13 February 2018

Payment Diversion Fraud - A disturbing new hacking trend hitting corporate Australia

When Sydney business owner, Mr Tony Davies (not his real name), hit the send button on the $175,000 payment to Malaysia in October 2017, he had a bad feeling about the payment. His gut instinct told him something was wrong but he needed the shipment of products urgently to satisfy his customers in Australia.

He had met his Chinese supplier, Mr Jack Sim (not his real name), in person some months previously. Mr Sim was a reputable Chinese building product supplier who manufactured products from his factory in Fujian province. Mr Sim’s office girl, Tammi, dealt with all financial matters involving the company.

In early October 2017, Mr Davies sent his first deposit, for a large order of products, to the Chinese bank account controlled by Mr Sim’s company. The product order was prepared for shipment.

When Mr Davies was preparing to send the final payment of $175,000, he received an urgent notice from Tammi by email not to pay the money into their China bank account as they had some tax issues with the Chinese authorities. She advised him that the money needed to go into their Malaysian account as they wanted to keep the funds offshore whilst they sorted out their tax problem.

Mr Davies expressed his concern to Tammi about sending the funds to Malaysia but was convinced by Tammi that this was the only option. “Sir, we use overseas accounts for many of our international customers, this is normal for China business and Mr Sim has told me to give you this message”, Tammi wrote in her email.

The products needed to be shipped urgently and the only option was for Mr Davies to pay the funds into their Malaysian account or face delays. “Okay Tammi I will make the wire today, thank you”, Mr Davies wrote. “Please send the remittance immediately so we can release the products”, Tammi responded. Mr Davies wired the funds and sent Tammi the remittance but something worried him about sending the funds to Malaysia.

Several days later, Mr Davies received an email from Tammi stating, “Sir, we have not received the funds, please send urgently”. Mr Davies immediately responded saying the funds were already sent to the Malaysian bank account and the remittance was also sent. “Sir, I did not receive any remittance from you and we don’t have a Malaysian bank account”, Tammi replied.

Mr Davies slumped on his desk with shock. “How could this be possible, I will forward you the email again”. Mr Davies sank further into shock and despair when he received the real Tammi’s response. “Sir, that’s not my email address, that’s a fake, it’s my signature details but not my email, how could this happen?”. Mr Davies was gutted. He had just become the latest victim in a new crime wave targeting corporate businesses in Australia.

The hackers had entered the email communication between Tammi and Mr Davies and were monitoring every conversation. They cleverly set up an email address almost identical to Tammi’s and used her real email address in the signature. They also set up an email address almost identical to Mr Davies’s and communicated with Tammi, making excuses why the payment was delayed. Both parties were communicating with the hackers and not each other. The fraud was blatant but clever. The fraudsters knew when to strike and celebrated another big pay day before disappearing offline, never to be seen again.

This new trend of payment diversion fraud has become much more prevalent in Australia during 2017. The hackers are always offshore and work with highly organised fraud groups to perpetrate the frauds in an anonymous online environment. They slip away before any action can be taken. The offshore bank accounts are closed and the money withdrawn in cash before the accounts can be frozen. The evidence trail is cold before law enforcement agencies can even record a complaint. The jurisdiction of the fraudsters is never known, so no law enforcement agency will put their hand up to take the complaint, let alone investigate the fraud.

So, what can be done to avoid these costly frauds? Firstly, companies need to be made aware of these frauds and have proper countermeasures in place for sending money overseas. Even a simple code word only shared with the genuine supplier could be used by text message to verify payments. Secondly, companies must ensure that their emails and servers are secure. Regular penetration testing can be carried out to check for vulnerabilities. Software security updates should be kept current and email programs should be regularly checked and updated by an IT security professional. Many companies become so busy that they forget to patch simple flaws in their systems or to update their software, not knowing that exploits and vulnerabilities have been identified that put their online security at risk.
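The lookalike-address pattern described earlier (a sender address almost identical to the supplier's, with the supplier's real address in the signature) can be checked mechanically on inbound mail. The following is an added example, not part of the original article; the addresses, domain names, allow-list and function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: supplier addresses confirmed out-of-band (hypothetical).
KNOWN_CONTACTS = {"tammi@sim-building.example"}
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: sender domain swaps "l" for "1"; signature shows the real address.
SPOOFED = """From: Tammi <tammi@sim-bui1ding.example>
To: tony@davies-supplies.example
Subject: Urgent: change of bank account

Sir, please pay into our Malaysian account.

Tammi
Email: tammi@sim-building.example
"""
GENUINE = SPOOFED.replace("sim-bui1ding", "sim-building")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw, known=KNOWN_CONTACTS, max_dist=2):
    """Return findings for one inbound message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in known:
        return []
    body = "".join(p.get_payload() for p in msg.walk()
                   if not p.is_multipart() and isinstance(p.get_payload(), str))
    quoted = {a.lower() for a in ADDR_RE.findall(body)}
    findings = []
    for good in sorted(known):
        # Near-miss of a trusted address: the lookalike described in the article.
        if edit_distance(sender, good) <= max_dist:
            findings.append(f"lookalike-sender:{sender}~{good}")
        # Trusted address appears in the body but the mail did not come from it.
        if good in quoted:
            findings.append(f"signature-mismatch:{good}")
    return findings
```

Calling `check_message(SPOOFED)` returns both findings, while `check_message(GENUINE)` returns an empty list. A hit is a prompt to verify the payment request through a separate channel before any funds are sent.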

These vulnerabilities can be easily identified by foreign-based hackers using sophisticated remote access tools to silently gather data about your company’s computer habits, email usage, security software, browser types and operating systems. Many companies that operate in the manufacturing industry don’t place enough emphasis on their computer security until it’s too late. For Mr Davies, it’s a $175,000 lesson learned. In the meantime, the hackers who got his money are busy perpetrating the next attack.

Written by: Ken Gamble

Ken Gamble is the Executive Chairman of IFW Global, an international cybercrime intelligence firm. 
He is also the current Australian chairman of the International Association of Cybercrime Prevention. 

Professional investigator, corporate security specialist and cyber crime expert with 30 years’ experience working with multinational corporations.


