Beware this email fraud scam when buying a car in South Africa

A MyBroadband reader was recently caught out by a complex scam involving the purchase of a Ford Ranger bakkie.

The dealership told the reader they would send the appropriate banking details for the payment via email, but this email was intercepted by a malicious party.

The banking details were altered by the scammer, and the scammer’s own bank details were sent to the reader.

It is worth noting that the email address the reader received the bank details from was not the same as the dealership employee’s real email address.

However, since the reader had never received an email from the employee before, they were unable to identify this.

The reader then made payment – unknowingly to the scammer’s bank account – and sent proof of payment to the fake email address.

The fraudster then edited this proof of payment to reflect the legitimate bank details of the dealership before sending it to the dealership.

Unlike before, however, the fraudster spoofed the “From” field in the e-mail so it looked as if it had come directly from the reader.

Because both parties believed the transaction had been completed successfully, it was several days before the dealership realised that they had not received any money for the vehicle.

The reader, who already had the vehicle in their possession, was forced to return it to the dealership.

However, the reader and the dealership later agreed to split the cost of the original purchase – meaning the reader ultimately paid 150% of the original price and kept the vehicle.


BusinessTech reported on a similar case in December where a businessman bought a motor vehicle from a different seller for a business project.

Speaking with Louis Podbielski, Case Law product manager at LexisNexis, BusinessTech found that the businessman was the victim of an identical scam.

“He did an EFT in response to an email that he received and was expecting from the car dealership,” said Podbielski.

“He took delivery of the Ford Ranger, with it later emerging that the transfer had gone into a fraudulent account. The dealership then claimed the R380,000 purchase price from him.”

“In this case, the court found that he should have verified the account number before making the transfer, and that he still owed the car dealer the money.”

A common scam

Rudi Dicks, director of cybersecurity at CheckMark, said this scam is unfortunately quite common.

“By far the most common failure point is a weak email account,” said Dicks.

“This is usually, but not always, on the victim’s side. The attackers will gain access to this mailbox, often through guessing weak or reused passwords to the mailbox, or by conducting a phishing attack and manipulating the victim into providing credentials by asking them to log into a fake webmail login page.”

“From here the attackers will monitor the mailbox, sometimes for multiple months, waiting until an invoice for a large amount is delivered into the mailbox. The attacker will immediately delete the email after saving a copy and then go to work altering the banking details.”

“They will often even change the bank used. We’ve even seen instances where attackers alter scanned documents with photo editing software,” said Dicks.

Once altered, said Dicks, the mail will be placed back into the mailbox by mailing it from a similar or spoofed address, with a “reply to” address of their choice.

“This means that the address the victim receives the email from appears real, or very close to real, but once they reply it goes to a free mail address.”
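The header pattern Dicks describes can be checked mechanically before anyone acts on emailed banking details. The following is an added example, not part of the original article: it flags a Reply-To domain that differs from the sender's domain and a sender domain that merely resembles a known contact. The `example-motors.co.za` domain, the free-mail list, the 0.85 similarity threshold and the sample messages are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short illustrative list of free webmail domains.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_message(raw, known_domains):
    """Return a list of warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    warnings = []
    # Replies silently diverted to another domain, often a free mailbox.
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
        if reply_dom in FREE_MAIL:
            warnings.append("replies go to a free webmail address")
    # Sender domain that is close to, but not the same as, a known contact.
    if from_dom not in known_domains:
        for known in known_domains:
            if SequenceMatcher(None, from_dom, known).ratio() >= 0.85:
                warnings.append(f"sender domain {from_dom} resembles {known}")
    return warnings

# Constructed sample messages (not taken from the incident in the article).
KNOWN = {"example-motors.co.za"}
DIVERTED = ("From: Sales <sales@example-motors.co.za>\n"
            "Reply-To: sales.examplemotors@gmail.com\n"
            "Subject: Banking details\n\nPlease pay into the account below.\n")
LOOKALIKE = ("From: Sales <sales@examp1e-motors.co.za>\n"
             "Subject: Banking details\n\nPlease pay into the account below.\n")
CLEAN = ("From: Sales <sales@example-motors.co.za>\n"
         "Subject: Banking details\n\nPlease pay into the account below.\n")

if __name__ == "__main__":
    for name, raw in [("diverted", DIVERTED), ("lookalike", LOOKALIKE), ("clean", CLEAN)]:
        print(name, check_message(raw, KNOWN))
```

A message with an exactly spoofed “From” field and no Reply-To passes these header checks, so a clean result does not confirm that the banking details are genuine.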

“We’ve seen instances where multiple emails are sent back and forth between the victim and the attacker, with the attacker impersonating the business that the victim intended to trade with (the seller),” added Dicks.

“Some of these attackers are exceptionally well researched, or will have been following email conversations over a long period of time so that they can easily fool the victim into believing they represent the seller.”

Dicks said that the customer isn’t always the victim, however.

“Where the end client hasn’t been the victim, we’ve seen a focus on smaller businesses that conduct large single or repeat transactions such as car or boat sales, or small law firms and financial institutions that transfer large amounts of money,” said Dicks.

“These small businesses often don’t have very sophisticated security or adequate awareness training and make for ideal targets.”

Dicks said there are several ways users can protect themselves from such attacks:

Make use of multi-factor authentication (MFA)

“This is by far the easiest and most effective thing you can do to protect yourself from most types of email fraud,” said Dicks.

“When you have MFA enabled on your mail account you will be notified as soon as someone else tries to log into your account and they won’t be able to do so successfully even when they have your password.”

Dicks said this protects users from falling victim to a phishing attack or password reuse.

He said that implementing MFA is not difficult, as often you’ll only need to authenticate every few weeks or when logging in from a new device.

“Many people I speak to are not aware that they have free access to MFA when making use of Office 365 and Gmail. Check with your mail provider whether they offer this service.”

Educate yourself and staff

Dicks said there is lots of information online about cybersecurity, and end-users should spend time educating themselves on the more popular scams.

“Consider it an investment because you will probably be dealing with cybercrime for the rest of your life,” said Dicks.

“For companies, there is excellent staff awareness training that will teach every computer user about this and many other common scams and attacks so that staff are empowered to identify attacks and respond appropriately.”

Pick a strong password

Dicks said that good password practices are a great way to avoid being scammed.

This includes picking a strong, unique password that you don’t use anywhere else.

It is also recommended that you change this password regularly.

Use a reputable mail provider

“Although it is less common, we’ve seen mail servers compromised directly, giving attackers access to the mailbox and the entire server through exploitation of vulnerabilities,” said Dicks.

“If you make use of a mail hosting provider, make sure that you can trust them with your information and that they follow best practices.”

He added that if you are hosting your email on-premise, make sure that only the required minimum resources are available to the internet and that the patching of your servers is taking place regularly and successfully.
