In recent times, phishing attacks have become far more common. We are aware of several incidents. Those who have been attacked should certainly not feel alone.
One popular variation is for the defrauding party to gain access to an individual’s email account. This may happen when the attacker sends an email containing a link to the individual’s email address. If the recipient clicks on the link, this starts a process by which the attacker is able to gain access to, and often unseen control over, the individual’s mailbox.
What commonly happens is that the scammer either lurks in the email account or sometimes creates an email account which is disguised to look like the account of the original recipient. The scammer then trawls through the recipient’s email account and takes or accesses information contained in it.
It is not unusual for the scammer to be looking for invoices payable to the original recipient by third parties and then to send an email (apparently from the account) to the third party to direct payment of the invoice to a new bank account. Some explanation is often given as to why this change is to occur.
Unsuspecting third parties often heed that instruction and make payment over. The funds are rapidly disbursed from the fraudster’s bank account. Recovery from the fraudster is often very difficult, if not impossible.
What is the position in these circumstances? Who suffers the loss? Is it the recipient whose invoice has been paid away to the scammer’s account, or is the third party at risk of having to pay the invoice a second time?
Often the bogus emails do not bear close scrutiny. There are quite often some telltale signs within the email, such as some of the cc recipients or the language used, which indicate that the email may not be genuine.
In circumstances where the email is self-evidently not genuine, there is a very real risk that a third party has not discharged the debt in making payment in accordance with the instructions in that email.
There is also a very serious question to be determined whether or not it is appropriate for a third party ever to accept a direction given via email to change their payee’s banking account. This is all the more so when large sums are involved.
We recommend that wherever a third party receives an email of a kind directing a change in banking account or a change to payment details, some form of simple independent verification should be undertaken to check the veracity of that instruction. This may be as simple as a phone call (of course not relying on any telephone numbers given within the email) or an email, during ordinary office hours, to the organisation from whom the direction has come. Again, of course, this should not be done as a reply to the email received giving the instruction.
Scamming is becoming more common and more sophisticated. All parties need to be alive to it.
If in doubt, verify. The loss may not always lie with the phishing victim. The paying party may not have discharged the debt.