IN YOUR CORNER
Scam alert: Read this before paying another invoice
Beware this all-the-rage online banking fraud
When last did you pay a company for goods or services using online banking, having been sent their invoice by e-mail?
For me it was five days ago: I did an EFT payment to a computer company which had installed a new hard drive on my laptop.
What should have been a quick and easy process took me about 20 minutes because I obsessively checked and rechecked that my money was going into the right bank account.
Thanks to the now-prolific bank account details scam, such distrust is essential.
It’s the all-the-rage banking fraud currently catching thousands of unsuspecting consumers and businesses and causing havoc in those professional relationships.
My inbox is full of their stories, hence my paranoia about paying a fraudster by mistake.
Here’s how it works, in brief:
The scammers get the e-mail addresses of companies that routinely e-mail invoices to their customers for payment. They then hack that e-mail account, intercept an invoice-containing e-mail to the client, change the bank details to their bank account, create an e-mail address which is almost identical to the genuine address so as not to be noticed, and send it on to the client, who unwittingly pays the fraudster and not the company they owe the money to.
“This type of fraud can lead to strained business relationships as neither party feels that they are responsible for the fraud,” said Investec in a warning to clients about the scam last week.
Conveyancing attorneys are an obvious target for cybercriminals, given that they hold in their trust accounts the purchase price paid for a property by the buyer, and then, when the transfer has been confirmed, they pay the relatively large proceeds of the sale to the seller.
It is so prevalent among conveyancers that in July 2016 the Attorneys Insurance Indemnity Fund (AIIF) – a nonprofit company established by the Attorneys Fidelity Fund to provide a level of professional indemnity insurance to all practising attorneys in South Africa – excluded cybercrime from its cover.
In the fund’s Risk Alert publication, published last August, the fund’s general manager, Thomas Harban, wrote: “Since that exclusion, we have been notified of more than 50 cybercrime-related claims with a total value of more than R25-million. All fell within the exclusion and have been rejected.”
This despite the law societies and the AIIF warning conveyancers repeatedly, in many forms, about the scam.
Last September a Cape Town-based conveyancing attorney fell for a scam e-mail pretending to be from her client – with a last-minute request that the R420,000 proceeds from the sale of her Muizenberg house be transferred into another bank account. She did the transfer without doing any of the widely publicised recommended checks, and then refused to take responsibility for the loss.
But in many other cases it’s the consumer who is doing the paying based on an e-mailed invoice faked by a fraudster.
Pieter van Aswegen, who runs an IT services company in Cape Town, confirmed it’s not just lawyers with trust accounts who are having their e-mail addresses hacked, but also service providers, particularly medical professionals.
“In February a client of mine, a conveyancing attorney, had R800,000 redirected as a direct result of his e-mail address being compromised. And his e-mail host was particularly unhelpful in resolving the matter.”
In Your Corner will be investigating that claim in the coming weeks.
Last week I got a call from a Durban caterer who’d sent a new client a quote containing the company’s banking details, and after catering two events for her, invoiced her in the amount of R6,000.
That e-mail was intercepted by the fraudster and the address changed slightly, with their banking details replacing the genuine ones.
“She paid the money into that wrong account, and now she’s refusing to pay us, saying she paid the invoice in good faith,” the caterer said.
But just how are e-mail accounts hacked?
Dave Smith, owner of Durban IT company Cyber Support, said many small companies acquire their own routers and set them up.
“These are usually defaulted to user name ‘admin’ and they tend to use easy, non-secure passwords. The scammers apply port forwarding and route the outgoing e-mails to their own server, amend the details, regardless of whether they are MSWord, MSExcel or PDF, and then forward to the legitimate payer.
“And when the banks are presented with damning evidence of fraud, they refuse to provide any information to the victim as the account holder is protected by POPI (the Protection of Personal Information Act)!”
Nerosha Maseti, investigations manager with the Ombudsman for Banking Services, said banks had a duty to keep an account holder’s information confidential.
“The only way you may receive any information relating to the beneficiary account holder is to obtain a subpoena, in terms of the Criminal Procedure Act, ordering the bank to release the information on the account,” she said.
“Once in receipt of the subpoena, the bank will disclose the third-party information,” she said, adding that as the account would have been opened with a fraudulent ID and proof of address, there was really no point in going to those lengths. “The bank has no way of knowing that it is a fraudster opening the account.”
So much for Fica (the Financial Intelligence Centre Act).
WHAT TO DO
Get a professional company to set up and configure your router. DIY is risky.
Let current and new clients know that your banking details will never change, and advise them to phone and double-check the details before paying.
Consider leaving your banking details off invoices and asking clients to call you for that information instead.
Conveyancing attorneys
Whenever a client that you are providing legal services to provides or changes an account number to pay into, insist on a bank-stamped proof of that account.
Call and confirm with clients if you get an e-mail request to pay monies into a different bank account.
Consumers
Don’t set up beneficiary details unless you have first contacted the company sending the invoice and verified the account details. And call the company on an independently sourced contact number, not one off the potentially compromised invoice.
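The two tell-tale signs described above, a sender address that is almost identical to the genuine one and bank details that differ from those previously confirmed, can be checked before a beneficiary is set up. The following Python is an added example, not part of the original column; the vendor record, addresses, account numbers and the 0.85 similarity threshold are constructed for illustration.

```python
from difflib import SequenceMatcher

# Details confirmed earlier by phone on an independently sourced number.
# Constructed sample record, not real data.
KNOWN_VENDORS = {
    "accounts@durban-catering.example": {
        "bank": "Example Bank", "account": "1234567890"},
}

def closest_known(sender):
    """Return (trusted_address, similarity 0..1) for the most similar record."""
    score = lambda k: SequenceMatcher(None, sender, k).ratio()
    best = max(KNOWN_VENDORS, key=score)
    return best, score(best)

def check_invoice(sender, bank, account, threshold=0.85):
    """Return reasons to stop and phone the vendor before paying.

    An empty list means sender and bank details match the verified record.
    """
    sender = sender.strip().lower()
    flags = []
    record = KNOWN_VENDORS.get(sender)
    if record is None:
        known, score = closest_known(sender)
        if score >= threshold:
            # Near-identical but not equal: the lookalike address trick.
            flags.append(f"lookalike sender: {sender} resembles {known}")
            record = KNOWN_VENDORS[known]
        else:
            flags.append(f"unknown sender: {sender}")
    if record is not None:
        # Checked even when the sender is exact, because a hacked
        # mailbox can send altered invoices from the genuine address.
        given = (bank.strip().lower(), account.replace(" ", ""))
        if given != (record["bank"].lower(), record["account"]):
            flags.append("bank details differ from verified record")
    return flags

if __name__ == "__main__":
    # Constructed invoice: one letter swapped in the domain, new account.
    for reason in check_invoice("accounts@durban-caterlng.example",
                                "Example Bank", "9876543210"):
        print("HOLD PAYMENT:", reason)
```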
#SHELFIE
It’s a sign: with increasing numbers of retailers offering lay-by deals to customers who don’t qualify for credit or don’t want to pay interest, signs offering this payment method are in demand. Let’s hope those retailers are also doing lay-bys the Consumer Protection Act way, allowing customers to cancel such deals while still paying off an item – for a full refund.