Cyber criminals have been stealing money by hacking bank accounts and placing unauthorized wire transfers for years. Lately, we have seen a new twist on this scam. In this new version, a cyber criminal hacks the e-mail account of a seller or vendor. The criminal then sends an e-mail to the buyer changing the wire transfer instructions for a large purchase. The e-mail appears to be from the vendor because it is from the vendor's e-mail account. And, because the hacker knows all about the transaction from the e-mail correspondence, the phony communications have all the necessary detail to appear legitimate. Sometimes, the hacker will send diversionary e-mails from the buyer back to the seller. Only after the wire transfer is placed, when the vendor claims it has not been paid, is the fraud uncovered. While a forensic investigation should shed light on how the scam was perpetrated, it may be impossible to retrieve the funds, and it may not be clear which party - the buyer, the seller or an insurance carrier - will bear the loss.
Both buyers and sellers can reduce the risks associated with this kind of scam. Buyers can avoid problems by refusing to act on wire transfer information sent via e-mail, and by double-checking any changes to wire transfer instructions by telephone, fax or another non-e-mail form of confirmation. Additionally, buyers should consider whether their written agreements allow vendors to rely on e-mail correspondence regarding payment directives.
In addition to implementing robust cyber security policies, sellers should consider contract language that would prohibit buyers from relying on e-mails containing wire transfer instructions.