Tax & admin 13 August 2015

The story of a small business defrauded out of £7,000 and the lessons learned


Micro businesses need to be careful about the true origin of emails
Fiona Manby, partner at Manby International Sportswear, tells Business Advice about how an email from a seemingly trusted source turned out to be a con which cost her company thousands of pounds.

We have recently been victims of cyber invoice fraud, losing $11,000 (£7,000). Make sure your company does not fall into the same trap, as whether you’re a supplier or customer we are all vulnerable.

Having placed an order with a long-established supplier we received a pro-forma invoice on 30 May 2015. Looking exactly as it did last year, and coming from the same email address, everything seemed in order. This year our supplier was asking us to pay into another bank account. We thought this was a little strange, but this supplier had changed bank details two years prior and it is not uncommon for Chinese suppliers/trading companies to issue different bank details.

I did verify these bank details with the supplier over email and was assured by the nice lady who I have known for over six years that this was due to the fact that the company’s account was being audited.

Over the following four weeks, numerous emails were sent and replied to about the payment and production. It turns out that over this period a mixture of emails from the fraudster and from the supplier were received and replied to. Three members of staff from our organisation were party to these emails, along with staff from our foreign currency brokers.

Each email was cleverly intercepted and amended to keep both us and the supplier firmly “in the game” and duped into believing there was no reason to distrust the new information we had been supplied with. When you believe the emails are coming from a trusted source, and you have questioned the information, there seems no reason to further distrust the details.

On 19 June I had a meeting in Shanghai with the supplier. Within a few minutes of being in the meeting we realised we had been victims of some sort of email hijacking. It turns out that the supplier’s server had been hacked and every email was hijacked.

Any email that we had sent was intercepted and adjusted to give the supplier the information it wanted to hear, and vice versa. In actual fact, in the same way that we had trusted the emails from the supplier, the supplier had not pushed us to receive funds as it also trusts us to pay. As well as our supplier’s server being hacked, we also discovered that a domain name very similar to our own was registered the day before all the fraudulent emails commenced.

The fraudster intercepted each email and sent them from the “cloned” domain. The supplier did not pick up on the fact that it was receiving emails from different email addresses. The new domain was registered with Tucows via the reseller Vistaprint.

Fiona Manby isn't looking this happy right now
It’s clear, having now been a victim and researched the web, that cyber invoice fraud is on the increase but what has amazed me is the lack of systems in place to deal with combating the fraud. I was told by our foreign exchange broker that all it could do was request that the beneficiary returns the funds. Why on earth would the fraudster agree to return the funds?

The next option was to contact the police in Hong Kong where the beneficiary’s HSBC bank account was located. But no one could supply us with information on how to do this, and no one seemed to be able to offer advice on how we should progress combating this crime.

For the next step, we contacted our bank in the UK as although we didn’t make the payment through them, the account we paid into was an HSBC account. It has responded to say there is nothing it can do to help return our lost funds. The next avenue was to report the crime to Action Fraud, the online system for reporting cyber fraud. Once the crime is reported they will come back to us within 28 days. Now, 53 days later, it has responded to say “there are insufficient viable lines of enquiry for a successful criminal investigation”.