In the past two months, two of our clients have been caught in the following scenario:
A supplier overseas has their email hacked. The hackers then write from a lookalike address that differs by a single character (a change that goes unnoticed by the importer receiving it) and notify the supplier's customers that the supplier has new banking details. When the clients place their orders, they wire the money, but unfortunately to the fraudulent bank accounts set up by the criminals. By the time our clients and their vendors notice what has happened, the accounts are drained and the funds are gone. Police reports can be filed, but there is little that can be done to recover or reimburse the stolen funds.
This appears to be a fairly prevalent scam in China, and one that is gaining in popularity.
We spoke to a bank executive in supply chain finance who offered us the following advice:
A standard banking practice is to require independent verification of new instructions. For example, when a relationship is established, a Corporate Resolution or other corporate document is requested listing the officers of the company permitted to provide payment instructions; there must be at least two. If “Mr. Smith” advises that there are new banking instructions, a phone call (to a phone number found on the company’s website) is made to a different officer, and the second officer is asked to confirm the new instructions. In the case of an overseas company, the request is made by email (only to a corporate domain address) to the second officer, and the reply must come from a corporate email address.
In addition, with an overseas company it is often required that “Mr. Smith” ask his bank to provide the new instructions, and even when the instructions come from an overseas bank, they are still verified by forwarding the overseas bank’s email message to a different officer at the company and asking that they confirm the payment instructions are correct.
Many small foreign manufacturers do not have a corporate email domain of their own, which is how these spoofs happen on Gmail, Hotmail, Yahoo and other free email services. It’s a lot more difficult to spoof a domain that is owned by a company, but such domains are not as prevalent overseas as they are in the United States.
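The one-character address change described above, and the free-mail domain point the banker raises, are both mechanical enough to screen for before anyone acts on a "new banking details" email. The following is an added example, not code from the original post or from the bank: it compares a sender address against a constructed list of vendor addresses that were verified out of band, and flags near-matches and free-mail domains.

```python
"""Flag sender addresses that look like, but are not, a verified vendor address.

Added example for this post; the vendor list, free-mail list and sample
senders below are constructed for illustration.
"""
from typing import Iterable, Optional

# Constructed: vendor addresses confirmed through a separate channel (phone/fax).
KNOWN_VENDORS = {
    "accounts@acme-fabrics-example.com",
    "sales@widget-supplier-example.cn",
}

# Free-mail providers, where a lookalike address costs nothing to register.
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character inserts/deletes/substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(sender: str, known: Iterable[str] = KNOWN_VENDORS,
                 max_distance: int = 2) -> Optional[str]:
    """Return None when the sender exactly matches a verified vendor address;
    otherwise return a short reason string saying why it is suspicious."""
    sender = sender.strip().lower()
    known = {k.lower() for k in known}
    if sender in known:
        return None
    reasons = []
    domain = sender.rsplit("@", 1)[-1]
    if domain in FREE_MAIL_DOMAINS:
        reasons.append(f"free-mail domain {domain}")
    for k in sorted(known):
        d = levenshtein(sender, k)
        if 0 < d <= max_distance:
            reasons.append(f"{d} edit(s) away from verified address {k}")
    if not reasons:
        reasons.append("unknown sender, not in verified vendor list")
    return "; ".join(reasons)
```

A non-None result is a reason to hold the payment change and verify it through a second officer, exactly as the banker describes; an exact match is not proof of legitimacy, since the real mailbox may itself be compromised.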
The takeaway here should be: before accepting a change of payment instructions from a vendor, validate the change through another channel, such as a direct conversation online, by phone or by fax.
In addition to what we have explained above, talk to your financial institution and insurance provider about their fraud protection practices and policies. It’s not a layer that adds complexity; it’s a layer that adds protection.