Victoria police are warning local businesses of a scam that’s resulted in two businesses losing more than a million dollars.
The “man-in-the-middle” scam targets service professionals such as lawyers, accountants and purchasing managers to undermine other legitimate transactions.
In the scam, fraudsters subtly insert themselves into an email conversation stream involving the potential victim — who is often a service provider — and the victim’s clients.
In one file that Victoria’s financial crime investigators worked on, fraudsters were able to insert themselves in an email chain between a lawyer and a client overseas. The lawyer believed he was communicating with his client and vice versa, when they were actually both communicating with the fraudster. The lawyer believed he was following his client’s instructions, and forwarded significant funds to an out-of-country bank account. It was only after he transferred the funds that he realized the request was false.
Investigators later discovered the fraudsters had created an email address that differed from the lawyer’s email address by one character. For example, the lawyer’s email address was in the format of firstnamelastname@webdomain.com, while the fraudster’s email address was firstname.lastname@webdomain.com. Investigators are still unclear about how the fraudster was able to insert themselves into the email chain.
In another incident, the purchasing manager of a local business sent money to purchase a large piece of equipment that never arrived.
“It is common business practice to rely solely on email communications when dealing with instructions pertaining to the transfer of money; in doing so, you are at significant risk of financial loss,” said financial crimes Det. Sgt. Derek Tolmie. “It is incumbent upon businesses to take steps to protect themselves.”
Police said businesses that conduct transactions involving the sending of large sums of money should establish a check-in protocol with clients, such as a telephone conversation, face-to-face meetings, or a code word, to confirm transactions are legitimate. Police are also encouraging businesses to regularly monitor accounts.