Case Study: The Seventh Order – A True Story Of Fraud And What Could Have Been Done To Prevent It
Here is a tale about third-party fraud against two parties to a business deal that almost ruined their relationship. The practical takeaways from this tale can be valuable lessons in protecting your business and your business relationships. Some facts have been modified in order to protect the identity of the parties involved.
It all started innocently enough.
Our client, the seller, manufactures certain products abroad and sells them in the U.S. and elsewhere.
His customer, a large U.S. distributor of the product, had already successfully placed six orders without incident. A typical high-tech transaction — order placed by email, invoice generated by email, payment wired, and products shipped. So far, so good.
Then came the fateful seventh order.
When payment did not show up on time after our client shipped the products, the upset seller called the customer and the call went something like this:
SELLER: Where’s our money?
CUSTOMER: We paid!
SELLER: No you didn’t!
CUSTOMER: Yes we did! I have proof of funds wired.
SELLER: And my bank says we have nothing from you.
CUSTOMER: Well the money is gone from my bank, that’s for sure. And I sent it directly to your account in Singapore exactly as specified on your invoice.
SELLER: Singapore?! We don’t have any bank accounts in Singapore!
Long, uncomfortable silence.
Turns out that an impostor managed to hack into the seller’s account and obtain enough information about the customer to be able to send an email to the seller pretending to be the customer.
In the email exchange between the impostor and the seller, the impostor was able to coax enough deal-specific information out of the seller to be able to then turn around and contact the customer pretending to be the seller.
Whereupon the impostor, posing as the seller, asked the customer to wire the payment for the seventh order to an account in Singapore.
The impostor’s account, of course. Not the seller’s.
And the customer, thinking that no one but the seller could have sent such a detailed invoice, paid it.
At which point the lawyers were brought into the picture.
In retrospect, a little more diligence on the part of both parties could have prevented the fraud.
- The salesperson for the customer was named Brian. But when the impostor first emailed the seller, his return email address misspelled the name as Brain rather than Brian.
- The customer always communicated from an email address at the company's own domain, which contained the customer's name, like this: email@example.com; whereas the first email from the impostor was sent from Yahoo, like this: firstname.lastname@example.org
- Every email from the seller to the customer had a unique signature block at the bottom including pictures of the seller’s line of products. There was no such signature block at the bottom of any of the emails from the impostor to the customer. Just the name of the CEO of the seller without anything else.
- And, of course, each of the prior six invoices sent by the seller to the customer requested payment to a single bank account in a country nowhere near Singapore either geographically or culturally. After six straight invoices to only one account, a seventh invoice suddenly asking for payment to a completely different account in a completely different country should have set off an alarm.
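Each of these four warning signs can be checked automatically against a record of what earlier, verified correspondence looked like. The Python below is an added example, not part of the original case study; every name, domain, account number and the signature marker in it are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from difflib import get_close_matches

@dataclass
class Baseline:
    """What earlier, verified correspondence with one counterparty looked like."""
    domain: str                       # domain every earlier email came from
    contacts: set[str]                # first names of known contacts
    signature_marker: str = ""        # text always present in their signature block
    bank_accounts: set[tuple[str, str]] = field(default_factory=set)  # (country, account)

@dataclass
class Message:
    sender: str
    body: str
    pay_to: tuple[str, str] | None = None  # (country, account) requested on an invoice

def red_flags(msg: Message, base: Baseline) -> list[str]:
    flags = []
    local, _, domain = msg.sender.lower().rpartition("@")
    if domain != base.domain:
        flags.append("domain_mismatch")
    for token in re.split(r"[._+-]", local):
        # A near miss of a known name (such as transposed letters), not an exact match.
        if token and token not in base.contacts and get_close_matches(
                token, base.contacts, n=1, cutoff=0.75):
            flags.append("lookalike_name")
    if base.signature_marker and base.signature_marker not in msg.body:
        flags.append("signature_missing")
    if msg.pay_to and base.bank_accounts and msg.pay_to not in base.bank_accounts:
        flags.append("new_bank_account")
        if msg.pay_to[0] not in {country for country, _ in base.bank_accounts}:
            flags.append("new_bank_country")
    return flags

# Constructed sample data: all values below are made up for illustration.
CUSTOMER = Baseline(domain="customer.example", contacts={"brian"})
SELLER = Baseline(domain="seller.example", contacts={"jane"},
                  signature_marker="[product line images]",
                  bank_accounts={("COUNTRY-A", "ACCT-0001")})
TO_SELLER = Message("brain.smith@webmail.example", "Can you resend the details for order 7?")
TO_CUSTOMER = Message("jane@seller.example", "Invoice for order 7.\n\nJane Doe, CEO",
                      pay_to=("SG", "ACCT-9999"))

if __name__ == "__main__":
    print(red_flags(TO_SELLER, CUSTOMER))   # the seller's check on the first impostor email
    print(red_flags(TO_CUSTOMER, SELLER))   # the customer's check on the seventh invoice
```

Any flag on a payment request is a reason to confirm the bank details by phone, using a number already on file rather than one taken from the email.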
Fortunately, we were able to negotiate a mutually satisfactory settlement that set the relationship back on course and involved mutual cooperation with the appropriate investigative authorities to try to catch the impostor, settlement of the disputed sum, and even two new orders.
Both our client and the customer learned some valuable lessons about doing business via email and how to avoid fraud in the future.
This case study highlights the need for due diligence even with existing business relationships.