News Release — Victoria, BC – Financial Crime Investigators are urging members of the business community to take steps to protect their finances and business practices after receiving reports of a series of similar frauds which have each led to significant losses. These frauds, which appear to target service professionals such as lawyers, accountants and purchasing managers, use “man-in-the-middle” style attacks to undermine otherwise legitimate transactions.
In each of the frauds that have come to our attention, the fraudsters have managed to subtly insert themselves into an email conversation stream involving the potential victim – who is often a service provider – and the victim’s clients. Over time, the fraudsters have been successful in intercepting all communications, and play the role of the service provider to the client and of the client to the service provider. The result of these “man-in-the-middle” attacks has been more than a million dollars of losses in two files alone. It is not yet clear how the fraudsters are inserting themselves into the communications, so our Financial Crimes Investigators are issuing a public warning to businesses.
“Man-in-the-middle” Fraud Examples
In one file, fraudsters were able to get into the email chain between a lawyer and clients overseas. The lawyer believed himself to be communicating with his clients and his clients believed they were communicating with their lawyer, when in fact, both were communicating to the fraudsters themselves. Believing himself to be following his clients’ direction, the lawyer forwarded significant funds to an out-of-country bank account only later to discover that the request to do so was false.
Upon examination of the emails, investigators discovered that the fraudsters had created an email address that differed from the legitimate email address by one character. For example the lawyer’s email address was in the format of: email@example.com, while the fraudster’s email address: firstname.lastname@example.org. That difference of a single character – a dot between the names – led a significant financial loss. It has still not been determined how the fraudsters were able to insert themselves into the email chain, nor know how the fraudsters determined how to target the parties involved.
In a second example, a purchasing manager for a local business was in the process of ordering a large piece of equipment for that business. In this case, scammers again were able to insert themselves in the communication chain using an email address that differed from the provider’s by one character. As a result the purchasing manager sent a significant amount of money to two separate bank accounts on direction of who he thought was the legitimate supplier, when in fact it was on the direction of the fraudsters. The result was the business paying for a large and significantly expensive piece of equipment that never arrived.
In a third file, a lawyer received a call from his accounts payable person to confirm an email, presumably from the lawyer, in which he requested the transfer of a significant amount of money to an offshore account. Similar to the two files above, the fraudsters had been able to insert themselves into the email chain through an unknown means, ultimately utilizing an email address that differed from the legitimate lawyers address by one character. The confirmation call was a lucky break for the business and provides a key example of practices businesses can put in place to help protect themselves from these types of frauds. No funds were lost.
“It is common business practices to rely solely on email communication when dealing with instructions pertaining the transfer of money, in doing so, you are at significant risk of financial loss. It is incumbent upon businesses to take steps to protect themselves,” Financial Crimes Det. Sgt. Derek Tolmie said. “That’s why we’re issuing this public notification: so they can do exactly that.”
What you can do to protect yourself
When conducting business by email, especially if those transactions involve sending large sums, establish a check-in protocol with clients to confirm the transactions are legitimate. Examples of this protocol can include a telephone conversation, a face-to-face meeting, or a code word or phrase agreed upon well in advance.
Regular monitoring of accounts and other finances can detect frauds before they become a concern.
Where possible, create an internal check-in process to ensure that request the transfer of funds are indeed legitimate.