[SingCERT] Business Email Frauds

Published on Friday, 09 October 2015 15:00

[ Background ]

Several businesses have been tricked into transferring substantial amounts of money to fraudulent bank accounts, resulting in financial loss.

The scam works this way:

  1. The client contacts the supplier to request a quotation for goods.
  2. The supplier and client then negotiate the price and date to pay for the goods.
  3. Upon confirmation, the supplier proceeds to issue an invoice to the client.
  4. At this point, the client will receive a fraudulent email from the scammer. The scammer will either claim that the previously issued invoice is inaccurate and that a new invoice will be issued, or issue an invoice before the supplier can do so. The supplier is also left out of the communication from this point onwards.
  5. The client then receives a new set of instructions to transfer the funds to the fraudulent bank account.

[ Impact ]

Both the supplier and client suffer a financial loss.

[ Mitigation Measures ]

  • Before sending emails, always check that the email address is correct. Double-check it against the company’s corporate website (if available), namecards, or the email address used in previous emails.
  • Before transferring the funds, call the supplier to confirm that the invoice sent is legitimate and valid. Check that the number belongs to the supplier, as the phone number in the email may belong to the scammer instead of the supplier.
  • Do not click on any suspicious links in the email. If in doubt, call the supplier to confirm.