I am seeing and hearing more and more about a newer type of fraud in which fraudsters monitor email accounts that have been hacked, or whose usernames and passwords have been stolen through phishing emails or websites.
When the criminals have access to the email accounts, they monitor incoming and outgoing emails for invoices and intercept them. They then alter them with different payment instructions such as changing the bank account details to the fraudster’s account or an account to which they have access. Once the alterations have taken place, which could be completed within a few minutes, they then let the email continue to its destination.
When the email arrives at the destination, it looks legitimate and the payment is made to the wrong account. But who is to blame? The payer, the banks, or the payee?
No one is taking responsibility:
In my experience, sometimes the banks have refunded the money, but small companies issuing invoices often lose out, whilst larger companies become more demanding for payment and many individuals give in and end up paying the invoice again. One of the latest stories I have heard relating to this locally involves a small building firm and its clients. The disputed amount is over £10 thousand, an amount which could leave a small building company struggling to get materials for their next job or even bankrupt.
This fraud is particularly prevalent in the conveyancing space. If you are a conveyancer or an estate agent, take extra precautions. However, these fraudsters target many industries, and I know of several cases with painters and decorators, solicitors and shopkeepers who have fallen victim to this crime. One-off payment services are most often targeted, as it is easier to change or add new bank details without detection. With regular invoices, changes are generally easier to detect and the risk is lower, because many payers don’t look at the payment details and just use the information which is already set up with their bank.
Here are some tips to help you prevent this fraud:
If you are running a business, you can pre-empt this type of attack. Let both current and new clients know that your banking details will never change. If they receive any correspondence announcing a change in bank details, advise clients to contact you and verify your banking details before they pay.
You could also consider not including your bank details on your invoices and instead call your clients to give them this information, or have bank details printed on a business card, which you could leave with the client before sending them an email invoice.
If you are an individual who is supplying banking details, do not email invoices with bank details. Instead, give your banking information directly over the telephone.
If you are making a large payment, double-check the account details with the company or make a test payment with a smaller amount, if this can be agreed with the payee.
Use a secure password for your email and avoid using the same password for other accounts.
If you receive an email stating bank account details have changed, then check this with the company before making payment.