Beware this South African invoice scam

deesef

Expert Member
Joined
Mar 3, 2017
Messages
1,676
Good, I was just making sure your system was worth it, since you didn't mention phoning them originally.
Originally, it was used to eliminate problems due to finger trouble. However, it also doubles as a security check.
 

WAslayer

Executive Member
Joined
May 13, 2011
Messages
6,850
This actually happened to us not too long ago. One of the salespersons' invoices was intercepted and unfortunately the client paid.

Had a look at the invoice they received and it was plain to see it had been tampered with.

Assuming his email wasn't compromised, the only thing I could fault us for was the fact that DMARC was not set to specify a reject on the mail: the SPF check failed, yet the mail was still allowed through the client's server.

It's actually funny how people don't properly check invoices. I'm also a culprit sometimes...

Edit: Just for interest's sake, this was the IP address from which the scam mail originated: 196.35.198.116
DMARC is all good and well until the recipient mail server administrator is too lazy, or does not know how, to make his mail server compliant with the DMARC standard.
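The situation described in the post, SPF failing but the mail still being delivered because the domain owner never published a reject policy, comes down to how a receiving MTA applies DMARC. The following is an added example (not code from the thread or from any vendor) that implements the RFC 7489 disposition rule in simplified form: a message passes DMARC only if SPF or DKIM passes and the passing identifier aligns with the From: domain; otherwise the p= tag decides. The domains, DMARC records and message scenarios are constructed, and relaxed alignment is approximated with a parent/child label check instead of the Public Suffix List.

```python
"""What a receiving MTA does with a spoofed invoice mail under DMARC.

Added example, not code from the thread.  Implements the DMARC disposition
rule from RFC 7489 in simplified form: a message passes DMARC only if SPF
or DKIM passes *and* the passing identifier aligns with the RFC5322.From
domain; otherwise the domain owner's p= policy decides.
The records, domains and messages below are constructed samples.
"""

# Constructed records for a hypothetical supplier domain.  The first is the
# "monitor only" record the post describes; the second is the fix.
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@supplier.example"
RECORD_REJECT = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@supplier.example"


def parse_dmarc(txt):
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("p", "none")    # RFC 7489 requires p=, but be lenient
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment.  Strict ('s') needs an exact match.  Relaxed
    ('r') in the RFC compares Organizational Domains via the Public Suffix
    List; this example approximates that with a parent/child label check."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if a == f:
        return True
    if mode == "s":
        return False
    return a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result=None, dkim_domain=None):
    """Return (dmarc_result, action) for one message.

    spf_domain is the RFC5321.MailFrom domain SPF was evaluated against;
    dkim_domain is the d= of a verified signature, if any.  Results are the
    strings "pass"/"fail"/"none" as an MTA's authentication layer reports.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action.get(tags["p"], "deliver")


def demo():
    """Scenario from the post: From: carries the supplier's domain, but the
    mail came from the scammer's server, so SPF fails and nothing is signed."""
    spoofed = dict(from_domain="supplier.example", spf_result="fail",
                   spf_domain="supplier.example")
    return {
        "p=none": dmarc_disposition(RECORD_NONE, **spoofed),
        "p=reject": dmarc_disposition(RECORD_REJECT, **spoofed),
    }


if __name__ == "__main__":
    for policy, (result, action) in demo().items():
        print(f"{policy:9s} DMARC={result:4s} -> {action}")
```

With p=none the receiver is told nothing, so a failed SPF check alone does not stop delivery; with p=reject a DMARC-aware receiver refuses the message. Note that an SPF pass for the scammer's own bounce domain does not help them either, because it does not align with the From: domain. None of this applies when the attacker registers a look-alike domain, which has its own (or no) DMARC record.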
 

Moto Guzzi

Expert Member
Joined
Apr 24, 2004
Messages
1,642
Beware this South African invoice scam

Carte Blanche recently highlighted the problem of invoice scams in South Africa, where companies and individuals are scammed out of large amounts of money.

This report follows the high-profile case where Goliath and Goliath and its subsidiary The PR Bailiff were scammed out of R285,000 by hackers who intercepted and altered their invoices.

How is this possible to happen, if we have 1st World banks with 1st World (digital) banking systems, (claimed), for which we are milked dearly daily? How come I must visit SARS if I just change something on my banking details, and here comes a financial criminal and opens accounts left, right and centre all over the world and has a splendid day every day? Why must we put up with this? Inside jobs/assistance perhaps? Digital antivirus systems have now been going strong for how many years, as far back as I can remember, so why this going into the fairytale digital future with AI promoted and nobody can tell us what it actually is? We know about the robots.
 

krycor

Honorary Master
Joined
Aug 4, 2005
Messages
18,217
I'm surprised Microsoft has not implemented a feature that can look at a mailing address and alert you if it's similar but from a different domain, or at least highlight when a new sender is replying to a thread or something. It seems so easy; I'll bet the competition has something like it.

Then again, even if MS did implement it I wouldn't know, as our IT has me on Office 06. I asked them if they are not worried about having XP systems on their network working with the servers. No, they say, because the US army still uses it :ROFL: I didn't want to tell them that they are paying for security updates for it and that it's not shared with anyone but them.

We've had something like this before where everything looks in order... but it's not. I.e. the email domain is correct but the relay used was wrong, or something like that.

There are ways around this and it boils down to archaic business practices, I hate to say. I.e. emailing executable distributions, invoices, etc. is all about as secure as leaving your car unlocked without a tracker.

What companies should be doing is setting up an invoice host platform, where clients go to retrieve invoices from the company domain. That way standard safety procedures can be observed. You also have 3rd party services that cater for this.
 

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,469
Now if banks could just require two authentication factors for bank accounts: account name and number.
Unfortunately they created an expectation that the two tie up, but it's not the case: they don't care what you supply as the account name, they just plain ignore it. They need to fix that ASAP.

Completely agree. They should show the account name after you enter the account number, but I suspect due to privacy concerns this isn't allowed. What I did notice is that Standard Bank now offers a free Verify Account option when doing EFTs which checks the name/surname of the account number, along with company registration/ID number. It is limited though and doesn't seem to always work well if you're just supplying the name, but all banks should offer this.
 

LazyLion

King of de Jungle
Joined
Mar 17, 2005
Messages
103,954
If only there were some kind of legislation that prevented people from using fraudulent bank accounts, or that let authorities trace those bank accounts back to the owner.... but alas... Nobody's thought of that yet...
 

mercurial

MyBB Legend
Joined
Jun 12, 2007
Messages
40,102
Completely agree. They should show the account name after you enter the account number, but I suspect due to privacy concerns this isn't allowed. What I did notice is that Standard Bank now offers a free Verify Account option when doing EFTs which checks the name/surname of the account number, along with company registration/ID number. It is limited though and doesn't seem to always work well if you're just supplying the name, but all banks should offer this.
ABSA's online banking platform has the same feature but it is mostly incorrect :-/
 

Sollie

Honorary Master
Joined
Apr 20, 2005
Messages
12,071
DMARC is all good and well until the recipient mail server administrator is too lazy, or does not know how, to make his mail server compliant with the DMARC standard.
Or you introduce punycode ...
 

Sollie

Honorary Master
Joined
Apr 20, 2005
Messages
12,071
If only there were some kind of legislation that prevented people from using fraudulent bank accounts, or that let authorities trace those bank accounts back to the owner.... but alas... Nobody's thought of that yet...
There is. But it gets complex very quickly. The work-from-home opportunity? Congrats, you became a mule. The lawyer doing debt collection? He just became an unwitting mule. Your mom/grandma/aunt/uncle that met that person online: he needed help as he's abroad and can't bank, can he use their account for a deposit, or his staff do not get paid (add a myriad of ploys).

I suggest reading up on money laundering in South Africa, and its BEC and romance scam links.
 

Little Mac

Honorary Master
Joined
Jul 18, 2008
Messages
53,191
Completely agree. They should show the account name after you enter the account number, but I suspect due to privacy concerns this isn't allowed. What I did notice is that Standard Bank now offers a free Verify Account option when doing EFTs which checks the name/surname of the account number, along with company registration/ID number. It is limited though and doesn't seem to always work well if you're just supplying the name, but all banks should offer this.
Even easier, just have a unique account name tied to the number. If a business can give you their number, they can give you the exact letter-for-letter account name. It's not rocket science.
 

Happy Days

Expert Member
Joined
Feb 14, 2017
Messages
1,033
Thanks. My bad.

/Edit: Examples:

realname.co.za reålname.co.za reaⅼname.co.za realname.co.za realnamе.co.za


Spot the real one.
Can't see the difference between the last three. And since they aren't active links, no way of verifying with Firefox.
 

mercurial

MyBB Legend
Joined
Jun 12, 2007
Messages
40,102
One thing that I hate that ABSA introduced at ATMs, is that it now displays your first name in a massive font, so everyone close to you at the ATM knows your name.

WTF
 

Sollie

Honorary Master
Joined
Apr 20, 2005
Messages
12,071
Can't see the difference between the last three. And since they aren't active links, no way of verifying with Firefox.
No need for it to be active. Copy the last string with CTRL-C, go to search, CTRL-V, and search for it in the page. Why does it not match the string before it? The first 2 were obvious, to show what I'm doing. Only one is the real realname.co.za.

Thanks for confirming the point of the exercise and being the guinea pig. ;)

I'm sure a lot of other members here are equally confused. Now, just to put this into perspective, a senior IT security officer at an EU bank fell for something similar last year.

We are quick to call people stupid, to victim-blame. A lot of the victim blaming is based upon ignorance.
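The "spot the real one" exercise above, and krycor's earlier wish for a mail client that flags a sender domain which is similar to but not the same as a known one, both come down to the same check. The following is an added example, not code from the thread or from any mail product: given the domain in a sender address and the domain on file for that supplier, it reports whether they are byte-identical and, if not, whether the difference is one a human eye misses (a non-ASCII homoglyph, a compatibility character that NFKC folds back into ASCII, or an ASCII swap such as 1 for l). The sample domains are constructed and written with escape sequences so the substitutions are visible in the source; it does not try to reproduce the exact strings from the post.

```python
"""Flag look-alike sender domains (homoglyphs, IDN/punycode, digit swaps).

Added example, not code from the thread.  Compares the domain in a sender
address with the expected domain and classifies the result as exact,
lookalike or different.  Sample domains below are constructed.
"""
import unicodedata

# Scripts named explicitly; anything else (roman numerals, symbols) is OTHER.
KNOWN_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}

# A few ASCII pairs that look alike in common fonts: (expected, seen).
ASCII_CONFUSABLES = {("l", "1"), ("l", "i"), ("i", "l"), ("o", "0"), ("s", "5")}


def canon(domain):
    """Lower-case, trim, drop a trailing dot."""
    return domain.strip().lower().rstrip(".")


def script_of(ch):
    """Script bucket for one character, taken from its Unicode name."""
    if ch.isascii():
        return "LATIN"
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in KNOWN_SCRIPTS else "OTHER"


def analyse_domain(domain):
    """Facts about a domain string that matter for look-alike detection."""
    d = canon(domain)
    nfkc = unicodedata.normalize("NFKC", d)
    try:
        idna = d.encode("idna").decode("ascii")   # ToASCII form, xn-- labels
    except UnicodeError:
        idna = None                               # malformed label
    non_ascii = [(i, ch, f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}")
                 for i, ch in enumerate(d) if not ch.isascii()]
    scripts = {script_of(ch) for ch in d if ch.isalnum()}
    return {"domain": d, "nfkc": nfkc, "idna": idna,
            "non_ascii": non_ascii, "mixed_script": len(scripts) > 1}


def verdict(sender_domain, expected_domain):
    """'exact', 'lookalike' or 'different'.  Only 'exact' is safe to trust."""
    info = analyse_domain(sender_domain)
    exp = canon(expected_domain)
    d = info["domain"]
    if d == exp:
        return "exact"
    if info["nfkc"] == exp or info["idna"] == exp:
        return "lookalike"           # differs only by compatibility characters
    if len(d) == len(exp):
        diffs = [i for i in range(len(d)) if d[i] != exp[i]]
        if diffs and all(not d[i].isascii() or (exp[i], d[i]) in ASCII_CONFUSABLES
                         for i in diffs):
            return "lookalike"       # every change is a homoglyph or confusable
    return "different"


# Constructed samples in the spirit of the post's "spot the real one".
EXPECTED = "realname.co.za"
SAMPLES = [
    "realname.co.za",
    "re\u00e5lname.co.za",     # LATIN SMALL LETTER A WITH RING ABOVE
    "rea\u217cname.co.za",     # SMALL ROMAN NUMERAL FIFTY, NFKC folds it to 'l'
    "realnam\u0435.co.za",     # CYRILLIC SMALL LETTER IE
    "rea1name.co.za",          # ASCII digit one for 'l'
    "realname-accounts.co.za",
]


def classify_samples():
    """Verdict for each constructed sample against EXPECTED."""
    return {s: verdict(s, EXPECTED) for s in SAMPLES}


if __name__ == "__main__":
    for s, v in classify_samples().items():
        info = analyse_domain(s)
        names = [n for _, _, n in info["non_ascii"]]
        print(f"{v:9s} {s!r:30s} idna={info['idna']} non_ascii={names}")
```

The practical rule this encodes is the one Sollie is making: visual comparison is not a check. Compare the sender domain byte-for-byte (or in its xn-- form) against what you have on file, and treat anything that only differs by a non-ASCII character, a normalisation fold or a 1/l style swap as an impostor rather than a typo.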
 

Sollie

Honorary Master
Joined
Apr 20, 2005
Messages
12,071
If only there were some kind of legislation that prevented people from using fraudulent bank accounts, or that let authorities trace those bank accounts back to the owner.... but alas... Nobody's thought of that yet...
Here you go, what I was talking about.

https://www.abc.net.au/news/2019-07-25/woman-caught-up-in-6-million-dollar-love-scam/11345298

The offenders, believed to be residing in South Africa, then deposited $6 million into her bank account on June 11.
 

hungrymamba

Expert Member
Joined
Sep 7, 2018
Messages
1,058
Always one step ahead, these thugs... No matter what tech or law there is, they always find a way. But people are also stupid at times; easy targets.
 

Little Mac

Honorary Master
Joined
Jul 18, 2008
Messages
53,191
One thing that I hate that ABSA introduced at ATMs, is that it now displays your first name in a massive font, so everyone close to you at the ATM knows your name.

WTF
Nedbank's mobile app by default shows your balance in massive font on the landing page. Just what the doctor ordered for those moments you need to do your private banking on the Gautrain or bus.
 

Little Mac

Honorary Master
Joined
Jul 18, 2008
Messages
53,191
Always one step ahead, these thugs... No matter what tech or law there is, they always find a way. But people are also stupid at times; easy targets.
Actually they have become lazy with the banks and other institutions being so lax.
 

mercurial

MyBB Legend
Joined
Jun 12, 2007
Messages
40,102
Nedbank's mobile app by default shows your balance in massive font on the landing page. Just what the doctor ordered for those moments you need to do your private banking on the gautrain or bus.
These people are so fkn stupid, it's astonishing.
 