Despite the ever-increasing scourge of email fraud, resulting in many businesses and their clients having their payments hijacked, there is still a lot of confusion about how fraudsters operate.
So many people will not believe that their email messages are being monitored and hacked by cyber fraudsters and criminals, because it is all happening behind the scenes and there’s nothing to alert us to the fact that our emails are being intercepted.
The reality is that a middleman fraudster is carefully monitoring our email discussions, in preparation for an impending payment that is being arranged in the very email that is to be hijacked.
HOW IS IT THAT OUR PAYMENTS ARE BEING HIJACKED?
Firstly, we must understand that there is a middleman who has access to all our emails and is noting discussions about an imminent payment.
He would have noticed the payee providing her normal bank details for her account to be paid, in a genuine email.
Secondly, just before payment is to be made, the fraudster strikes by creating a fake replica of the original email address. The recipient does not realise that this particular email comes from a fraudster, because the address has only the slightest change to make it resemble the genuine one; it is completely fraudulent, but the misleading address is not noticed.
The fraudster then inserts his own fraudulent bank details in the fake email. The person making payment does not realise that the bank details have been changed, or does not even think to check whether the correct original bank details tally with the fictitious bank details set out in the fake email.
The fake email is created by making the smallest and most innocuous changes that will mislead the recipient into believing that what he is receiving is from the genuine original address: for example, changing just one letter to depart from the genuine address, such as:
All 3 addresses look very similar; but the change of just one letter or just one full stop can be overlooked with devastating consequences.
A further variation of a hoax email address is to insert a prefix label (a display name) to also mislead the reader, such as “Donald Duck <email@example.com>”.
So a quick glance at an incoming email, without analysing the spelling of each word, letter by letter, will very easily mislead the reader into believing that the incoming email is genuine and is thereby tricked into paying into the wrong bank account.
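The two tricks described above, a near copy of a known address and a familiar display name in front of a foreign address, can be checked mechanically rather than by eye. The following is an added example, not code from the original article: it compares an incoming From: header against a constructed, hypothetical address book of verified payees and flags one- or two-character lookalikes and display-name mismatches.

```python
from email.utils import parseaddr

# Constructed address book of known-good payees (display name -> address).
# Hypothetical values; replace with the organisation's verified contact list.
TRUSTED = {
    "jane smith": "jane.smith@example-conveyancers.co.za",
    "accounts dept": "accounts@example-supplier.co.za",
}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, trusted=TRUSTED, max_edits=2):
    """Classify a From: header value against the verified address book.

    Returns {'address': ..., 'known': bool, 'flags': [...]}; an empty flag
    list with known=False just means the sender is unrelated to any payee.
    """
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    flags = []
    if addr in trusted.values():
        return {"address": addr, "known": True, "flags": flags}
    # Display name belongs to a trusted payee, but the address behind it differs.
    if name in trusted:
        flags.append("display-name-mismatch")
    # Address is a near copy (a letter or full stop changed) of a trusted one.
    for good in trusted.values():
        if edit_distance(addr, good) <= max_edits:
            flags.append(f"lookalike-of:{good}")
    return {"address": addr, "known": False, "flags": flags}


if __name__ == "__main__":
    # Constructed sample headers illustrating the cases in the article.
    for hdr in ("Jane Smith <jane.smith@example-conveyancers.co.za>",
                "Jane Smith <jane.smith@exampleconveyancers.co.za>",
                "Jane Smith <jane.smith@freemail.example>",
                "janesmith@example-conveyancers.co.za"):
        print(hdr, "->", check_sender(hdr))
```

Any message that carries a flag, and in particular one that also mentions new bank details, is the one that should trigger the telephone check the article recommends.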
There is nothing to alert the sender that what he sent has been forged.
The recipient is not warned that what he received has been altered to carry fraudulent bank details.
In essence, there is no independent or parallel verification of the authenticity of messages that were sent and received.
The bottom line is that the sender of the email and the recipient of the email do not obtain direct confirmation and verification from each other, and this disconnect in their messaging opens a door for the fraudster to manipulate the communications midway between the parties.
THE RISK IS THREEFOLD
Sending an email that contains bank details is extremely dangerous and risky.
Emails between sender and recipient are intercepted midway, resulting in the deletion of the genuine bank details and their substitution with those belonging to the fraudster.
There is no subsequent verification of the “about to be paid bank account number”.
Do not send any email that contains bank details.
Do not attach any bank details to any email.
The payor must make sure that he obtains prior valid confirmation of the “about to be paid account number” before triggering payment.
In order to provide bank details safely, phone the person who will be making payment and request him to write down the bank details and thereafter to photograph what is handwritten to avoid losing the scrap of paper.
There have been numerous examples of clients being physically handed a hard copy of the bank details, only to find that they subsequently misplace the invoice.
So if one saves the photograph into one’s cell phone, the payor will have the correct bank details on his person at all times.
Many people are using WhatsApp to convey bank details because WhatsApp is encrypted. However, this may not be entirely secure, as there have been unauthorised SIM-card swaps, which allow fraudsters to gain control of one’s cell phone number and its address book, again resulting in fraudulent and intercepted communications.
Other payors have called for a copy of the payee’s bank statement to verify his account details before making payment; but there have recently been many examples of highly effective forgeries of bank statements, which could well be used to hijack a payment into the fraudster’s bank account.
Any unexpected advice that the bank details have changed just before a proposed payment should trigger an immediate and direct enquiry with the payee. Most businesses would insist that the payee physically visits the company to verify his identity and to validate whether the requested change in bank details is bogus.
In conclusion, if there is the slightest doubt, extra efforts must be made to verify the recipient’s bank details directly with the payee before triggering payment.
Denoon Sampson is the Director at Denoon Sampson Ndlovu Inc, currently ranked the ‘number 1’ top performing conveyancer by First National Bank Limited. He has 30 years of experience as a conveyancer, specialising in the full spectrum of property-related law and is often called upon to give talks or contribute content on related matters.