Fiona Manby, partner at Manby International Sportswear, tells Business Advice about how an email from a seemingly trusted source turned out to be a con which cost her company thousands of pounds.
We have recently been victims of cyber invoice fraud, losing $11,000 (£7,000). Make sure your company does not fall into the same trap, as whether you’re a supplier or customer we are all vulnerable.
Having placed an order with a long-established supplier we received a pro-forma invoice on 30 May 2015. Looking exactly as it did last year, and coming from the same email address, everything seemed in order. This year our supplier was asking us to pay in to another bank account. We thought this was a little strange, but this supplier had changed bank details two years prior and it is not uncommon for Chinese suppliers/trading companies to issue different bank details.
I did verify these bank details with the supplier over email and was assured by the nice lady who I have known for over six years that this was due to the fact that the company’s account was being audited.
Over the following four weeks, numerous emails were sent and replied to about the payment and production. It turns out that over this period a mixture of emails from the fraudster and from the supplier were received and replied to. Three members of staff from our organisation were party to these emails, along with staff from our foreign currency brokers.
Each email was cleverly intercepted and amended to keep both us and the supplier firmly “in the game” and duped into believing there was no reason to distrust the new information we had been supplied with. When you believe the emails are coming from a trusted source, and you have questioned the information, there seems no reason to further distrust the details.
On 19 June I had a meeting in Shanghai with the supplier. Within a few minutes of being in the meeting we realised we had been victims of some sort of email hijacking. It turns out that the supplier’s server had been hacked and every email was hijacked.
Any email that we had sent was intercepted and adjusted to give the supplier the information it wanted to hear, and vice versa. In actual fact, in the same way that we had trusted the emails from the supplier, the supplier had not pushed us to receive funds as it also trusts us to pay. As well as our supplier’s server being hacked, we also discovered that a domain name very similar to our own was registered the day before all the fraudulent emails commenced.
The fraudster intercepted each email and sent them from the “cloned” domain. The supplier did not pick up on the fact that it was receiving emails from different email addresses. The new domain was registered with Tucows via the reseller Vistaprint.
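A defender-side check for the cloned-domain pattern described above, added here as an example (not code from the article or from Manby International Sportswear): it scores each sender's domain against an allowlist of known counterparty domains by edit distance and flags near-matches that an eye skimming a From: line would miss. The domain names and From: headers are constructed placeholders, not the real parties.

```python
from email.utils import parseaddr

# Constructed allowlist of counterparty domains you already do business with
# (placeholders; not the supplier or company named in the article).
KNOWN_DOMAINS = {"example-sportswear.co.uk", "example-supplier.cn"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, known=KNOWN_DOMAINS, max_dist: int = 2):
    """Return the known domain this one imitates, or None if exact or unrelated.

    An exact allowlist hit is fine; a domain within max_dist edits of a known
    one (e.g. 'rn' for 'm', 'l' for 'i') is the cloned-domain signature.
    """
    if domain in known:
        return None
    for k in known:
        if levenshtein(domain, k) <= max_dist:
            return k
    return None


def flag_messages(from_headers):
    """Return (suspect_domain, imitated_domain) pairs for headers worth a phone call."""
    findings = []
    for header in from_headers:
        d = sender_domain(header)
        imitated = lookalike_of(d)
        if imitated:
            findings.append((d, imitated))
    return findings


# Constructed sample From: headers mirroring the article's pattern.
SAMPLE_FROM = [
    '"Accounts" <accounts@example-sportswear.co.uk>',   # genuine
    '"Accounts" <accounts@exarnple-sportswear.co.uk>',  # 'rn' in place of 'm'
    '"Sales" <sales@example-supplier.cn>',              # genuine
    '"Sales" <sales@example-suppller.cn>',              # 'l' in place of 'i'
    '"Newsletter" <news@unrelated-domain.example>',     # unrelated, not flagged
]
```

Run `flag_messages(SAMPLE_FROM)` to see the two near-miss domains paired with the genuine domain each imitates; the unrelated and exact-match senders are not reported.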
It’s clear, having now been a victim and researched the web, that cyber invoice fraud is on the increase – but what has amazed me is the lack of systems in place to deal with combating the fraud. I was told by our foreign exchange broker that all it could do was request that the beneficiary returns the funds. Why on earth would the fraudster agree to return the funds?
The next option was to contact the police in Hong Kong where the beneficiary’s HSBC bank account was located. But no one could supply us with information on how to do this, and no one seemed to be able to offer advice in how we should progress combating this crime.
For the next step, we contacted our bank in the UK as although we didn’t make the payment through them, the account we paid into was an HSBC account. It has responded to say there is nothing it can do to help return our lost funds. The next avenue was to report the crime to Action Fraud, the online system for reporting cyber fraud. Once the crime is reported they will come back to us within 28 days. Now, 53 days later, it has responded to say “there are insufficient viable lines of enquiry for a successful criminal investigation”.
We contacted the domain registrars Vistaprint and Tucows on 9 July, and on 4 August Tucows responded to say it had suspended the fraudulent domain. That was a result in the grand scheme of things. Vistaprint, meanwhile, have failed to respond.
I believe that if there were better systems in place, it’s possible the banks and police could work with the victims to play the fraudsters at their own game. Furthermore, there appears to be a lack of transparency in the investigations. We have no information with regards to how HSBC have dealt with the fraudster’s account and no knowledge of what Action Fraud have actually done with regards to the investigation. We have now made official complaints with the Financial Ombudsman.
It is possible to insure against cyber fraud, but we couldn’t get cover against our supplier’s server being hacked. So even if we had been insured and paid extra for the premium and the excess, in this instance it would not have been of any help.
The most important point I have taken away from this experience is that prevention is better than cure. Your emails or your supplier’s emails can be hijacked at any time. Changes of delivery addresses or bank details must be sought verbally from a known party. Make sure your customers are aware that this type of fraud is happening and advise each not to make payment to new bank accounts without receiving confirmation by phone from a known party. Make your suppliers aware that domains are being duplicated and that each should be aware of who emails are being received from.
The key is to be vigilant, otherwise you will become a victim like us.