Beware this South African invoice scam

Jamie McKane

MyBroadband Journalist

Carte Blanche recently highlighted the problem of invoice scams in South Africa, where companies and individuals are scammed out of large amounts of money.

This report follows the high-profile case where Goliath and Goliath and its subsidiary The PR Bailiff were scammed out of R285,000 by hackers who intercepted and altered their invoices.
 

deesef

Years ago, I implemented a very simple system for my payments that protects me from this type of fraud. My reason for doing so was to prevent possible "finger trouble", but it makes banking that much more safe in general.

When I need to create a new beneficiary on my banking profile, I always transfer R5.00 as the first payment. I then get confirmation directly from the person or company that the R5 had been received. After that, I continue with transactions and payments on the detail that is already saved on my online bank profile.
 

supersunbird

> Years ago, I implemented a very simple system for my payments that protects me from this type of fraud. My reason for doing so was to prevent possible "finger trouble", but it makes banking that much more safe in general.
>
> When I need to create a new beneficiary on my banking profile, I always transfer R5.00 as the first payment. I then get confirmation directly from the person or company that the R5 had been received. After that, I continue with transactions and payments on the detail that is already saved on my online bank profile.

How do you get this confirmation?
 

Sollie

They aren't intercepting invoices... They're hacking email accounts...
Setting up forwarding rules, blocking email address ... all once in. May be hacking, phishing or even malware/keyloggers. Amazingly, much of the malware that is hitting local businesses is not even reflecting on virus scans. It takes a day or two before the AV vendors pick up on it.

To add insult to injury, where such is noticed, the sender has to alert the recipient bank of the problem. To see how this plays out:
A at bank X pays an altered invoice to B-fake at bank Y under name C, not B-fake. B-real also has an acct at bank Y.
A realizes it after B phones him.
A alerts banks X and Y. He is told via bank Y he has to recall payment via his bank X once he has a SAPS case nr.
B-real also alerts bank Y, his and the fraudster's bank. Sends proof of altered docs. Y also tells him A has to do it via bank X once he has case nr.
SAPS-in-the-stix takes a day to issue a case nr.
By the time the bank Y inter-bank processes complete, the money is gone.

And we wonder why the bad guys win? Dinosaur paper attitudes in 2019.
 

acidrain

This actually happened to us not too long ago. One of the sales persons' invoices were intercepted and unfortunately the client paid.

Had a look at the invoice they received and it was plain to see it was tampered.

Assuming his email wasn't compromised, the only thing I could fault us for was the fact that DMARC was not set to specify a reject on the mail, as the SPF check failed so it was still allowed through the client's server.

It's actually funny how people don't properly check invoices. I'm also a culprit sometimes...

Edit: Just for interest sake, this was the IP address from which the scam mail originated: 196.35.198.116
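
The SPF/DMARC point in the post above, as an added example that is not part of the original thread: a simplified receiver-side DMARC decision showing why a forged invoice mail that fails SPF is still delivered when the sender's domain publishes no policy or `p=none`, and is refused only under `p=reject`. The domain `supplier.example` and its records are constructed; alignment is approximated and the `pct`/`sp` tags and receiver-local overrides are ignored.

```python
# Added illustration: simplified DMARC decision (RFC 7489). Records are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None

def aligned(auth_domain, from_domain):
    """Relaxed alignment, approximated as 'same domain or parent/child of it'."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def disposition(from_domain, dmarc_txt, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs computed by the receiver."""
    record = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if record is None:
        return "deliver: no DMARC policy published"
    if any(res == "pass" and aligned(dom, from_domain) for res, dom in (spf, dkim)):
        return "deliver: DMARC pass"
    return {
        "quarantine": "junk: DMARC fail, p=quarantine",
        "reject": "reject: DMARC fail, p=reject",
    }.get(record["p"].lower(), "deliver: DMARC fail, no enforcement (p=none or unrecognised)")

# Constructed case: forged From: supplier.example, sent from a host outside its SPF
# record, with no DKIM signature.
FORGED = {"spf": ("fail", "supplier.example"), "dkim": ("none", "")}
POLICIES = {
    "no record": None,
    "p=none": "v=DMARC1; p=none; rua=mailto:dmarc@supplier.example",
    "p=reject": "v=DMARC1; p=reject; rua=mailto:dmarc@supplier.example",
}

def demo():
    """Outcome of the same forged message under each published policy."""
    return {name: disposition("supplier.example", txt, **FORGED)
            for name, txt in POLICIES.items()}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} -> {outcome}")
```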
 

Everyones-a-Wally

Now if banks could just require two authentication factors for bank accounts - account name and number.
Unfortunately they created an expectation that the two tie up but it's not the case - they don't care what you supply as the account name - they just plain ignore it. They need to fix that ASAP.
 

acidrain

> See it originated from https://bgp.he.net/ip/196.35.198.116
> Spammer had an account with synaq.com
> Did you contact IS or Synaq.com ?

No point as I do not have the original email received as proof. All I was sent was the small snippet in the mail header.

Not sure how far the client went with the info.

I have since, on my side, implemented DKIM and DMARC; hopefully any future attempts will be prevented.
 

Sollie

> Wasn't FICA specifically meant to help find and prosecute such scammers?

It was. But if you can buy an ID plus all the docs needed for FICA for a song? Remember, we live in South Africa.
 

gamer16

I'm surprised Microsoft has not implemented a feature that can look at a mailing address and alert you if it's similar but from a different domain, or at least highlight when a new sender is replying to a thread or something. Seems so easy, I'll bet the competition has something like it.

Then again, even if MS did implement it I wouldn't know, as our IT has me on Office 06. I asked them are they not worried about having XP systems on their network working with the servers; no, they say, because the US army still uses it :ROFL: I didn't want to tell them that they are paying for security updates for it and it's not shared with anyone but them.
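
The check suggested in the post above, sketched as an added example that is not part of the original thread and does not describe any vendor's feature: flag a reply whose sender domain is close to, but not the same as, a known correspondent's domain, and flag any address that has not appeared in the thread before. All addresses are constructed and the distance threshold of 2 is an assumption.

```python
# Added illustration: lookalike-domain and new-sender warnings for a mail thread.

def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def domain_of(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()

def check_sender(sender, known_domains, thread_participants, max_distance=2):
    """Return the warnings a mail client could show for one incoming reply."""
    warnings = []
    domain = domain_of(sender)
    if domain not in known_domains:
        for known in sorted(known_domains):
            if edit_distance(domain, known) <= max_distance:
                warnings.append(f"lookalike domain: {domain} resembles {known}")
    if sender.lower() not in {p.lower() for p in thread_participants}:
        warnings.append(f"new sender in thread: {sender}")
    return warnings

# Constructed data: domains we already trade with and the people on this thread.
KNOWN = {"goodsupplier.example", "ourcompany.example"}
THREAD = ["accounts@goodsupplier.example", "buyer@ourcompany.example"]

def demo():
    """Warnings for a genuine reply, a new colleague, and a lookalike domain."""
    senders = ["accounts@goodsupplier.example",
               "finance@goodsupplier.example",
               "accounts@goodsupp1ier.example"]
    return {s: check_sender(s, KNOWN, THREAD) for s in senders}

if __name__ == "__main__":
    for sender, warnings in demo().items():
        print(sender, "->", warnings or "no warnings")
```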
 