Key Message
Be wary of any change to bank accounts via email, and unless you are happy paying an invoice twice you should always confirm a bank account change via a known phone number (and not the phone number stated on the email, because if the email is dodgy, you can bet the phone number in the dodgy email is also dodgy).
PAYMENT REDIRECTION SCAMS
Emails can be relatively easy to hack into, and we regularly hear of businesses that have had their emails compromised which has led to customers paying invoices into other bank accounts. It would be worth reading this report from the Government’s ScamWatch site.
What normally happens is that a scammer intercepts a businesses emails during tranmission, changes the email, and then continues it on it’s merry way, and crucially, neither the sender or the recipient are aware that the email was intercepted.
The scammer will change the bank account in the email (or if the email contains an attached invoice, will change the bank account details on the invoice), and the end result is that the recipient of the email will pay the invoice to the bank account of the scammer.
The business, who hasn’t received payment, will then demand what is in effect a second payment. The purchaser will claim they have paid, and a nasty dispute will arise.
HOW IT HAPPENS
We’ll try and leave out the technical mumbo-jumbo, but essentially a hacker needs to either have access to your emails directly, or be able to re-route your emails to go to them. Ways they would do this include:
- Accessing the password to your email account and simply logging in. This commonly happens when you reuse the same password on multiple websites – so when one is hacked, all are effectively compromised. Check out the “Have I Been Pawned” website (https://haveibeenpwned.com) to see if you are vulnerable. Many services use your email address as your username – type it in here and it will tell you if a password attached to this username is circling the Dark Web. If so, and you reuse passwords, you may be in a bit of trouble;
- A “brute force” hack has been made on your email account – which is where a hacker’s computer will guess random passwords until they find the right one. An eight character password can be cracked in 5 hours using this method… You can read more about this on this Practice Protect blog;
- You clicked on a dodgy email that asked you to login to your email account to verify something. In this case, you just handed the scammers the keys to your email account by entering in your username and password; and
- You have a virus on your computer that it is a “keylogger” – software that logs every single thing you type on your keyboard. It’s then not difficult to search this log for your email address, and the word following this is your password.
All of the above are preventable…
Once they have access, they add some rules, filters, and redirection to send emails with the word invoice or payment in it to their server first, they alter the email, and forward it to your customer. They ensure that it still comes from your email address so your customer has no idea the scammers were involved.
IF YOU ARE TOLD ABOUT A BANK ACCOUNT CHANGE
If a supplier informs you via email that their bank accounts have changed, then the best thing you can do is call them. Don’t call the number in the email (any smart scammer will include a fake phone number that they can answer), but call the number you have in your records.
Failing that, check their website, their google maps listing, their facebook page, the linked in page, or other places. Unless a scammer has managed to get control of everything, you’ll find the correct phone number on these.
Yes all of this takes time, and if you are paying a $20 invoice it might be worth the risk of not checking. But if the invoice is for an amount that you can’t afford to pay twice, then you should make the effort to check.
IF YOU SIMPLY PAY TO THE ACCOUNT ON THE INVOICE
Then don’t.
Note the bank account you paid to last time in your records and check that the account on the invoice matches the account in your records. If the differ, then make a phone call to your supplier. If you use accounting software, you can save those details in there. If you use internet banking, you can save those details in there.
SO WHO IS AT FAULT?
Blame seems to lay at the feet of both parties:
- The sender for allowing themselves to get hacked;
- The receiver for not checking payment details.
From what we can ascertain, in a legal sense the purchaser has an obligation to ensure they are paying to the correct account. Where they receive an email with different bank account details, there is an obligation to take reasonable steps to ensure the changed details are correct (source: Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239). If the sender of the email has so poor internal controls that they’ve allowed their website, facebook, and google listing along with their emails to be hacked, then the story may be different.
Regardless of the above, there are no winners (except for the scammers) if this does happen to you. You’ll argue with the other party, solicitors will get involved, the supplier will refuse to supply further goods until payment for the first invoice is made, and in the end some compromise will probably be made that suits neither party.
