Imagine you run a jewellery shop in your town and regularly buy large quantities of gemstones from a trader abroad. What would you do if your trader sent you an e-mail telling you that the IBAN you use to pay your invoices has changed? If your answer is “change the IBAN stored in my e-banking”, you would be easy prey for fraudsters, as cybercriminals regularly manipulate payment orders with fake e-mail invoices.
To send messages from someone else’s mailbox unnoticed, fraudsters take control of an e-mail account belonging to a private individual or company – such as your trader – and thus gain access to their correspondence. The hackers also make use of their saved contacts. As soon as they have access, the fraudsters can send a modified “original” invoice to a shop owner by e-mail. In order to appear credible, they add a simple note stating, for example, that the bank details have changed. The shop owner pays into the new IBAN on the assumption that the e-mail was sent by the trader. However, in this case the money will be sent to the hackers rather than to the trader.
The fraud is usually only noticed a few days later when the trader asks why the invoice hasn’t been paid yet. In such cases, the victim – the jewellery shop owner in this instance – has no way of knowing that they are communicating with cybercriminals. After all, they are using the trader’s real e-mail address. You should therefore always confirm any changes to payment details. E-mail enquiries can also end up in the wrong hands if the e-mail account has been hacked. It is therefore essential to check by telephone if you are asked to make a payment to a new bank account. If the trader confirms the new IBAN over the phone, the amount can be transferred using the new payment details without a second thought.