 

Emailed Invoice Interception Scams


How they work and how to avoid them


How did this happen ?
Why can't the bank refund my money?
Why does the law favour the creditor?
Is there practical advice for the debtor?
How do I protect myself against these scams?


You receive an invoice from your supplier. You make the payment to the bank account shown on it. A week or so later he calls, querying your non-payment. You indignantly send him your proof of payment. He replies that it is not his bank account. You explain that it was the bank account on his invoice. "Nope", he says - "Dunno how that happened but it's not my account details".
There is R50,000 at stake here. You call your lawyer. He tells you your debt is not settled and you will need to pay again. The funds have disappeared and it was not your fault, but you are still liable for the original debt.
And of course this happens the other way around where funds are being paid to you.

What on earth happened here? This all seems extremely unfair.


HOW DID THIS HAPPEN ?


The fraud usually originates on the supplier side, that is, with the party who is owed the money. That could be you. Caution and prevention start there, so we look at events from the supplier (creditor) side.

Somehow, sometime, someone on your staff (you?) fell for one of those phishing emails and was tricked into typing an email password into a fake login form. Nothing seemed to happen - or you figured you had fixed whatever they wanted you to correct - and you thought no more of it. Pity, because that was the moment to change your email password immediately.

The scammer then logs into your upstream mailbox (on the host's mail server, not on your PC) and installs a filter that detects incoming emails containing words such as invoice, statement, debtor, creditor or bank account, and forwards copies of those emails to a monitoring address. Because the filter lives on the server, it survives any clean-up of your PC and is not removed by a password change on its own. The copied mail is read as it arrives to establish whether large payments pass through the account from time to time. Once such a correspondence is identified, the trap is set.

The first step is to divert incoming mail from that debtor to the scammer. The scammer then waits for a suitable invoice to be sent by you to that debtor. All other mail is released to you as normal, so you are none the wiser. When the invoice is spotted, it is doctored to show a different bank account number and sent on its way to your debtor. The trap is baited. Your debtor opens the mail and pays the invoice into the scammer's account. The trap is sprung. They have the money and your debtor's fate is sealed.

We have seen this done so successfully that the debtor asks you, the creditor, for several months' terms. The "creditor" (actually the scammer) intercepts the request, agrees, and skims three monthly payments. Only after that time has passed does the debtor realise what has happened, when the real creditor follows up on the unpaid account. The people running several of these scams appear to be in the UK, and the technical standard of the forgery and false correspondence is high.


WHY CAN'T THE BANK REFUND MY MONEY ?


Yes they could - but No they won't.

South African banks move slowly and staff are extremely reluctant to break any privacy regulations (remember that the POPI Act is now in force). "Client confidentiality" has long been a sacred cow, and it can typically take a week to get the information on who controls the account to which the funds were diverted. Usually it is not your bank, so you have to convince your own bankers to move fast. Usually they won't.

The ideal move is to get an urgent order from a lower court compelling your bank and the recipient's bank to release all the account holder's information. It will cost, and it has to be done quickly. But it may simply reveal that the funds went to an account which transferred them on, and the process starts again. Very often the final destination turns out to be a gogo (grandmother) in the depths of the Eastern Cape who is using her SASSA bank account to receive the funds for a "stranger" who offered her R1,000 to use her account to receive money from a "friend". There is little to salvage in these instances.

The banks usually claim client confidentiality before releasing payee details, and that two to three week delay helps the money move through even more accounts. There has, however, been recent South African case law based on an application where the principle is that the banks have been used as instruments of a fraud, and on that basis it is possible to obtain an urgent order freezing money in the accounts concerned.


WHY DOES THE LAW FAVOUR THE CREDITOR ?


The person who has not been paid (the creditor) then demands payment, saying that the debtor has not fulfilled their obligation under South African law to ensure that the funds were delivered to the creditor. It really is as simple as that.

If the creditor's email account was hacked, then the creditor would be negligent to a degree. The funds were paid to the scammer by the debtor because the creditor was negligent in giving their password away. Would that negligence override the debtor's duty to deliver the funds into the right account, and would the debt then be considered paid because of it?

Likewise, if the debtor's email account was hacked (the scam can be run that way as well), would the debtor not be considered negligent, and would the debtor also be deemed not to have delivered the funds? In that case the debtor has a weak case to prove the debt is paid. In practice, though, it is usually the person receiving the funds whose email is hacked.

The question is: if the creditor's email was compromised, and the debtor was given the forged bank account to pay into, would the debt be considered paid?

The unfortunate conclusion is that in almost all cases the creditor would be deemed unpaid, and the debtor would be considered not to have discharged the debt and to still be liable. Courts follow the basic legal principle that it is the debtor's responsibility to transfer the funds as per the creditor's instruction. In the case of invoice interception and the fraud that follows, it is not the creditor who changed the payment instruction, no matter how artful the fraud and the false correspondence. Under basic common law the debt will be considered unpaid because the funds were not delivered, and the debt is still due.

However, there are two flimsy lifelines: negligence and reasonableness.

1 - Negligence on the part of the creditor

If the debtor can prove that the creditor was grossly negligent in allowing their email password to be stolen (assuming that the creditor's mailbox was compromised to effect the fraud), then there would be contributory liability which could lower the quantum and lead to a lesser award. The debt could be reduced.

However, this could be extremely difficult to prove and would require the creditor's full cooperation in allowing a forensic audit of their mailboxes. They may be reluctant to help prove their own negligence. The mail host's security and abuse engineers would also need to be enlisted, and they are generally reluctant to get involved in issues which will result in court appearances.

Examples of gross negligence would be weak passwords, documents stored online listing username/password pairs, and the use of default or easy-to-guess passwords. The creditor, for example, should have instructed all employees to change the originally assigned password to one known only to themselves, published strong-password guidelines, and insisted that employees confirm every six months that they have changed their passwords. If the creditor can prove that they did so, your negligence defence is destroyed.

Remember that the onus of proving the creditor's negligence rests on you, the debtor.

2 - Actions of the "Reasonable Man"

The test of what could be expected of the "reasonable man" would apply in two instances.

- What would be reasonable in terms of the creditor taking enough care not to be duped into releasing passwords to a phishing ruse, and taking reasonable care of passwords generally? What would the reasonable creditor do to ensure that the passwords could not be breached?

- You, the debtor: was it reasonable for you to believe that the fraudulent communication sent to you by the scammers was a genuine invoice from the creditor? Have you received invoices in the past on which the creditor noted that they would never change bank accounts unless you were advised verbally by your contact person? Has the account moved from a mainstream bank (FNB, Standard, Absa) to a banking group more associated with low-cost personal banking (Capitec, TymeBank) which is less often used by corporate business? These are issues that weaken your case rather than strengthen it.

These scams are becoming widespread and the courts are aware of earlier judgments. The public is also becoming more aware (including that reasonable man), and this further weakens the debtor's case.


IS THERE PRACTICAL ADVICE FOR THE DEBTOR ?


Given the confusing technical issues and the initial interpretation of the points of law, it may be opportune to offer some form of mediated settlement. An example would be for the debtor to persuade the creditor that, because of the murkiness of the issues, each party should bear 50% of the loss. This is helped by the general perception that the debtor was unfairly tricked after making a good faith payment.

Initially, because the fraud clearly originated inside the creditor's systems, the creditor may be more disposed towards a negotiated settlement. If you can get early agreement on that, it may be your best result.

The amount of the fraud, relative to the cost of legal fees and the possible award of costs, is relevant to the creditor's decision to sue. Assume the debt is R35,000. Each side could incur legal costs of around R10,000 if a court appearance is involved. If the creditor wins (the likely outcome), then you, the debtor, could end up paying R45,000 (the debt plus your own costs), and if you also have to pay the creditor's costs that rises to R55,000.

The additional costs are significant for a claim of around R30,000 but far less so when the amount is R100,000 or more.

Approaching the Small Claims Court would probably not be to the debtor's advantage. However, the SCC is known for the occasional less than perfect judgment, and an unusual award more in the debtor's favour could result. A higher court would most likely rule in the creditor's favour. The SCC is limited to a maximum claim of R20,000.

The frauds we have seen are often upwards of R50,000, which is on the cusp of whether or not it is worth suing.

The creditor would also be weighing this risk, and for a debt of R40,000 or less would presumably be less likely to risk an adverse costs award.

Conclusion : best to negotiate early to minimise your loss.


HOW DO I PROTECT MYSELF AGAINST THESE SCAMS ?


There are a number of precautions that can be taken which would minimise this risk.
 
  1. Increase the vigilance and awareness of staff who issue large invoices.
     
    • Know the signs ..... If there are unusual delays in incoming mail, of several hours or even up to a day, your mail may be in the process of being intercepted, read and sent on. The Received headers of a delayed message show where it waited.
       
  2. Ensure that all staff are very aware of the dangers of phishing.
     
  3. Consider changing all user passwords and NOT releasing those passwords to the users.
     
    • This works on the principle that if the user does not know their password (a technical person configured their email client) then they cannot give it away.
       
    • A major drawback is that the user would not be able to access webmail (which requires the password) and therefore could not monitor the spam folder on the server mailbox.
       
    • It also does nothing about a filter the scammer has already installed; that needs the check in item 4. Where the host offers two-factor authentication on the mailbox, enable it.
       
  4. Have all mail accounts checked for unauthorised filters and forwarding settings, and disable the filtering function for each user who does not need it.
     
    • This is a cleansing and inoculation process and is highly recommended. Changing a password does not remove a filter that is already in place, so repeat this check after every suspected phishing incident.
       
  5. Consider adding a footer to all outgoing emails stating that bank account changes would never be made without prior verbal confirmation with customers. Suggest that new customers making their first payment first make a small test payment and confirm receipt by telephone.
     
    • Perhaps this is added only to the emails of those staff who correspond with customers who make large payments.
       
  6. If you have appointed an Information Officer (as required in terms of the POPI Act), ensure that an annual review of these procedures is scheduled.
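The filter described under "How did this happen?" is normally a server-side rule, and item 4 above asks you to hunt for it. The script below is an added example written for this page, not code from the original article or from any mail host. It assumes the host runs a Sieve-capable mail server (Dovecot, for instance) from which each user's active Sieve script can be exported, and it treats example.co.za as the organisation's own domain; the Sieve script it audits is constructed for the example. It flags every rule that redirects mail to an outside address and ranks highest the two patterns the article describes: a redirect keyed on words like invoice, statement or bank account, and a redirect followed by a discard so that the real owner never sees the mail. Hosted platforms keep equivalent inbox rules behind their own admin interfaces, which this script does not cover.

```python
"""Audit a user's Sieve script for the invoice-interception filter pattern."""
import re
from dataclasses import dataclass

# Assumed: the organisation's own mail domains. Redirects anywhere else are "external".
INTERNAL_DOMAINS = {"example.co.za"}

# Words the scammers key their filters on, per the article's description.
TRIGGER_WORDS = ("invoice", "statement", "debtor", "creditor",
                 "bank account", "remittance", "payment")

# Constructed sample script: one legitimate rule and two attacker-installed rules.
SAMPLE_SIEVE = r'''
require ["fileinto", "copy", "body"];
# legitimate: file the newsletters
if header :contains "list-id" "newsletters" {
    fileinto "Newsletters";
}
# attacker: silently copy anything that looks like money talk
if anyof (header :contains "subject" ["invoice", "statement"],
          body :contains "bank account") {
    redirect :copy "collect.payments@mail-monitor.example";
}
# attacker: divert one debtor entirely so the victim never sees the thread
if address :is "from" "accounts@bigcustomer.example" {
    redirect "collect.payments@mail-monitor.example";
    discard;
}
'''


@dataclass
class Finding:
    rule_no: int      # 1-based position of the top-level if/elsif/else block
    severity: str     # "high" or "medium"
    reason: str
    condition: str    # the rule's test, whitespace-normalised


BLOCK_RE = re.compile(r"\b(?:if|elsif|else)\b")
REDIRECT_RE = re.compile(r'\bredirect\b(?P<copy>\s+:copy)?\s+"(?P<addr>[^"]+)"')
DISCARD_RE = re.compile(r"\bdiscard\b")


def split_rules(script):
    """Return (condition, body) per top-level block, matching braces so nested ifs stay inside."""
    text = "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("#"))
    rules, pos = [], 0
    while True:
        m = BLOCK_RE.search(text, pos)
        if not m:
            return rules
        open_brace = text.find("{", m.end())
        if open_brace < 0:
            return rules
        depth, j = 1, open_brace + 1
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        condition = " ".join(text[m.end():open_brace].split())
        rules.append((condition, text[open_brace + 1:j - 1]))
        pos = j


def audit_sieve(script, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that send mail outside the organisation; keyword or discard rules rank high."""
    findings = []
    for no, (condition, body) in enumerate(split_rules(script), 1):
        keyed = [w for w in TRIGGER_WORDS if w in condition.lower()]
        diverted = DISCARD_RE.search(body) is not None
        redirects = REDIRECT_RE.findall(body)  # list of (copy_flag, address)
        for copy_flag, addr in redirects:
            if addr.rsplit("@", 1)[-1].lower() in internal_domains:
                continue  # forwarding to a colleague is normal
            if keyed:
                findings.append(Finding(no, "high",
                    f"external redirect to {addr} keyed on {', '.join(keyed)}", condition))
            elif diverted:
                findings.append(Finding(no, "high",
                    f"external redirect to {addr} followed by discard; owner never sees the mail",
                    condition))
            else:
                tag = " (silent :copy)" if copy_flag else ""
                findings.append(Finding(no, "medium", f"external redirect to {addr}{tag}", condition))
        if keyed and diverted and not redirects:
            findings.append(Finding(no, "medium", "keyword rule silently discards mail", condition))
    return findings


if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SIEVE):
        print(f"rule {f.rule_no} [{f.severity}] {f.reason}\n    when: {f.condition}")
```

Run it over every exported script, not just the accounts mailbox: the scammer installs the rule wherever the phished password worked, and a medium finding on an unrelated user is still a redirect you did not put there.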
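Item 1 above says that unusual delays in incoming mail are a warning sign. The Received headers a message collects on its way in record when each server handled it, so the delay can be measured rather than guessed. The script below is an added example for this page, not code from the original article; the message it parses is constructed, with example hostnames and addresses. One caveat: only the Received lines added by your own mail servers can be trusted, since the sender, or a scammer re-injecting the mail, controls everything below them, so the gap at the first hop your own server recorded is the one to look at.

```python
"""Measure how long a message took to arrive, hop by hop, from its Received headers."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: a remittance advice that left the customer's server at 09:12
# and only reached our mailbox at 16:40, after sitting at an unfamiliar relay.
SAMPLE_MAIL = b"""Received: from mx.example.co.za (mx.example.co.za [203.0.113.10])
    by mail.example.co.za with ESMTP id abc123
    for <accounts@example.co.za>; Tue, 04 Jun 2019 16:40:10 +0200
Received: from relay.mail-monitor.example (relay.mail-monitor.example [198.51.100.7])
    by mx.example.co.za with ESMTP id def456;
    Tue, 04 Jun 2019 16:40:05 +0200
Received: from smtp.bigcustomer.example (smtp.bigcustomer.example [192.0.2.25])
    by relay.mail-monitor.example with ESMTP id ghi789;
    Tue, 04 Jun 2019 09:12:33 +0200
Date: Tue, 04 Jun 2019 09:12:01 +0200
From: accounts@bigcustomer.example
To: accounts@example.co.za
Subject: Remittance advice for invoice 10234

Please see the attached remittance.
"""

BY_RE = re.compile(r"\bby\s+([^\s;()]+)")


def received_chain(raw):
    """Return (receiving_host, timestamp) per hop, oldest first.

    Each server prepends its Received line, so header order is newest first;
    the timestamp is whatever follows the last ';' of the line.
    """
    msg = email.message_from_bytes(raw)
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        hop_text, _, stamp = hdr.rpartition(";")
        m = BY_RE.search(hop_text)
        chain.append((m.group(1) if m else "?", parsedate_to_datetime(stamp.strip())))
    return chain


def hop_gaps(raw):
    """Seconds the message waited before each receiving host accepted it."""
    chain = received_chain(raw)
    return [(host, (t - prev_t).total_seconds())
            for (_, prev_t), (host, t) in zip(chain, chain[1:])]


def end_to_end_seconds(raw):
    """Seconds from the sender's Date header to final delivery; None if either is missing."""
    msg = email.message_from_bytes(raw)
    chain = received_chain(raw)
    if not msg["Date"] or not chain:
        return None
    return (chain[-1][1] - parsedate_to_datetime(msg["Date"])).total_seconds()


def flag_delays(raw, threshold=3600):
    """Hops where the message sat longer than `threshold` seconds (default one hour)."""
    return [(host, gap) for host, gap in hop_gaps(raw) if gap >= threshold]


if __name__ == "__main__":
    for host, gap in hop_gaps(SAMPLE_MAIL):
        print(f"{gap:9.0f}s before {host}")
    print("end to end:", end_to_end_seconds(SAMPLE_MAIL), "s")
    print("suspicious:", flag_delays(SAMPLE_MAIL))
```

In the sample the seven-hour gap sits in front of mx.example.co.za, the first hop under your control, and the server it waited at is one you have never seen before; that combination, on a message about a payment, is exactly the sign item 1 describes. A long gap on its own proves nothing (greylisting and queued retries cause them too), so treat the output as a prompt to check filters, not as proof.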
     

