It looked innocent enough. A seafood services company in the Pacific Northwest received an email from a vendor with a change to payment instructions on an outstanding invoice. Delivery had arrived as promised but, the vendor explained, “due to an audit that is ongoing at our bank,” the vendor would be sending a revised invoice and revised payment instructions.
The problem was that the vendor’s email had been hacked. The fraudsters were able to see a delivery had been made and invoiced, and they then set up an email account almost identical to the vendor’s. Using that fraudulent account, the fraudsters sent an invoice — one that looked the same as the original — with the fraudulent payment instructions. Then they followed up repeatedly, requesting payment status.
“They put polite but insistent pressure on us to submit the payment quickly,” said the seafood company’s CFO.
The fraudsters also sent emails to the vendor. The emails appeared to be from the seafood company and told the vendor the payment was in the works. The vendor responded to those emails. From that point until payment was received by the fraudsters, neither the vendor nor the seafood company ever communicated directly. The hacker was always in the middle.
Dual custody wasn’t enough
The fraudulent invoice and payment instructions, supported by legitimate receipt of product slips, import slips, and a purchase order, were reviewed by the seafood company’s accounts payable department. Despite dual custody and a review of the documents by five individuals, the documentation was so realistic that payment was wired to the fraudster.
“In retrospect, the eleventh-hour request for payment-instruction changes should have been a red flag,” said the seafood company’s CFO.
Caught five days too late
Five days after payment was made, the real vendor sent an email asking, “Where’s our payment?” The seafood company reviewed the payment they had made and, working with the legitimate supplier, determined they’d been victims of fraud. The seafood company immediately contacted Wells Fargo about recalling the wired funds — a dollar amount over six figures — but payment had already been disbursed by the fraudster’s bank.
“We’re fortunate it wasn’t a lethal blow to our business,” the seafood company’s CFO said. “It could have been so much worse.”
New security measures
In the aftermath of the fraud, all employees of the seafood company received fraud awareness training, and all new employees are now required to participate in a fraud awareness webinar. The company also put in place new wire approval procedures that require additional layers of authentication when vendors are new, payments exceed a specified amount, or payment instructions are revised.
“I think it would be very difficult for it to happen here again,” the CFO said.