The first time I heard about this type of scam was about 2 years ago. An importer noticed that he received emails from “marc0@…” (with a zero at the end) instead of the usual “marco@…”.
A hacker had penetrated the supplier’s email account, created a new email address, and was asking for a deposit higher than previously agreed to. They also sent an invoice that called for payment to a different bank account.
And it seems like this type of scam is on the rise. I have heard of many similar cases recently, including one instance where over half a million USD was stolen! The bank could trace the origin to one country, then another, then another… and then it was impossible to trace back to the source.
Obviously, many Chinese suppliers have heard of this, too. Just this morning, I saw this message in a supplier’s signature (in big bold red letters):
(Any E-mail about Change of [their company] company name and bank accounting no.,please confirm with us by phone )
What is the supplier’s responsibility in this case?
I am not a lawyer so I won’t mention legal liability issues. But two things are clear to me:
- The supplier is, arguably, more at fault than the buyer. After all, they didn’t ensure their email system was secure… Or, worse, maybe one of their employees got paid to facilitate that scam… Or maybe they didn’t get hacked and they are pulling this off by themselves after all!
- Chinese suppliers’ lack of professionalism is making this type of scam MUCH easier than it should be. Buyers have gotten used to working with suppliers that issue invoices in the name of another company, that send emails through @163.com or @yahoo.com addresses, and so on. It is so common, few buyers question it. (I wrote about this here).
And, the most important question is…
How to avoid falling victim to this scam?
Dan Harris, over at the China Law Blog, wrote this advice in China Fraud Season Starts Early This Year:
- The computer networks of many Chinese companies are not secure. The networks are subject to abuse by employees of the Chinese company and by outsiders. This means that you can NEVER trust an email communication from a Chinese company. Email is inherently insecure in China and you never know with whom you are really dealing when engaging in electronic communication with Chinese companies.
- Chinese companies tend to be very loyal to their banks and so you should view with extreme suspicion any request to make a change in the payment bank. You should not even consider following such a request unless the request is made in writing on a revised purchase order stamped with the company seal. Even in that case, it is important to contact someone you know in the company with supervisory authority to ensure that the request is valid. Email requests to make a change should be ignored, but the request should be forwarded to your trusted Chinese company contact for an explanation.
- Carefully review all bank account information. Monitor both the name of the payee and the location of the bank. Where the payee is even slightly incorrect, do not pay. Where the location of the bank is in the wrong city or country, do not pay. I have seen cases where foreign buyers paid to bank accounts outside of China to payees with no connection to the seller. These cases were all obvious frauds and the buyers lost their entire payment. I have seen millions of dollars vanish into thin air with this sort of scam. The Chinese parties committing the fraud will explain the need for this irregular payment as part of a plan to hold foreign currency outside of China. This kind of arrangement is no longer required in China. Explanations of this kind are indicia of fraud and should be ignored.
All excellent advice. I would add this: make sure you know several people who work with each of your suppliers. When a weird invoice comes up, or when your contact says “the factory is bankrupt”, you’ll have someone else to call and ask questions.
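One way to automate two of the checks above on the buyer's side (look-alike sender addresses such as “marc0@…”, and bank details that differ from the verified record), as an added example that is not part of the original post. The contact list, bank record, look-alike map and 0.9 threshold are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample data: contacts and bank details you verified out of band
# (by phone, or on a stamped purchase order). All names are hypothetical.
KNOWN_CONTACTS = ["marco@supplier.example", "li.wei@supplier.example"]
BANK_ON_FILE = {"payee": "Supplier Trading Co Ltd", "bank_country": "CN",
                "bank_city": "Shenzhen", "account": "000111222333"}

# Small, non-exhaustive map of digits that pass for letters at a glance.
LOOKALIKES = str.maketrans("0135", "oles")


def skeleton(address):
    """Lower-case an address and fold look-alike digits into letters."""
    return address.strip().lower().translate(LOOKALIKES)


def similarity(a, b):
    """Similarity (0..1) of two addresses after look-alike folding."""
    return SequenceMatcher(None, skeleton(a), skeleton(b)).ratio()


def classify_sender(address, known=KNOWN_CONTACTS, threshold=0.9):
    """Return ('known' | 'lookalike' | 'unknown', closest verified contact)."""
    addr = address.strip().lower()
    if addr in known:
        return "known", addr
    best = max(known, key=lambda k: similarity(addr, k))
    if similarity(addr, best) >= threshold:
        return "lookalike", best
    return "unknown", None


def payment_mismatches(invoice, on_file=BANK_ON_FILE):
    """List the bank fields on an invoice that differ from the verified record."""
    def norm(value):
        return " ".join(str(value).lower().split())
    return [f for f in on_file if norm(invoice.get(f, "")) != norm(on_file[f])]


def review(sender, invoice):
    """Release a payment only for a verified sender with unchanged bank details."""
    status, _ = classify_sender(sender)
    changed = payment_mismatches(invoice)
    if status == "known" and not changed:
        return "pay"
    return f"hold: sender={status}, changed={changed}"
```

A request from the genuine address still goes on hold when the bank fields change, which covers the case where the supplier's real mailbox has been taken over.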
Any other tips to avoid this scam?
Etienne Charlier says
Good warning. This is indeed increasing.
When there is any change regarding bank information for payment, or the company (legal entity) used to receive payment, it is always safer to request a letter from the company listing the changes and “chopped” with the red company seal. This will dramatically reduce the risk of scam.
Also, a similar approach is required when the account name (banking info) and the company name on the business licence are not the same. It may be legitimate (normally the Chinese name will be the same but sometimes the English name will vary) but there must be a good explanation to avoid scam again.
Renaud Anjoran says
Yes that’s true. Good advice, thanks Etienne.
China Checkup says
“The supplier is, arguably, more at fault than the buyer. After all, they didn’t ensure their email system was secure.”
I think that’s probably a little bit unfair as a requirement. Email is inherently insecure, and systems to try and keep it more secure are nowhere near universal yet. Currently it’s still very easy to pretend to be sending from a particular email address. There is little that the legitimate owner of the email address can do about this; they wouldn’t even be aware it was happening until they got ‘replies’ to the spoofed emails.
https://en.wikipedia.org/wiki/Email_spoofing
Renaud Anjoran says
Actually that’s a good point. Thanks for pointing this to me.
But the email hacking I was describing is (in most cases) based on more than email spoofing. The hacker creates a new email address on the supplier’s email server, so that he can receive the responses from the supplier. I still think suppliers bear some responsibility, don’t you think so?
China Checkup says
Yes, that’s a good point. If a hacker had actually gained access to their email system in order to impersonate them, I agree that would be at least partly their fault!
sam says
DEAR SIRS, I WOULD LIKE TO TELL MY STORY. I HAD AN ORDER FROM INDIA, ALREADY PAID A DEPOSIT TO COMPANY “A” ACCOUNT “B”. AFTER 3 MONTHS THE ORDER WAS READY FOR SHIPMENT AND I HAVE BEEN ASKED TO MAKE THE TRANSFER TO THE SAME COMPANY “A” ACCOUNT “B” SO I REPLIED WITH CONFIRMATION, BUT I RECEIVED AN EMAIL TO MAKE THE TRANSFER TO COMPANY “C” ACCOUNT “B” SAME BANK. I REFUSED TO DO SO AND ASKED MULTIPLE QUESTIONS AND EVEN CONTACTED THE COMPANY THROUGH PHONE AND THEY CONFIRMED THE “B” COMPANY. AFTER 4 DAYS OF DELAY FROM OUR PART WE RECEIVED AN EMAIL REQUESTING TO MAKE THE TRANSFER TO COMPANY “A” WITH ADDED NAME TO IT ACCOUNT “D” OFF SHORE BANK IN LONDON (CLAIMING THAT THIS ACCOUNT WAS MADE BECAUSE WE REFUSED TO MAKE TRANSFER TO COMPANY “B”)
WE DID SO WITH 2 TRANSFER AND FOR 4 DAYS WE RECEIVED MAILS CONFIRMING THE RECEIPT OF THE TRANSFER AND THAT THE DOCUMENTS WILL BE SENT , BUT AFTER 2 DAYS WE RECEIVED AN EMAIL ASKING US FOR THE MONEY AND DENYING ANY RECEIPT , A PHONE CALL ALSO CONFIRMED THE LATEST , ALSO AN E MAIL FROM THE SUPPLIER ADMITTING THAT HIS E MAIL WAS HACKED AND A NEW E MAIL WAS ADMITTED .( THE GOODS ARE UNDER DISPUTE IN COURT OF LAW BETWEEN US AND THE SUPPLIER ) .
YOU MAY SAY THAT IT IS MY FAULT FOR LACK OF AWARENESS (YOU ARE TRUE) BUT MY POINT OF VIEW IS 1- HOW CAN A HACKER INTERFERE AT THE PERFECT TIME AND GO WITH THE SCAM WITHOUT HAVING A HELP FROM INSIDE WHO PROVIDED THE INFO 2- HOW CAN A HACKER PROVIDE AN ACCOUNT (A COMPANY ACCOUNT) IN SUCH SHORT PERIOD OF TIME (UNLESS IT WAS PLANNED) 3 – ALL E MAILS WERE DIRECTED FROM THE SAME PERSON (THE SUPPLIER CONTACT) WHOM WE SUSPECT. SO I AM WITH MR RENAUD THAT SUPPLIER RESPONSIBILITY IS GREAT
Renaud Anjoran says
Thank you Sam. And sorry about what happened to you!
Security says
But the question is how hackers are able to gain access to email and know each and every communication being done between buyer and supplier. Sometimes they spoof, register a similar domain name, and sometimes they create a Gmail ID with the company name.
Any idea how it works? And what security measures can be taken? (Of course we should install a good antivirus and not open unknown emails etc.)
But if we know how exactly, we can catch the incident.
Appreciate valuable information
Renaud Anjoran says
I am not sure about the “how” it happens. There are probably different ways to infiltrate email servers.
What I have an idea about is the “what” to do to prevent this problem, on the buyer’s side. I suggest you read https://www.qualityinspection.org/bank-info-scam-china/.