. Her brother had also been contacting Svetlana to push for the refund, which they needed urgently. After a year of waiting for the CHC dispute to be resolved, Svetlana reasoned that perhaps the client’s tone was just firm because she needed this sorted quickly. 

A Critical Warning from the Bank 

When Svetlana attempted to make the payment, however, her bank flagged the transaction as potential fraud and urged her to confirm the recipient by phone. Still wanting to proceed, Svetlana called the client directly, and the truth emerged. 

The Shocking Discovery 

The client was shocked. She hadn’t sent any bank details at all. Her email account had been compromised. The attackers had kept her own access working so she would not notice, while quietly removing the fraudulent correspondence from her view. She’d occasionally heard the ping of new emails on her iPad, only to find no messages when she checked. It was a sign that something was wrong, but easy to dismiss amid her busy life.

Meanwhile, from Svetlana’s perspective, everything had looked legitimate. The attackers had mimicked the client’s writing style and tone. The replies came from the client’s real email address, not a look-alike, because they were sent from inside her account. Nothing had seemed suspicious, except the bank account name.
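The case study does not say how the fraudulent messages were hidden from the client. A common mechanism in this kind of account takeover (MITRE ATT&CK T1564.008, email hiding rules) is a mailbox rule that deletes, files away or forwards anything mentioning payments, which would also explain the “ping but no message” symptom. The Python below is an added example, not part of the original case study or the care home’s own tooling: it audits a constructed export of mailbox rules for that pattern. The rule fields, the sample rules, the organisation domain `carehome.example` and the keyword and folder lists are all assumptions made for the example.

```python
"""Audit exported mailbox rules for the 'hide the payment conversation' pattern.

The rule structure here is a simplified stand-in for an Outlook/Exchange rule
export (assumption for this example); sample rules are constructed, not real.
"""
from dataclasses import dataclass, field

# Words a fraudster redirecting a payment would want to intercept or hide.
PAYMENT_TERMS = ("invoice", "payment", "refund", "bank", "account", "transfer")

# Folders people rarely open; attackers park mail here instead of deleting it.
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                 "archive", "conversation history"}


@dataclass
class MailboxRule:
    name: str
    enabled: bool = True
    conditions: dict = field(default_factory=dict)  # e.g. {"subject_contains": [...]}
    actions: dict = field(default_factory=dict)     # e.g. {"delete": True, "move_to": "Archive"}


def _mentions_payment(rule: MailboxRule) -> bool:
    words = rule.conditions.get("subject_contains", []) + rule.conditions.get("body_contains", [])
    return any(term in w.lower() for w in words for term in PAYMENT_TERMS)


def audit_rule(rule: MailboxRule, org_domain: str):
    """Return (severity, reasons) for one rule; severity is 'none', 'low' or 'high'."""
    if not rule.enabled:
        return "none", []
    reasons = []
    hides = False
    if rule.actions.get("delete"):
        hides = True
        reasons.append("deletes matching mail")
    if rule.actions.get("move_to", "").lower() in QUIET_FOLDERS:
        hides = True
        reasons.append(f"moves mail to '{rule.actions['move_to']}'")
    if rule.actions.get("mark_read"):
        reasons.append("marks mail as read")
    fwd = rule.actions.get("forward_to", "")
    external_fwd = bool(fwd) and not fwd.lower().endswith("@" + org_domain.lower())
    if external_fwd:
        reasons.append(f"forwards to external address {fwd}")
    catch_all = not rule.conditions
    if catch_all:
        reasons.append("no conditions (applies to every message)")
    payment = _mentions_payment(rule)
    if payment:
        reasons.append("filters on payment-related words")
    if len(rule.name.strip()) <= 2:
        reasons.append("blank or near-blank rule name")  # attackers often name rules '.' or ''
    if not reasons:
        return "none", []
    # High: mail leaves the mailbox, or mail is hidden with a scope that fits fraud.
    if external_fwd or (hides and (catch_all or payment)):
        return "high", reasons
    return "low", reasons


def audit_rules(rules, org_domain: str):
    """Audit every rule; returns a list of (rule name, severity, reasons)."""
    return [(r.name, *audit_rule(r, org_domain)) for r in rules]


# Constructed sample export: one benign rule, two that fit the attack, one disabled, one tidy-up.
SAMPLE_RULES = [
    MailboxRule("Newsletters", conditions={"subject_contains": ["unsubscribe"]},
                actions={"move_to": "Newsletters"}),
    MailboxRule(".", conditions={"subject_contains": ["refund", "bank account"]},
                actions={"delete": True, "mark_read": True}),
    MailboxRule("", actions={"forward_to": "ops-archive@example.net"}),
    MailboxRule("Old project", enabled=False, actions={"delete": True}),
    MailboxRule("Tidy", conditions={"from_contains": ["newsletter@vendor.example"]},
                actions={"move_to": "RSS Feeds"}),
]

if __name__ == "__main__":
    for name, severity, reasons in audit_rules(SAMPLE_RULES, "carehome.example"):
        if severity != "none":
            print(f"[{severity.upper()}] rule {name!r}: " + "; ".join(reasons))
```

Run against a real export, the two rules it flags as high are exactly the kind to remove and investigate: a catch-all external forward lets the attacker keep reading mail after the password is changed, and a delete-on-keyword rule is what makes the fraudulent thread invisible to the account owner. Checking for such rules, alongside a password reset and a review of active sessions, is part of cleaning up a compromised mailbox.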

Face-to-Face Clarification 

In the end, Svetlana invited the client into the care home office, where they reviewed the email trail together. The client was understandably distressed, not just about the refund, but about what else the hackers might have accessed. With other financial matters ongoing, including building works and invoice payments, she feared further losses. 

A Turning Point for the Care Home 

This experience was a turning point for Svetlana and her team. 

The care home has since taken a number of steps to increase security. They now work with a professional IT company on a monthly basis to ensure their network is secure. Svetlana also moved away from her old Hotmail account, which she had used for over a decade, and transitioned to a secure NHS email. However, due to ongoing communication from clients on the old address, the IT company has added additional protections to that account too. 

New Safeguards in Place 

When it comes to refunds, the care home has implemented a new multi-step verification process. Refunds now require confirmation through at least two independent channels. This could be email plus phone, or email plus an in-person or video meeting. For the second channel to add anything, it has to be genuinely separate from the email thread: a phone call to a number already held on file, not one supplied in the email itself. While not always convenient, these extra steps are a critical safeguard.

Svetlana and her team also completed a phishing awareness course offered by East Sussex Council. All team members use secure work devices only, a measure that was already in place before the incident.

Advice to Other Care Providers 

Her advice to other care providers: 

“Don’t rely solely on email,” Svetlana says. “Even if it’s the same email address you’ve been working with for months, that doesn’t mean it’s safe. Pick up the phone. Ask for confirmation another way, preferably in-person. If something feels off, even just a name not matching, listen to that instinct.” 

Lessons Learned 

What could have been a costly mistake was averted thanks to Svetlana’s persistence and a moment of caution. It’s a reminder that in today’s digital world, even the most familiar of interactions can mask a threat. Human judgement, backed by the right systems, is still one of the best lines of defence. 
