
WENDY KNOWLER | Vigilance is king: don’t make it easy for scammers

Verify bank details first. According to the SA Banking Risk Information Centre, the intercepted email scam is on the rise


There’s an easy way to protect yourself from a very nasty form of fraud: every time you receive an email from a company with their invoice for services rendered, do not pay until you’ve verified the banking details.

And by that I mean phone the company — having sourced the number from somewhere other than that email — and check that the bank details in the email are actually those of the company.

Here’s why: the intercepted email scam is on the rise, according to the SA Banking Risk Information Centre (Sabric).

They refer to it as business email compromise, which gives rise to email account compromise.

In short, cyber criminals use various tactics, such as password sprays, phishing or malware to compromise a victim’s email account and gain access to legitimate mailboxes, along with calendars, meetings with suppliers or customers, corporate directories, all used to profile their victim. They maintain access to those mailboxes by creating email forwarding rules or changing account permissions, so they can closely monitor the business.

What they are looking for are emails containing invoices, which they intercept, then replace the business’ banking details with theirs before sending them to the unsuspecting customer for payment.

The thing is, we can’t afford to be unsuspecting of any email containing an invoice for payment.

We have to do our own authentication before paying. Yes, it’s a schlep but paying a crook instead of the company we owe the money to is a far bigger schlep.


In the cases victims have shared with me, the emails were sent either from the actual email address or from a new one so similar most don’t notice the difference. I was first alerted to this scam back in 2017, when the fraudsters were targeting conveyancing attorneys in a big way, given the large amounts of money moving into and out of their trust accounts with the buying and selling of properties.
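A check for the near-identical sender addresses described above, as an added example that is not from the article or Sabric. The address book, the substitution table and the distance threshold are assumptions made for illustration.

```python
import unicodedata

# Constructed address book: senders whose details were confirmed by phone.
KNOWN_SENDERS = {"accounts@roofco.example", "bookings@clarenshotel.example"}

# Assumed, non-exhaustive look-alike substitutions (digits and Cyrillic letters).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "\u0430": "a",
                             "\u0435": "e", "\u043e": "o", "\u0456": "i"})

def skeleton(addr):
    """Fold case, Unicode compatibility forms and common look-alike characters."""
    s = unicodedata.normalize("NFKC", addr).lower().translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(addr, known=KNOWN_SENDERS, max_dist=2):
    """Return ('known' | 'lookalike' | 'unknown', matched known address or None)."""
    addr = addr.strip().lower()
    if addr in known:
        # An exact match is not proof: a compromised mailbox sends from the
        # real address, so bank details still need out-of-band verification.
        return ("known", addr)
    sk = skeleton(addr)
    for k in sorted(known):
        if edit_distance(sk, skeleton(k)) <= max_dist:
            return ("lookalike", k)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ("accounts@r00fco.example", "bookings@clarenshotels.example"):
        print(sender, classify_sender(sender))
```

A "lookalike" result means the message should be treated as hostile until the real company confirms it by phone.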

The Legal Practitioners Indemnity Insurance Fund excluded cybercrime-related claims from its policy in July 2016, and issued heaps of warnings about email hackers, but despite that, lawyers have since put in claims adding up to more than R151m.

Incidents of successful email account compromise involving conveyancing attorneys still average about five a month, down from about 20 a month in 2016.

But the crooks continue to target other businesses and individuals, and they’re getting it right in increasing numbers.

Bev of Durban has fallen victim to it three times this year, would you believe.

In two of those cases, the fraudulent account was the same Standard Bank account, suggesting it was Bev’s email account which was being monitored. In case one, in late April, Bev received an email with an invoice attached from a roofing company which had done work for her.

The email came from the woman with whom she had been corresponding, with the identical email address.

And that’s how Bev came to pay her first R4,577 into the crook’s Standard Bank account.

Six weeks later, she booked accommodation at a hotel in Clarens via Booking.com. Payment was said to be on arrival, but the next day she got an email from a woman claiming to be a hotel employee, attaching an invoice with all the correct booking details, adding up to R7,245.

She was instructed to pay within 48 hours or lose the room.

Being a long weekend and knowing she’d booked the last available room, she paid. Of course, when she arrived at the hotel on June 16, she was asked to pay that R7,245 again as the account she’d paid into was not the hotel’s.

She liaised with the banks concerned to get her money back, but the crook’s account had been cleared. Bev is a Standard Bank client. The bank told me that she only reported this fraud almost three and a half weeks after the event, “which negatively impacted the successful repatriation of funds”.

In the third case, in early July, Bev had emailed invoices to a property management company for payment of a gate company’s work at an apartment block.

Those, too, were intercepted and the money was paid into the same Standard Bank account, the details of which had been fraudulently inserted into the roofing company’s invoice.

“I then realised all invoices sent to and from my email account were being intercepted,” Bev said.

According to Sabric CEO Nischal Mewalall, other forms of this fraud include:

  • The attacker positions themselves as the head or an executive of a company and typically emails an individual within the finance department, requesting that funds be transferred to an account controlled by the attacker.
  • An employee’s email account is hacked and used to request payments to vendors. Payments are then sent to a mule account under the control of the attacker.
  • The scammer acts as if they are the supplier and requests fund transfers or payments (by manipulating invoices) to mule accounts.

Sabric urges bank clients to spread their risk of email compromise by using their original email address for personal or business communication and a separate one for registering with newsletters, online shopping and other services. “Use different and strong passwords for each account — one that is at least six characters long and is a combination of letters, numbers and capitals/lower case.”

Then, on a secure PC, log into your email and check if any of the settings have been changed. “This could indicate that your email account has been hacked, so ensure that if any of the settings have been altered, that you delete these immediately.”
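What a settings check of this kind looks for, as an added example that is not from the article or Sabric: mailbox rules that forward or redirect mail outside the owner's own domain, the persistence method described earlier. The rule fields are a hypothetical schema and the sample rules are constructed; map your mail provider's rule export onto them.

```python
# Domains the mailbox owner controls (constructed for this example).
OWN_DOMAINS = {"bevco.example"}

# Constructed rule export using a hypothetical schema, not a real provider format.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from_contains": "news@"},
     "actions": {"move_to": "Reading"}},
    {"name": "inv copy", "conditions": {"subject_contains": "Invoice"},
     "actions": {"forward_to": ["inv.copy@freemail.example"]}},
    {"name": "To PA", "conditions": {},
     "actions": {"forward_to": ["pa@mail.bevco.example"]}},
    {"name": "gym", "conditions": {"from_contains": "gym@"},
     "actions": {"forward_to": ["me.personal@freemail.example"]}},
    {"name": "all", "conditions": {},
     "actions": {"redirect_to": ["store@mailstore.example"]}},
]

# Words suggesting a rule is aimed at invoices and payments (assumed list).
PAYMENT_WORDS = ("invoice", "payment", "bank", "statement", "remittance")

def is_internal(addr, own_domains):
    """True when the address is on an owned domain or one of its subdomains."""
    dom = addr.rsplit("@", 1)[-1].lower()
    return any(dom == own or dom.endswith("." + own) for own in own_domains)

def audit_mailbox(rules, own_domains=OWN_DOMAINS):
    """Return (rule name, severity, external recipients) for each suspect rule."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
        external = [t for t in targets if not is_internal(t, own_domains)]
        if not external:
            continue
        conditions = rule.get("conditions", {})
        text = " ".join(str(v) for v in conditions.values()).lower()
        # A rule with no conditions copies every message, so rate it high too.
        targeted = not conditions or any(w in text for w in PAYMENT_WORDS)
        findings.append((rule["name"], "high" if targeted else "medium", external))
    return findings

if __name__ == "__main__":
    for finding in audit_mailbox(SAMPLE_RULES):
        print(finding)
```

Any rule reported here that the mailbox owner did not create should be removed and the account password changed.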

Sabric’s advice is to never list your main email address publicly anywhere online — in forums, in online advertisements, on blogs, social media “or any place where it can be harvested by spammers”. Oops, too late for me!

But remember, the crooks can only get your money if you fail to verify the banking details before paying.

And that’s something you don’t need to be tech savvy to get right.

• GET IN TOUCH: You can contact Wendy Knowler for advice with your consumer issues via e-mail: consumer@knowler.co.za or on Twitter: @wendyknowler.
