Just When you Thought International
Electronic Payments were Safe
BY FRED MENDELSOHN
Many distributors do business with suppliers in foreign countries, such as China. Recently, the FBI released a bulletin titled “Man-in-the-Email” Fraud Could Victimize
Area Businesses, outlining how three Seattle area businesses sent
electronic payments to their China-based suppliers, only to learn
that the payments were intercepted by thieves and diverted from
the supplier, sometimes leaving the supplier, and other times the
purchaser, “holding the bag.” Even if you don’t often do business
across borders, business partners commonly wire large sums of
money to one another, so even one hijacked transaction can prove
devastating to any transacting party, even potentially damaging
established and profitable supply chain relationships.
The Nature of “Man-in-the-Email” Fraud Cases
By no means limited to the three companies named in the bulletin, the perpetrators of the China-Seattle fraud stole an aggregate
$1.65 million from Seattle-based businesses. Crain’s Cleveland
Business recently reported that shortly after a small packaging
company discovered that its $500,000 wire transfer to a reputable
Chinese equipment manufacturer was intercepted by a scammer, it
also learned that it had no insurance coverage for this form of cy-ber crime. These scams follow a very similar fact pattern: imposters
infiltrate the foreign supplier’s email system, intercept legitimate
emails from the American purchaser, and then “spoof” subsequent emails impersonating the supplier to the purchaser. The
fraudulent emails then direct the purchasing companies to send
payment to a new bank account (often due to a purported change
in circumstances, like an audit) which, as you suspect, belong to
the imposters.
What Are The Consequences of “Man-In-The-
Email” Fraud?
In some cases, the purchaser receives its goods, making the lost
payment the supplier’s problem. When the goods have not been
shipped, the purchaser feels the sting. Either way, the effort to
untangle, trace, and attempt to recover the lost payments requires
a great deal of time and effort (including lost opportunity costs),
Moreover, the scam is not always as simple as an intercepted
email, but can arise from malicious access to one of the parties’
email accounts (a.k.a. an inside job), or a spoofed domain using
a lookalike email/domain address — an email header forged to
depict a legitimate sender. Malicious access most likely originates
with the foreign supplier, giving the recipient no means to identi-
fy the email as fraudulent. However, a spoofed email which should
have been identified as coming from an imposter could also be
seen as the purchaser’s problem. If the victims challenge each oth-
er as to responsibility, further animosity can arise between them,
increasing the work required to attempt recovery and/or mitigat-
ing the risk of a “falling out” between the parties.
What Can A Business Do To Protect Itself In These
Cases?
While protection can involve disciplines from sophisticated IT design to enactment of high level security measures, some common
sense solutions can be implemented to protect against scammers:
• Carefully scrutinize incoming email communications, with an eye
toward any unusual changes in the identity of the sender and/or
payment practices. Has the header changed? Did the sender sug-
Legal Watch