Fraud alert: Beware the second email on wire transfers

Fraud alert: Beware the second email on wire transfers

Most of us know that requests from Nigerian princes to help rescue their millions might not be all they are cracked up to be, and if email we’ve received doesn’t even have our correct name, it’s probably suspicious.

However, a friend of mine told me about a new money grab that is much more sophisticated … and difficult to detect.

My friend’s building contractor had thousands of dollars stolen from him, the payment she had made for his services, via his email.

It’s likely that her builders’ PC had a Trojan virus whose job was to watch email for specific words and then work its magic when the correct combination of words were spotted. It was triggered when my friend was billed, by email, for work on their house.  They were asked to pay by bank transfer – not an unreasonable request – because of the amount.  However, a few seconds after the initial email landed, a second email with exactly the same headers and footers arrived, “correcting” the bank account details. Given the speed with which it arrived, and that it came from the same PC, my friends organized a bank transfer and assumed everything went as specified.

Two weeks later, when the builder called to ask if they were going to pay this bill for several thousand dollars, they realized something was amiss. Confused, they retrieved their information and realized that the “corrected” bank details were not sent by their builder.  

The banks investigated, but the account the money was sent to had been subsequently emptied and closed. Bank transfers are not covered by any fraud protection, so it was up to my friends and their builder to sort out what could be done to retrieve this money, which they eventually were able to do.

This appears to be a variation of a problem that has been hitting business hard over the past few years, most noticeably the shipping industry. Maersk, the world’s largest container-ship and supply-vessel company in the world, announced this year that it has lost around $300 million through these sort of attacks, and the FBI warned that banks themselves were falling victim to this kind of attack, as long ago as 2013.

How can you protect your small business from this sort of hack? We bounced this around the office a little and, apart from the usual suggestions – make sure you’re running the latest version of your operating system, make sure you have an up-to-date antivirus – we came up with a couple of recommendations:

  • Post “Please call to verbally confirm account details before proceeding with a transfer” on any invoices requesting bank transfers. This is the equivalent of two-factor authentication and will allow your customers to confirm that the account details are correct before sending large sums of money into the unknown.
  • Alternatively, use a separate method to send account details. This could be by simply making a phone call to give the information or spreading the information over a series of emails, each one carrying a part of the necessary information. This way, if you did have this virus, its algorithm is not triggered when you request payment.

Saying that, we operate with Google’s G-Suite email at Thinker. That forces us to use a webmail interface when entering email. It’s extremely difficult for a hacked PC to alter a Gmail message as it goes out; the traffic itself is encrypted from the browser to the server, unless someone uses Outlook, Thunderbird or another email program that uses an SMTP server.