A Client Story: 100k Paid to Scammers – Don’t Miss These Red Flags

Updated July 21st 2021

We have an unbelievable but all too common client story that needs to be told.

With their permission, we share it here, in the hope you will become more vigilant and recognise the red flags before any damage is done.

The Client received an email, apparently from a regular supplier, advising that the bank details for all future payments had changed and that the new details were in an attached PDF.

Because a PDF was attached, this was not an immediate red flag to the Client: the most common advice about scammers is that they change the body of the email message and do not normally include PDF attachments.

The Client updated the “supplier” bank details in MYOB, then replied to the “Supplier” email advising that the bank details had been updated.

The “Supplier” then asked for confirmation of the next payment date, a seemingly reasonable request, as a genuine supplier might want to note it to ensure the payment was processed correctly.

The Client paid the next monthly statement on the due date, to the new bank account.

On the due date another email arrived from the “Supplier” asking whether payment would still be made that day, to which the Client responded yes.

The end of the month rolled round and the Client had not received the statement from the Supplier, but did not give it much thought, assuming it would arrive as usual. A few days after the end of the month, the Client received a call from the real Supplier asking when payment would be made.

The Client explained that it had been paid on time into the new account as requested. The real Supplier stated that their account details had not changed.

It was at this horrifying moment that the Client realised they had been scammed to the tune of $100k.

It turned out that the scammers were impersonating the supplier from a lookalike domain they controlled: the emails came from companyau.com instead of the supplier’s real domain, company.com.au. Nothing was technically forged; it was simply a different domain that reads the same at a glance, and because the scammers controlled it, they could also receive and answer the Client’s replies.

The Client shares the other red flags that were missed and were only discovered once further investigation took place:

  • Invoice and statement emails from this supplier had stopped arriving in the inbox as usual. A search located them in the RSS Subscriptions folder. The Client had not set up any rules to move these emails there; it was later discovered that the rules had been created in Office 365 itself, where they could only be seen by signing in online.

These rules marked the emails as read and then moved them to a nondescript folder the Client was unlikely to open.

This proved that the Client’s email account had been compromised: someone with access to the mailbox had created the rules.

  • The scammers had intercepted emails from this Supplier, deleted the originals and replaced them with their own, attaching the PDF with the updated account details and sending from the companyau.com address. The display name on these emails was exactly the same as the Supplier’s, hence the Client did not give it a second thought.
  • It was also discovered that the scammers had previously tried the same trick with another of the Client’s suppliers, but as luck would have it, that supplier had coincidentally changed their email address, so the RSS Subscriptions rule did not fire and the bill was paid correctly.
  • The statement did not arrive on time because the scammers had intercepted and deleted the real one. Without it, the Client did not see that any payments were overdue and therefore did not raise the alarm, which bought the scammers time to move the money.
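The lookalike domain and the borrowed display name described above are easy to check for automatically wherever supplier email is handled. The following is an added example (not code from the original article, and not anything the Client used): a Python function that parses a From: header, compares the sender’s domain against an allow-list of known supplier domains, and flags both a known display name paired with the wrong domain and a domain that merely resembles a real supplier domain. The supplier names, domains and headers are constructed for the example; the allow-list, the function names and the brand-label heuristic are assumptions.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: supplier display name -> the domain they really send from.
# (Assumption: in practice this comes from the accounting system's vendor master.)
KNOWN_SUPPLIERS = {
    "Acme Supplies Pty Ltd": "company.com.au",
    "Widget Corp": "widgetcorp.com",
}


def _brand(domain):
    """First DNS label: 'company' for company.com.au, 'companyau' for companyau.com."""
    return domain.lower().strip().split(".")[0]


def _edit_distance(a, b):
    """Plain Levenshtein distance; catches typo domains such as compnay.com.au."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(sender_domain, real_domain):
    """Return the heuristics that fire for sender_domain vs real_domain ([] if none)."""
    s, r = sender_domain.lower(), real_domain.lower()
    if s == r:
        return []
    reasons = []
    sb, rb = _brand(s), _brand(r)
    # companyau vs company: the real brand label extended or truncated.
    if sb != rb and (rb in sb or sb in rb):
        reasons.append(f"brand label '{sb}' extends or truncates '{rb}'")
    flat_s, flat_r = re.sub(r"[.\-]", "", s), re.sub(r"[.\-]", "", r)
    # Same characters, dots or letters rearranged (companyau.com vs company.com.au).
    if sorted(flat_s) == sorted(flat_r):
        reasons.append("same characters as the real domain, rearranged")
    # One or two character edits away (compnay.com.au, company.co.au).
    if _edit_distance(flat_s, flat_r) <= 2:
        reasons.append("within two edits of the real domain")
    return reasons


def check_from_header(from_header):
    """Parse a From: header and report why it looks like supplier impersonation."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Display name borrowed from a known supplier but sent from another domain.
    real = KNOWN_SUPPLIERS.get(name.strip())
    if real and domain != real:
        findings.append(f"display name '{name}' belongs to {real} but mail came from {domain}")
    # 2. Domain resembles any known supplier domain, whatever the display name says.
    for supplier, real_domain in KNOWN_SUPPLIERS.items():
        for why in lookalike_reasons(domain, real_domain):
            findings.append(f"{domain} resembles {real_domain} ({supplier}): {why}")
    return {"display_name": name, "domain": domain,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed headers: the attack from the story, then the genuine supplier.
    for hdr in ('"Acme Supplies Pty Ltd" <accounts@companyau.com>',
                '"Acme Supplies Pty Ltd" <accounts@company.com.au>'):
        result = check_from_header(hdr)
        print(hdr, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("   ", f)
```

The display-name check is the important one here: a matching display name with a non-matching domain is exactly what the Client saw, and it needs no fuzzy matching at all. The lookalike heuristics are a second layer for the case where the display name has also been varied; they are deliberately loose, so treat a hit as a reason to phone the supplier, not as proof of fraud.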

Your Protection Snapshot:

  • Always follow up with your contacts by phone first, using a number you already hold on file rather than one taken from the email, if:
    • Invoices or statements don’t arrive as scheduled
    • You receive notification of bank details changing
  • Don’t trust an email just because it carries official-looking attachments
  • When something just doesn’t seem right, look closely at the sender’s actual email address and domain, not just the display name
  • Regularly check whether any email rules have been created on your accounts, including rules that are only visible when signed in online:
    • If you find rules you did not create, delete them, then change your password and sign out all active sessions
  • Add two-factor authentication to your accounts where possible, including email accounts
  • Have a policy in place for processing supplier bank-change notices and similar notices, with a verification step that does not rely on the email that made the request
  • Educate all staff on identifying when something doesn’t seem right
  • Ensure accounting staff follow educational streams to stay up to date on potential scams and follow current best practice for handling them
  • Install a firewall that performs packet inspection and can detect impostors
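The rule check in the snapshot above, and the hidden “mark as read and move to RSS Subscriptions” rules found in the Client’s mailbox, can be turned into a repeatable triage. The following is an added example, not code from the original article or from the Client: a Python function that scores each inbox rule for the classic business-email-compromise tricks (hide by mark-as-read plus move, park in a rarely opened folder, delete, forward or redirect outside the organisation) and reports the reasons. The rule records are constructed and shaped like the Microsoft Graph messageRule resource (displayName, isEnabled, conditions, actions); the one assumption made so the sample runs offline is that moveToFolder holds a folder display name rather than a folder id. The organisation domain and the keyword list are also assumptions.

```python
# Folders a user rarely opens; attackers park intercepted mail here.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                  "conversation history", "archive"}
# Subject/body terms that suggest the rule targets finance mail.
FINANCE_TERMS = ("invoice", "statement", "payment", "remittance", "bank")
# Assumed: the organisation's own domain; any other domain counts as external.
INTERNAL_DOMAIN = "client.example"


def _addresses(recipients):
    """Lower-cased addresses from a Graph-style recipient list."""
    return [r["emailAddress"]["address"].lower() for r in recipients]


def triage_rule(rule):
    """Return the reasons a single inbox rule looks malicious ([] = nothing found)."""
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    reasons = []
    folder = (actions.get("moveToFolder") or "").strip()   # assumed: display name, not id
    suspicious_action = False
    if actions.get("markAsRead") and folder:
        reasons.append("marks messages as read and moves them, so they never show as new")
        suspicious_action = True
    # A one- or two-character folder name ('.', '..') is a common hiding trick too.
    if folder.lower() in HIDING_FOLDERS or (folder and len(folder) <= 2):
        reasons.append(f"moves messages to '{folder}', a folder the user is unlikely to open")
        suspicious_action = True
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching messages")
        suspicious_action = True
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        external = [a for a in _addresses(actions.get(key, []))
                    if a.rpartition("@")[2] != INTERNAL_DOMAIN]
        if external:
            reasons.append(f"{key} sends copies to external address(es): {', '.join(external)}")
            suspicious_action = True
    # Conditions only matter once the rule does something harmful with the mail.
    senders = _addresses(conditions.get("fromAddresses", []))
    if suspicious_action and senders:
        reasons.append(f"targets mail from specific sender(s): {', '.join(senders)}")
    text = " ".join(conditions.get("subjectContains", []) + conditions.get("bodyContains", [])).lower()
    hits = [t for t in FINANCE_TERMS if t in text]
    if suspicious_action and hits:
        reasons.append(f"targets finance mail (keywords: {', '.join(hits)})")
    return reasons


def triage_mailbox(rules):
    """Return [(rule name, reasons)] for every enabled rule with a finding, worst first."""
    flagged = [(r.get("displayName", "<unnamed>"), triage_rule(r))
               for r in rules if r.get("isEnabled", True)]
    return sorted([f for f in flagged if f[1]], key=lambda f: len(f[1]), reverse=True)


# Constructed sample: one rule mimicking the attack in the story, one benign
# newsletter rule, and one that forwards finance mail to an outside address.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "accounts@company.com.au"}}],
                    "subjectContains": ["invoice", "statement"]},
     "actions": {"markAsRead": True, "moveToFolder": "RSS Subscriptions"}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {"bodyContains": ["payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive.mailbox@mail.example"}}]}},
]

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for why in reasons:
            print("  -", why)
```

Run this over every mailbox, not just the one that reported a problem: the Client’s attackers had tried the same thing against a second supplier, and a tenant-wide sweep is what finds the rules that have not paid off yet. In Exchange Online the same fields come from Get-InboxRule (MarkAsRead, MoveToFolder, DeleteMessage, ForwardTo, RedirectTo), and the creation events can be pulled from the unified audit log with Search-UnifiedAuditLog filtered on the New-InboxRule and Set-InboxRule operations, which also tells you when and from where the rule was created.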

At the time of publication, our Client is still anxiously waiting and hoping for their funds to be returned. Their bank has launched an investigation and is liaising with the chain of banks seemingly involved, as the scammers work to hide the trail by moving the funds from bank to bank. An anxious wait indeed.

Most important is vigilance and education.

The reality is that scammers are working 24/7 to break into businesses, regardless of size, for any amount they can get their hands on.

So educate yourself and any employees who are responsible for authorising or making company payments: taking the extra time to double check will save your business from falling prey to a scammer.