Many distributors do business with suppliers in foreign countries, such as China. Recently, the FBI released a bulletin titled “Man-in-the-Email” Fraud Could Victimize Area Businesses, outlining how three Seattle area businesses sent electronic payments to their China-based suppliers, only to learn that the payments were intercepted by thieves and diverted from the supplier, sometimes leaving the supplier, and other times the purchaser, “holding the bag.” Even if you don’t often do business across borders, business partners commonly wire large sums of money to one another, so even one hijacked transaction can prove devastating to any transacting party, even potentially damaging established and profitable supply chain relationships.
The Nature of “Man-in-the-Email” Fraud Cases
By no means limited to the three companies named in the bulletin, the perpetrators of the China-Seattle fraud stole an aggregate $1.65 million from Seattle-based businesses. Crain’s Cleveland Business recently reported that shortly after a small packaging company discovered that its $500,000 wire transfer to a reputable Chinese equipment manufacturer was intercepted by a scammer, it also learned that it had no insurance coverage for this form of cyber crime. These scams follow a very similar fact pattern: imposters infiltrate the foreign supplier’s email system, intercept legitimate emails from the American purchaser, and then “spoof” subsequent emails impersonating the supplier to the purchaser. The fraudulent emails then direct the purchasing companies to send payment to a new bank account (often due to a purported change in circumstances, like an audit) which, as you suspect, belong to the imposters.
What Are The Consequences of “Man-In-The-Email” Fraud?
In some cases, the purchaser receives its goods, making the lost payment the supplier’s problem. When the goods have not been shipped, the purchaser feels the sting. Either way, the effort to untangle, trace, and attempt to recover the lost payments requires a great deal of time and effort (including lost opportunity costs), and can easily trigger the need for intervention by federal and/or foreign authorities (e.g., FBI, Chinese provincial police, Interpol, etc.). Because the party wants to admit fault for the lost payment, the business relationship can quickly sour.
Moreover, the scam is not always as simple as an intercepted email, but can arise from malicious access to one of the parties’ email accounts (a.k.a. an inside job), or a spoofed domain using a lookalike email/domain address — an email header forged to depict a legitimate sender. Malicious access most likely originates with the foreign supplier, giving the recipient no means to identify the email as fraudulent. However, a spoofed email which should have been identified as coming from an imposter could also be seen as the purchaser’s problem. If the victims challenge each other as to responsibility, further animosity can arise between them, increasing the work required to attempt recovery and/or mitigating the risk of a “falling out” between the parties.
What Can A Business Do To Protect Itself In These Cases?
While protection can involve disciplines from sophisticated IT design to enactment of high level security measures, some common sense solutions can be implemented to protect against scammers:
- Carefully scrutinize incoming email communications, with an eye toward any unusual changes in the identity of the sender and/or payment practices. Has the header changed? Did the sender suggest a change in business practice for some unilaterally asserted reason? Is bank account information identical to previous account information? Your reservations are warranted even if an account number is “off” by a few digits.
- Set up a protocol to authenticate transactions with suppliers and others, particularly when dollar amounts are significant. Establishing a secondary method for authenticating transactions outside of email communication can make the difference between a lost or received payment, and might also serve to expose any infiltration into your business partner’s affairs by imposters or rogue employees.
- Delete spam emails; do not open them. Install safety systems on your email account and use dedicated, not free, email account systems.
- Instead of replying to an important email that could be part of a scam, forward it to the proper recipient(s) by forwarding the email to the correct email addressee(s).
- Retain a sophisticated consultant to audit your businesses’ e-commerce practices that relate to computer fraud.
Am I Covered By Insurance?
It depends on a number of variables, including the types of coverage that a business has in place. Start by reviewing your “high risk” policies to determine the scope of your directors and officers liability coverage (D/O), crime coverage, and/or cyber-crime coverage. While D/O coverage may exist if the theft is caused (at least in part) by a dishonest employee, “Man-In-The-Email” fraud and similar hacking scams are often not covered or are subject to one or more exclusions. It is reported that most insurers take the position that “Man-In-The-Email” and similar fraud are not covered, sometimes citing to what is commonly referred to as the “voluntary payment exclusion.” While not yet legally tested, securing coverage can be difficult, but not impossible. A careful reading of your insurance coverage contract is critical. Contacting your agent and/or obtaining your attorney’s review of coverage purporting to protect against such losses are good starting points.
New breeds of swindlers and con men have evolved right alongside – and sometimes just ahead of – every other facet of 21st century business practice. Cybercrime can be conducted from physical locations remote from the injured parties, where the fraudster need not find a hideout after pulling off a significant job, but simply moves on to his next “virtual” storefront, to infiltrate a fresh victim’s email server.
For distributors interested in discussing these issues, please contact Fred at 312-840-7004 or by email at firstname.lastname@example.org.