“Man-in-the-email” Scam

In 2013, at least 3 companies in Washington State were led to believe they were sending money to an established business partner in China. However, fraudsters intercepted the emails and conned the purchasers out of their money, which between them totalled roughly $1.65 million. This form of scam is being called a “man-in-the-email” scheme.

Many companies do business with others overseas and use email to exchange invoices and other financial information. Scammers are becoming more and more sophisticated in their techniques to hijack these communications and trick people into believing they are still dealing with the genuine company.

In each case the scammers intercepted emails between the purchasing and supply companies and then spoofed subsequent emails, impersonating each company to the other. These emails directed the purchasing companies to a new bank account, a change the scammers said was because of an ‘internal audit’. However, metadata collected from these messages showed that they actually originated from Nigeria or South Africa.

This could result in the supplier shipping legitimately ordered products and not receiving payment, or in the purchaser making a payment and never receiving the ordered goods, damaging the reputations of the companies and any future business they may have together.

Top tips to reduce your chance of being scammed

  • Make sure you use other forms of communication, like telephone calls, to verify transactions. Arrange this second form of authentication early on and not via email to avoid interception by a fraudster.
  • Utilise digital signatures in email accounts.
  • Avoid free, web-based email. Create a company website domain and use it to establish company email accounts.
  • Do not use the ‘Reply’ option; instead, use the ‘Forward’ option and type in the correct address or select it from your address book. This ensures the email address you use is the real one.
  • Delete spam immediately. Do not open it, click on links or open any attachments.
  • Beware of sudden changes in business practices. For example, if someone asks you to contact them using a personal email address when all other correspondence has been via company email, verify via other communication channels that you are still talking to your legitimate business partner.
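The ‘Reply’ and ‘sudden change’ tips above can be partly automated. The following is an added example, not part of the original article: it checks the From and Reply-To headers of a message against a list of known partner domains. The domain names, the webmail list and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: short illustrative list of free webmail domains; extend as needed.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample messages (not taken from any real case).
LEGIT = "From: Accounts <accounts@supplier.example>\nSubject: Invoice 1\n\nSee attached.\n"
REPLY_SWAP = ("From: Accounts <accounts@supplier.example>\n"
              "Reply-To: accounts.supplier@gmail.com\n"
              "Subject: New bank details\n\nInternal audit.\n")
LOOKALIKE = "From: Accounts <accounts@suppl1er.example>\nSubject: New bank details\n\nAudit.\n"

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw, known_partner_domains):
    """Return a sorted list of warning labels for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    # Pressing 'Reply' sends to Reply-To when present, so check that too.
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    warnings = set()
    if reply_dom != from_dom:
        warnings.add("reply-to-differs")
    for dom in {from_dom, reply_dom}:
        if dom in FREE_WEBMAIL:
            warnings.add("free-webmail")
        elif dom not in known_partner_domains:
            close = any(0 < edit_distance(dom, k) <= 2 for k in known_partner_domains)
            warnings.add("lookalike-domain" if close else "unknown-domain")
    return sorted(warnings)

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("reply", REPLY_SWAP), ("lookalike", LOOKALIKE)]:
        print(name, check_message(raw, {"supplier.example"}))
```

A clean result only means the visible addresses match the known partner; it does not replace verifying payment changes by telephone.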

What if I have been scammed?

If you believe you have been a victim of a scam like this, please contact your local authority (FBI, Interpol, Chinese provincial police etc.) and give them as much detail as you can, including the following:

  • Header information from email messages
  • Identifiers for the perpetrator (name, website, bank account, email addresses etc.)
  • Details on how, why and when you believe you were defrauded.
  • Actual and attempted loss amounts.
  • Other relevant information you believe is necessary to support your claim.
  • Reference to the man-in-email fraud.

For more information please see the FBI press release.