Daily Dispatch

Beware! Cyber-hackers manipulating invoices

- WENDY KNOWLER CONTACT WENDY: E-mail: consumer@knowler.co.za; Twitter: @wendyknowler

WHEN last did you pay a company for goods or services using online banking, having been sent their invoice by e-mail?

For me it was five days ago; I did an EFT payment to a computer company which had installed a new hard drive on my laptop.

What should have been a quick and easy process took me about 20 minutes, because I obsessively checked and rechecked that my money was going into the right bank account.

Thanks to the now-prolific bank account details scam, such distrust is essential.

It’s the all-the-rage banking fraud currently catching thousands of unsuspecting consumers and businesses, and causing havoc in those professional relationships. My in-box is full of their stories, hence my paranoia about paying a fraudster by mistake.

Here’s how it works, in brief: The scammers get the e-mail addresses of companies which routinely e-mail invoices to their customers for payment. They then hack that e-mail account, intercept an invoice-containing e-mail to the client, change the bank details to their bank account, create an e-mail address which is almost identical to the genuine address, so as not to be noticed, and send it on to the client, who unwittingly pays the fraudster and not the company they owe the money to.

“This type of fraud can lead to strained business relationships as neither party feels that they are responsible for the fraud,” said Investec in a warning to clients about the scam last week.

Conveyancing attorneys are an obvious target for cyber-criminals, given that they hold in their trust accounts the purchase price paid for a property by the buyer, and then, when the transfer has been confirmed, they pay the relatively large proceeds of the sale to the seller.

It’s so prevalent among conveyancers that in July 2016, the Attorneys Insurance Indemnity Fund (AIIF) – a non-profit company established by the Attorneys Fidelity Fund to provide a level of professional indemnity insurance to all practicing attorneys in South Africa – excluded cybercrime from the cover.

In the fund’s Risk Alert publication, published last August, the fund’s general manager, Thomas Harban, wrote: “Since that exclusion, we have been notified of more than 50 cybercrime-related claims with a total value of more than R25-million. All fell within the exclusion and have been rejected.”

This despite the law societies and the AIIF warning conveyancers repeatedly, in many forms, about the scam.

Last September a Cape Town-based conveyancing attorney fell for a scam email pretending to be from her client – with a last-minute request that the R420 000 proceeds from the sale of her Muizenberg house be transferred into another bank account.

She did the transfer without doing any of the widely publicised recommended checks, and then refused to take responsibility for the loss.

But in many other cases, it’s the consumer who is doing the paying, based on an e-mailed invoice faked by a fraudster.

Pieter van Aswegen, who runs an IT services company in Cape Town, confirmed it’s not just lawyers with trust accounts who are having their e-mail addresses hacked, but also service providers, particularly medical professionals.

“In February a client of mine, a conveyancing attorney, had R800 000 redirected as a direct result of his e-mail address being compromised.

“And his e-mail host was particularly unhelpful in resolving the matter.”

In Your Corner will be investigating that claim in the coming weeks.

Last week I got a call from a Durban caterer, who’d sent a new client a quote containing the company’s banking details, and after catering two events for her, invoiced her for R6 000.

That e-mail was intercepted by the fraudster, and the address changed slightly, with their banking details replacing the genuine ones.

“She (the client) paid the money into that wrong account, and now she’s refusing to pay us, saying she paid the invoice in good faith,” the caterer said.

But just how are e-mail accounts hacked?

Dave Smith, owner of Durban IT company Cyber Support, said many small companies acquired their own routers and set them up.

“These are usually defaulted to user name “admin” and they tend to use easy, non-secure passwords.

“The scammers apply port forwarding and route the outgoing e-mails to their own server, amend the details, regardless of whether they are MSWord, MSExcel or PDF, and then forward to the legitimate payer.”

“And when banks are presented with damning evidence of fraud they refuse to provide any information to the victim as the account holder is protected by POPI!”

Nerosha Maseti, investigations manager with the Ombudsman for Banking Services, said banks had a duty to keep an account holder’s information confidential.

“The only way you may receive any information relating to the beneficiary account holder is to obtain a subpoena, in terms of the Criminal Procedure Act, ordering the bank to release the information on the account,” she said.

“Once in receipt of the subpoena, the bank will disclose the third party information,” she said, adding that as the account would have been opened with a fraudulent ID and proof of address, there was really no point in going to those lengths.

“The bank has no way of knowing that it is a fraudster opening the account.”

So much for FICA.

WHAT TO DO

● Companies: Get a professional company to set up and configure your router. DIY is risky.

Let current and new clients know that your banking details will never change, and advise them to phone and double-check the details before paying.

Consider leaving your banking details off invoices and asking clients to call you for that information instead.

● Conveyancing attorneys: Whenever a client that you are providing legal services to provides or changes an account number to pay into, insist on a bank stamped proof of that account.

Call and confirm with clients if you get an e-mail request to pay monies into a different bank account.

● Consumers: Don’t set up beneficiary details unless you have first contacted the company sending the invoice and verified the account details. And call the company on an independently sourced contact number, not one off the potentially compromised invoice.
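The checks above can be partly automated on the payer's side. The following Python is an added example, not part of the original article: it holds a payment when the invoice sender's address is a near-copy of a known supplier address or when the bank account differs from the one on record. The supplier record, addresses, account numbers and similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed supplier record: details confirmed by phone on an independently
# sourced number, never copied from an e-mailed invoice.
TRUSTED = {
    "accounts@caterer.example": {"account": "1234567890"},
}


def lookalike_of(sender, trusted=TRUSTED, threshold=0.9):
    """Return the trusted address that `sender` closely resembles
    without being identical to it, or None."""
    sender = sender.strip().lower()
    if sender in trusted:
        return None
    for known in trusted:
        if SequenceMatcher(None, sender, known).ratio() >= threshold:
            return known
    return None


def check_invoice(sender, account, trusted=TRUSTED):
    """Return the reasons to hold payment; an empty list means the sender
    and the bank account both match the supplier record."""
    reasons = []
    sender = sender.strip().lower()
    near = lookalike_of(sender, trusted)
    if near:
        reasons.append(f"sender resembles {near} but is not identical")
        record = trusted[near]
    elif sender in trusted:
        record = trusted[sender]
    else:
        reasons.append("sender not in supplier record")
        record = None
    # A genuine address proves nothing if the mailbox itself was hacked,
    # so the account number is compared even when the sender matches.
    if record and account.replace(" ", "") != record["account"]:
        reasons.append("bank account differs from supplier record")
    return reasons


if __name__ == "__main__":
    # Constructed invoice: one extra letter in the domain, new account number.
    for reason in check_invoice("accounts@caterrer.example", "9876543210"):
        print("HOLD PAYMENT:", reason)
```

Any reason returned means phoning the supplier before paying; an empty list only means the invoice matches what was recorded earlier.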
