The Alfa sales company forwards by email to the acquiring company Beta a pro forma invoice in pdf format, with the payment clause in advance, and containing the bank details of payment of the sales consideration. After a few days, the Alfa sales company is contacted by the Beta buyer who complains that the goods have not been sent despite the payment of the same.
Subsequent checks show that:
- Beta has made the payment of the consideration using the bank details indicated in the proforma invoice received in PDF format;
- the document received by Beta is identical in format and characters used to that sent by e-mail by the selling company Alfa, but differs from that in the part relating to the indication of bank details;
- the payment was made by Beta to a current account of an international bank operating in Italy which is not, however, attributable to the selling company Alfa.
At this point, Beta is forced to make a new payment, successfully, in favor of Alfa. The case represents, plastically, a hypothesis of man in the mail, that is, a scam perpetrated through direct access to the inbox via IMAP protocol, thanks to which the criminals directly replaced the emails arrived at the Alfa company, leaving the text of the email intact but modifying the document attachment in PDF containing the invoice with the correct IBAN code, which was modified indicating a different one.
The scheme that also takes the name of “Man in The Middle”, “BEC Scam”, “Wire fraud”, “Business Email Compromise”, “BEC Fraud” or even “Bogus Invoice Scheme”, “Supplier Swindle” or “Invoice Modification Scheme”, is quite simple: the attacker, with more or less sophisticated techniques, violates a company’s email account, thus being able to intercept incoming emails containing sensitive documents, which may include invoices.
Once the email containing the invoice with the bank payment data has been intercepted, usually consisting of a document drawn up using common text processing programs, the villain modifies the bank details, leaving the rest of the document unchanged. At this point it is practically impossible for the recipient of the document to distinguish the fake from the original.
What, then, can be the countermeasures to be taken in order not to incur possible forms of competition in the cause of property damage?
While it is always necessary to protect your email account with the use of suitable antivirus and antimalware, on the creditor’s side, the easiest and most immediate solution may be to avoid returning your bank details directly to the document (invoice or pro forma). If this is not possible, a number of small precautions may nevertheless be taken when the document is being drawn up.
First, it is useful to invite the addressee of the document to proceed with the payment only after telephone confirmation of the correctness of the bank data indicated therein. In this sense it may be useful to include in the body of the document a wording of the following: “In order to prevent computer scams, before proceeding with the payment by bank transfer the customer is required to verify the correctness of the bank data reported on the invoice by calling our headquarters”.
Secondly, it is appropriate that the document to be sent, be it PDF or word, is previously encrypted with a code shared only with the recipient, in advance or later, so that the file cannot be opened by third parties.
Thirdly, IBAN coordinates should not be limited to the simple alphanumeric code, but should also indicate the Bank and the reference subsidiary, to make it easier for the payer to check the coincidence between the coordinates and the header of the current account.
On the receiving debtor’s side, each payment should be preceded by a telephone confirmation of the correctness of bank details.
Secondly, the maximum attention must be paid at the time of payment to the coincidence of bank details with the current account header. It should be borne in the court that, as a result of the amendments introduced by Legislative Decree No. 11/2010 the payment service provider (i.e. the Bank) is relieved of the obligation to carry out the check of congruity between the IBAN and the identifying elements of the holder of the recipient’s account, binding it to the “mere execution” of the provision exclusively in accordance with the IBAN indicated by the customer.
It is therefore within the bank’s mere discretion to put in place control measures to limit the risk of inaccurate payment transactions. This means that in any event of undue payment, the defrauded customer could hardly retaliate against the Bank.
Photo by Austin Distel