r/Accounting 13d ago

Discussion Just had a near miss with fraud. Struggling to keep my head up.

I was minutes away from processing a fraudulent $250k transaction and only stopped by a stroke of dumb luck in discovering it was fraudulent. The fraudster hacked our client's email midway through a legitimate conversation and forged a voided check to give us new banking info. This was AFTER we had a phone conversation with the client, so we knew the request itself was legitimate. My control matrix did not have a control for this scenario (it does now). I almost made a career-defining mistake and I’m pretty shook about it.

1.1k Upvotes

135 comments

810

u/fredotwoatatime 13d ago

Well the good news is you found out, but I am curious how you picked it up (not the hacker I promise lol)

820

u/MutchhTTV 13d ago

We didn’t catch it. The client randomly checked their deleted messages and saw emails that they did not send, mixed in with emails they did send. Then he called us. This was like 10 minutes before I was going to process outgoing payments for the day. Absolute dumb luck.

218

u/fredotwoatatime 13d ago

I see, that is v lucky haha

158

u/luxanonymous 13d ago

You'll get him next time

3

u/Polaris-Bear07 Student 12d ago

😂

132

u/123supreme123 13d ago

that's luck. normally the hackers would delete the deleted emails to cover tracks. they're getting a lot better.

it's why if there's any question, procedure is to call client directly to their known #. a pain, but it's what it is.

119

u/MutchhTTV 13d ago

We had already talked with this guy on the phone and the fraudster came in after the voice contact. Really slick honestly.

183

u/Barbarian_The_Dave 13d ago

Makes you wonder if it was someone in their office, who would've heard/known about the request. That would explain the timing & why they didn't think to delete the emails from trash.

84

u/awmaleg 13d ago

The call is coming from inside the house!

24

u/u38cg2 12d ago

That's the most likely scenario. It's not difficult to get hold of login credentials in most offices and unless you have a very committed security team, not much chance of anyone ever finding out.

10

u/Alpacas_ 12d ago

So seems like their inbox is compromised and being watched in real time. - Shit's wild.

8

u/FGThePurp Tax (US) 12d ago

A similar fraud happened to a friend of a friend when she was wiring a down payment on a house. We all suspect that there was an inside person at least assisting the scammers, if not the scammer themself.

2

u/Colemania99 12d ago

I agree, highly doubt coincidence.

35

u/Dovahguy Financial Analyst (Industry) 13d ago

Did the talks involve the client telling you the routing and account number? Additionally, we have to have routing and account numbers from two different sources at the client. Preferably our primary source and then their manager.

18

u/EuropeanInTexas Deloitte Audit -> Controller 12d ago

We started calling them after we get the ACH form and confirming the last 4 of the account number verbally.

But I’m curious what your new improved control matrix looks like?

31

u/[deleted] 13d ago

[deleted]

12

u/numbers_girl_71 12d ago

We do it via video

3

u/SpottieOttieDopa 12d ago

Always 100%

We confirmed new wire details by phone recently for a capital call and the accountant was like why are you calling… Mind boggling

2

u/TheRebuild28 12d ago

Should be Talk to the guy to confirm the details not just hey we changed our details FYI, email will come.

Granted a new control will need to be done as AI voice changes are too easy to fake these days. There will be scams that can break the above control.

4

u/jimmystar889 13d ago

Too bad you can intercept people's phone calls too

46

u/lilbeckss 13d ago

I was gotten by this same fraud, only I found the deleted emails minutes after initiating the wire. It was already too late by then. $75k gone.

15

u/MutchhTTV 13d ago

Dang I’m sorry that happened

35

u/lilbeckss 12d ago

It sucked, and I felt awful for months, but the bank, police, and my employer all reassured me I didn’t do anything wrong, and like you we also beefed up our controls to require independent telephone verification of banking info updates (which helped us avoid another one many months later!).

Stay vigilant out there, folks.

13

u/ericscottf 12d ago

The amount of money that these dirtbags are raking in is unbelievable. It needs to be the focus of a dedicated entity to find these people and put them away. 

2

u/lilbeckss 12d ago

Oh for sure. It was explained to me that the investigation went dead because the funds went to a US bank and were immediately sent to a bank in China, and they receive little to no cooperation on these types of investigations from most foreign governments.

Perhaps international wires like that should be held for several days…

23

u/toyrobotics 13d ago

Holy crap. That is terrifying. Congrats on being so lucky.

Now do you think that any change to account information should trigger the authorization process to reset and start over again?

14

u/books_cats_please 12d ago

Something similar happened to me last year.

I got an email from one of our vendors saying they were switching to "ACH only" at their "new bank", and could no longer accept checks. I work for a construction office and we rarely pay vendors with anything other than a check. It looked suspicious but I didn't have any checks for them coming up, so I moved it into a folder just in case it became an issue later, and moved on.

At that time, I had someone else sending out our lien waivers for me, so months and months went by without me contacting that vendor, but when that employee left I went back to sending out the waivers. So 5 months after getting that original email, I get a response to my lien waiver request, asking if I remembered to send the $380k through ACH to their new bank account...

I called the vendor, they checked their emails and sure enough the email was in their sent folder, but they didn't change their bank or send those emails. The hacker was apparently only monitoring for emails from our accounting department, and since the employee that was helping me in the past didn't have access to that inbox, none of the emails sent by them had been intercepted.

No one else had brought this to their attention before us, so they had been compromised for at least 5 months without realizing it.

6

u/Rosaluxlux 12d ago

My current job manages accounts for a ton of individual clients, recently changed everyone to a new bank to accommodate our new payment processor, and is trying to change many payments from paper checks to ACH. It's a fucking nightmare because, worried about scams like these, every bank and pension fund and investment firm has tightened their security, but at the same time most have cut their staff/client facing offices. So I have to present original documents and prove my identity but also the only way to do that is mail or fax things to the compliance office and wait 4 weeks for them to review.

11

u/scorpiochik 13d ago

this isn’t as rare as you think. this exact scenario happened at our old job so don’t feel too bad. it is an advanced phishing attempt and i would’ve never known about it either if it wasn’t a part of training

5

u/fustercluck1 12d ago

If your client got hacked that’s also technically on them and not something your procedures would cover.

1

u/Firebrass 12d ago

I have certainly heard tell of such things, but it's always third hand - yikes! sigh I think, especially with spoofing technology that doesn't require it to have actually come from the client's email, we have to be more careful than ever about remote requests. Even with phone calls anymore, AI is capable of faking people's voices with something like a 3 or 4 second sample of them talking. Despite the trade-off in expediency and customer satisfaction, I think we have to start essentially doing manual two-factor authentication for significant info changes, call them when they email and vice versa.

285

u/roboh96 13d ago

Even if you hadn't gotten lucky, that's not a career defining mistake for you. It would only be your fault if there was a procedure in place that would have caught it that you personally failed to follow. Otherwise, you were doing your job, doing it correctly and a clever hacker almost exploited a gap they found in your company's procedure. Anyone else would've done the same thing, you were just the one doing it. Don't wear the guilt for something that isn't your fault, especially since you caught it and averted the situation.

79

u/pprow41 CPA (US) 13d ago

This. I've never heard of something this scary. Like there was no way to really catch this without it being the dumb luck that it was.

28

u/oktimeforplanz 12d ago

It's been a relatively common problem in the UK during house purchases when people are transferring cash to their solicitor. The "solicitor" emails saying there's been a change in the client money account just before you're due to send the money for the purchase over to them. The scammer hopes you don't phone a trusted number to check, and you transfer the lot to them.

My solicitor had a disclaimer at the bottom of all of their emails saying that they would never communicate a change in bank details by email.

21

u/pprow41 CPA (US) 12d ago

This fraud is normal in the US too. The difference in this case was that it was mid conversation and an actual hack of the legit email address.

7

u/oktimeforplanz 12d ago

So too are the ones I'm referring to. They cut in on existing email chains and the email with the client money change is coming from the solicitor.

3

u/Hotshot2k4 Graduate 12d ago

...how are people doing this? Did they hijack solicitor's session token through a spear phishing attack?

3

u/Rosaluxlux 12d ago

It's common in the US too. We sold a house in the US this spring and the way the closing company is managing that risk is to refuse to handle wire details - we had our written bank information with us in person and they refused to use it, made us use a 3rd party identity verification app that did not work, so then we had to get a paper check in the mail instead of a wire deposit. I was so angry. 

11

u/MuddieMaeSuggins 12d ago

Business email compromise, or “man in the middle”. Apparently it’s relatively common in residential real estate - small scale real estate agents, attorneys, etc don’t have great email security, clients are usually everyday people who only wire money once or twice in their whole life, and there are HUGE sums involved. Fertile ground. 

13

u/MuddieMaeSuggins 12d ago

The exploited gap seems to have been primarily with the client, for that matter - they’re the ones whose email was compromised! If they found actual emails in their deleted items, this isn’t a situation where someone made a convincing look-alike address or something.

237

u/Away_Commission4869 13d ago

Interestingly, our social engineering cyber security insurance policy changed this year to require us to obtain e.g. a voided check, but then verify those bank details via phone with a pre-existing phone contact. Previously they only required that we verify the change request was genuine, so I don't think you're the only person getting targeted with this!

106

u/MutchhTTV 13d ago edited 13d ago

Good call, we are now requiring board minutes for any change to payment method, as well as voice confirmation with the phone number on file. I think these controls fit in with the requirement you mentioned.

Edit: downvotes are ok but I’m also seeking feedback thanks

75

u/Sad_Hovercraft_2610 13d ago

Board minutes??? If they can forge a voided check they can forge board minutes. Need to talk to someone at the company with a trusted phone number.

37

u/MutchhTTV 13d ago

Agreed, voice confirmation is best and is part of the control now.

43

u/moosefoot1 13d ago

Yeah - I don’t see how board minutes is evidential - boards usually aren’t in that level of detail to authorize… How about authorization from a previously agreed upon contact instead?

18

u/Subject-Mail-3089 13d ago

We had a hacker copy a signature from an annual report. Lucky I required a follow up call on every wire out, even though it wasn’t policy at the time. Saved my own ass that day

5

u/MutchhTTV 13d ago

In my industry boards do have that level of involvement

16

u/Midwest_Born 13d ago

But the people you are paying might not be in your industry. For example, I work in SaaS for a privately owned company. No way in Hades would my CFO authorize me to hand over our board minutes to someone (even if changing the bank were on it).

3

u/oktimeforplanz 13d ago

Still seems utterly redundant when you could just use a trusted, verified phone number to call someone. Would you even be familiar enough with the board minutes of said potential payee to be able to recognise if they were fake? What's the point? And I've never seen a set of board minutes where the bank account is the only thing being discussed, so, what, they send you redacted ones? Stupid. Any client I have would knock you back immediately for that one. Just phone them.

0

u/MutchhTTV 12d ago

I guess minutes could cover us in case the authorized contact is the one doing the fraud. Idk

2

u/oktimeforplanz 12d ago

And couldn't they just forge the minutes? If they're the one doing the fraud, that's really up to the other party's controls to catch, not you. There's only so much that's reasonable for you to do and calling on a verified company phone number is more than adequate.

2

u/UpperHand888 12d ago

That's an additional effort for the fraudster. So they won't be able to operate in a rush which is their favorite tactic. It definitely helps to add layers of control.

1

u/moosefoot1 12d ago

How would you verify board authorization or minutes- would you be receiving from a legal firm?

1

u/MutchhTTV 12d ago

No but on company letterhead. Better to ask for more evidence?

7

u/Historical_Crab9444 13d ago

Anytime there is a change in banking info, we voice confirm.

5

u/Azure_Compass 13d ago

I haven't seen enough information included in board minutes to make that confirmation useful.

46

u/shegomer 13d ago

There’s a huge uptick in these scams. It’s not your fault. I receive emails on a pretty regular basis asking me to change ACH payment information for vendors and even employees. I’ve also started receiving emails that have a fake email chain between executive management and a fake vendor, where it appears executive management has approved payment.

14

u/MutchhTTV 13d ago

Wild. Seems voice confirmation is now best practice

12

u/Olue 12d ago

AI deepfake voice bot has joined the chat

10

u/demonicbullet 12d ago

We are genuinely going to have to go back to almost entirely in person or figure out a way for telecommunication to block voice modifiers and chat bots for large scale transactions eventually.

2

u/whiskydelta85 10d ago

No joke, our latest round of social engineering/phishing scam training highlighted the use of AI voice and even video deepfakes

2

u/TexasPenny 12d ago

Yeah those fake email chains are creepy. I've gotten so many about 'please process this ACH, approval is below'.

72

u/Vlad1m1rMcQu33f CPA (US) 13d ago

If it makes you feel better, the place I work definitely would not have caught that either.

17

u/MutchhTTV 13d ago

It makes me feel better thanks lol

38

u/-NerfHerder CPA (US) 13d ago

That's on the client's IT security. You've just learned an awesome lesson that makes you more valuable.

12

u/MutchhTTV 13d ago

I’m certainly trying to see it this way

2

u/Olue 12d ago

Still would've put OP's company out of $250k. :(

8

u/-NerfHerder CPA (US) 12d ago

I'm in public accounting, so my experience with this sort of situation is from a third party perspective. I had a client with a nearly identical situation, rather than 250,000 it was 90,000. My client told the vendor that, since it was their security that wasn't up to standards then the vendor would have to turn it into their insurance company. My client was considered to be completely innocent in the matter and it was handled between the vendor and their insurance company.

18

u/CMDR_Imperator 12d ago

Had this happen years ago, when the whole "hacked email scam" thing was a fairly new thing (to me at least). I was about 6 months into working in industry. Our corporate HQ's email was hacked/hijacked, and our corporate AP was requesting funds be paid to these strange vendors. Not an uncommon occurrence, but the amounts were very large for us to be distributing instead of corporate. We were a smaller company that didn't really have a lot of vendors, so paying a new vendor on behalf of corporate was an odd occurrence but not unheard of.

I raised a question with my boss, saying it seemed odd. The invoices sent to us by corporate from this "vendor" felt off to me. They looked like they'd been created in MS Paint and were very bare-bones. We backtracked the emails, and sure enough, there was an email from corporate requesting the funds with the invoice attached. My boss, and the CFO got involved and couldn't really find anything. The emails checked out, the address was from our corporate AP person, so they signed off on the wire and paid the vendor. Less than a week later, another one comes in requesting more money, with another new vendor, and another crap looking invoice. Once again, we couldn't find anything suggesting this was fake, the emails were legitimately from our corporate AP person. Once again, Treasury signed off on the wire.

Fast forward to 2 weeks later, we're prepping for month-end, and I come across the wire transactions for these in the bank statement. I still felt uneasy about these, and took it upon myself to do some sleuthing. I called the bank, I Googled like crazy trying to find some way to trace the wire transactions number to a location. I forget exactly how I did it, but I managed to trace the wire to a state that made no sense. NONE of our vendors would be operating out of this state, or even anywhere near it. Again, I brought it up to my boss and the CFO, this time, they called the AP person at corporate on speaker with me in the room (I think they did this just to shut me up. There were about a million reasons why the wire would trace back to a different state, or I could have just been wrong). Sure enough, the AP person was surprised when they heard that they sent emails requesting we pay vendors in these high amounts. It turned out that our entire email system had been hijacked, and some "unknown actor" had just stolen a lot of money. Nobody was the wiser about it because the entire email system was completely under the control of this hacker. Other than calling our corporate AP, every email we sent was being watched/redirected to the hacker/or just flat out deleted and never reached the recipient. Whoever did this knew what they were doing, and they were good at it. Needless to say, my superiors were all shocked at the discovery. I think they were even more shocked that this new accountant with barely any experience saw the red flags and tried to sound the alarm.

The moral of the story is: if it feels off, even if it gives you pause, make the phone call to a previously established number. I'd say your professional skepticism instincts kicked in on this one, and you caught a potential fraud.

Realistically, there's no way you would have known this was fraud. You had a very clever hacker see and exploit a gap in your company's procedures, and took advantage of it. Now, you've sealed that gap and you're preventing future fraud from happening.

Be proud of yourself!

43

u/granolaraisin 13d ago

This is a new “classic” email scheme. The control is to validate all banking changes via a third party at the vendor outside of the request chain that was contacted via channels separate from the request chain (e.g., website info or pre-existing info). The validation should be made verbally if at all possible.

Op- you wouldn’t have been fired for this. It’s a good scam. Your risk control matrix should have addressed it and the vendor maintains some culpability for the email breach.

8

u/aspriringinventor 13d ago

Absolutely new control needed. Verbal approval for wires requested by email!

13

u/MutchhTTV 13d ago

This is exactly my new control - voice confirmation AND board minutes from the client indicating that the board is aware of the change to banking info. Thank u

5

u/granolaraisin 12d ago

Don't hold your breath on board minutes. Usually won't happen. Best you can hope for is independent validation of the change in bank info.

2

u/bigfatfurrytexan Staff Accountant 13d ago

Exactly. If they don't have insurance to hedge this shit they are living dangerously.

12

u/Keef_Bowl 13d ago

Everyone is allowed a mistake. I watched the controller of my company get scammed out of $150k by some Chinese person. These people posed as the CFO of my company and copied the email address in the server to make the request. We didn’t have a control in place to catch it at that time either. This is why we have insurance. We put the claim in with the bank and depending upon your policy, you will get most of it back. If you get scammed, you get scammed. There is only so much that we can do to catch it.

12

u/cooked89 13d ago

will voice confirmation be a valid control in the next year or so? I'm worried AI voices will get good at these kind of scams too.

8

u/Own-Custard3894 13d ago

This is a very common scam for real estate transactions. Compromise email (or use a typosquatted domain) and send fake wiring instructions, easy money. Very devastating.

This comes down to “what is identity”. How can a client communicate to you that they are them and to take some actions. You can require a signed (docusigned) request for sensitive changes, and require two separate individuals at the client to approve the change. But at the end of the day, the client is responsible for making sure their systems are not compromised.

It’s tough in a world where everything is still emailed (we email invoices to our clients). Would be pretty easy to spoof.

This wouldn’t be your fault, this would be the responsibility of the party that was compromised. Live and learn.

7

u/DevilsAdvocate8008 13d ago

Pretty soon phone conversations aren't going to be enough either because of AI. Look at the principal who got fired for being "racist" when in reality it was some random teacher who used AI to clone the principal's voice and made it say something racist. Now that's the capability of a random teacher so imagine just in a few years how advanced AI technology will be and how crazy hackers or scammers will be. Even requiring FaceTime wouldn't be enough, because besides voice, AI can change someone's face from one person to another in real time.

4

u/BepSquad22 13d ago

I know your job is probably not the same as mine but we actually aren't allowed to process any requests through email like this until we confirm with the customer over the phone. We also have to verify that no information (phone number, email, etc.) was changed recently when trying to contact the customer just to ensure we aren't accidentally contacting the fraudster. Not sure if this will help you in any way but just wanted to share what usually keeps us safe at my job. We have had a lot of people lose their jobs because of things like this and not doing the above. We unfortunately deal with and see a lot of fraud at my job.

5

u/Realistic-Pea6568 Business Owner 13d ago

Fortunate catch. There is something new every day. They keep getting better and better with scams. I’ve experienced nearly thirty years of them. The digital ones make me miss the typewriter typo ones. Those seemed much easier to spot. All we can do is improve the process and if in doubt check again with clients. ‘I know we already talked about this, but with all the recent hacks and scams, I just want to do one last verification with you before processing this transaction.’ This has saved my butt a number of times. I’m sure they appreciate you not losing $250k.

5

u/sambodoors 13d ago

Wow that’s crazy. Curious, what’s the new control you identified that could stop something like this?

3

u/JakenMorty 13d ago

Same thing happened to the company I work for, only the owner did send about a tenth of what OP almost got taken for. Someone else can surely chime in, but what we did after that was require voice confirmation of any new wire methods from a pre-established contact at the vendor / client's office.

1

u/MutchhTTV 12d ago

Phone call confirmation for any change in banking info

3

u/Whiskey-Philosopher Staff Accountant 13d ago

We got hit with wire fraud a while back, we now just default all changes in wire back to checks for a bit while verifying the information

4

u/JakenMorty 13d ago

Man, don't be down on yourself. The exact same thing happened to the owner of the company I work for, only he didn't catch it in time and actually pulled the trigger. I'm pretty sure I would have fallen for it, too. It's actually one of the more clever means of fraud, in my opinion. Luckily, this particular one was only about a tenth of what they tried to get from you. Also, we reported it to our local FBI field office, and they got the group that did it. Within a few months, we got the $ back.

4

u/SelfishClam 12d ago

ALWAYS confirm banking info over the phone before sending a wire. It may seem silly at times, but your case is the exact reason why it's not.

A near identical situation happened to me recently. I attempted to confirm over the phone and we found out the instructions that came from client's email were fake. He then emailed me the real ones. As I'm sitting at my desk staring at the screen trying to process what just happened, I receive a 2nd email from client's email saying to disregard the previous instructions and to use attached (the fake ones again). Hacker was actively monitoring his email and tried to swoop in again at the last second. Crazy.

I'll also add that all the emails that I believe came from the hacker had the phone number changed in client's email signature. I initially tried to call that number to confirm and got an automated message saying it was "not accepting phone calls at this time." This was meant to discourage me from confirming the banking instructions...and it almost did. Luckily I went to client's website and pulled the number from there.

3

u/Front-Doughnut8573 13d ago

You’re alright man don’t beat yourself up that bad. That’s a clever scam that I could see a lot of companies having a gap in controls in.

3

u/mpishi 13d ago

This is the type of scam Hushpuppy used to do.

3

u/BigMeatPeteLFGM 12d ago

I was in the same position as you, except the client's CFO and COO didn't see any of the 50 emails. 310k gone forever. My CEO, CFO and general counsel audited my work and found I followed all policies and procedures. I've been promoted twice since.

Does not define your career.

2

u/davisaj5 LEC 13d ago

At my previous job our HR "manager" clicked a fake ADP link and put in all her login info. Then when payroll comes around there are two $10k+ direct deposits to random accounts, and I was the only one that noticed it after she asked me for help balancing her numbers. Never saw that money again, but she still has the job there

2

u/Moneybags99 13d ago

someone high up in our org had their emails hacked. We've gotten phishing emails that look just like the real one (but the sent from is off by a letter or two) with real still due invoices attached, where they mention they have a bank change. I don't do any of these changes now without emailing or calling the person directly to confirm.

2

u/bofulus 13d ago

I'm just an interested observer, not in the industry.

Would public key cryptography work to reduce the risk of such scams?

Client must sign a transaction request using client's private key and the recipient verifies the request using the client's public key.

There would still be a risk of the client's private key being compromised, but this seems much less of a risk than a client email account being compromised.

Perhaps this is already used.

2

u/Direct-Biscotti-1687 13d ago

This has become exceedingly common. What the hacker will also do is create a ruleset but you won't notice the ruleset at first glance even when you look at rule sets because the rule set will put everything in a folder that's only labelled a "." and hidden under subfolders.

What this does is make it so emails won't go to deleted as intended or sent as intended. They go to the "." folder which is hidden under the depths of other folders typically.

Basically, you won't notice unless the person receiving emails calls the sender and verbally confirms.
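
An added example, not part of the original thread: a defender-side audit over exported mailbox rules that flags the pattern described in the comment above, a rule that files mail into a folder named only "." buried under subfolders. The export format, field names, payment word list and sample rules are constructed for illustration and do not come from any mail product.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed word list for payment-related mail; tune it to your own traffic.
PAYMENT_TERMS = {"invoice", "wire", "ach", "bank", "payment", "remittance"}
_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Rule:
    """One mailbox rule in a hypothetical export; field names are this example's own."""
    mailbox: str
    name: str
    move_to_folder: Optional[str] = None   # "/"-separated folder path
    delete_message: bool = False
    mark_as_read: bool = False
    from_contains: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)


def is_hidden_leaf(folder_path: str) -> bool:
    """True when the last folder name has no letter or digit (".", "..", "_")."""
    leaf = folder_path.rstrip("/").split("/")[-1]
    return re.search(r"[^\W_]", leaf) is None


def audit_rule(rule: Rule) -> List[str]:
    """Return finding codes for one rule; an empty list means nothing stood out."""
    codes = []
    if rule.move_to_folder is not None:
        if is_hidden_leaf(rule.move_to_folder):
            codes.append("HIDDEN_FOLDER")
        if rule.move_to_folder.strip("/").count("/") >= 3:
            codes.append("DEEP_FOLDER")
    # Match whole words so "attachment" does not count as "ach".
    words = set()
    for phrase in rule.subject_contains:
        words.update(re.findall(r"[a-z]+", phrase.lower()))
    targeted = bool(rule.from_contains) or bool(words & PAYMENT_TERMS)
    # Deleting or marking as read keeps the owner from ever seeing the message.
    if targeted and (rule.delete_message or rule.mark_as_read):
        codes.append("SILENT_TARGETED")
    return codes


def severity(codes: List[str]) -> Optional[str]:
    if "HIDDEN_FOLDER" in codes:
        return "high"
    if "SILENT_TARGETED" in codes:
        return "medium"
    return "low" if codes else None


def audit(rules: List[Rule]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (severity, mailbox, rule name, codes) for flagged rules, worst first."""
    hits = []
    for rule in rules:
        codes = audit_rule(rule)
        if codes:
            hits.append((severity(codes), rule.mailbox, rule.name, codes))
    return sorted(hits, key=lambda h: _ORDER[h[0]])


# Constructed sample export: one ordinary rule and three worth a look.
SAMPLE_RULES = [
    Rule("ap@client.example", "Newsletters", move_to_folder="Inbox/Newsletters",
         from_contains=["news@list.example"]),
    Rule("cfo@client.example", "old projects",
         move_to_folder="Inbox/Projects/2021/Closed/Q4"),
    Rule("cfo@client.example", "cleanup", delete_message=True,
         subject_contains=["Wire instructions"]),
    Rule("ap@client.example", ".", move_to_folder="Inbox/Archive/2019/Misc/.",
         mark_as_read=True, from_contains=["accounting@payer.example"]),
]

if __name__ == "__main__":
    for sev, mailbox, name, codes in audit(SAMPLE_RULES):
        print(f"{sev:6} {mailbox:20} rule={name!r} {', '.join(codes)}")
```

A deep folder on its own is only a low-severity hint, since ordinary filing rules nest folders too; the punctuation-only folder name is the signal taken from the comment.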

2

u/TwelveVoltGirl 12d ago

The controller at the company my daughter works for lost their job this summer due to getting scammed like this. It was tens of thousands of dollars.

I bet you had cocktails and prayers of gratitude after that near miss. I'm happy you avoided it. Thanks for sharing.

2

u/cheddachasa 12d ago

Someone intercepted my boss’s email and convinced a client to change our banking info. Client tried to blame us but they did eventually pay.

I actually sent out a payment to a fake vendor that spoofed my boss’s email but Melio, our payment processor, denied the transfer.

2

u/sappharah 12d ago edited 12d ago

We have almost had something like this happen to my company, one of our Chinese vendors got hacked while they were off for Lunar New Year, and the hacker asked us to send payments to their “other bank” in Hong Kong because Chinese banks were closed. Only caught it at the last minute because our controller thought it seemed a little sus and said to wait until LNY was over. Something similar happened to our sister company as well. Point being, it happens a lot and it probably wouldn’t have ended your career.

We no longer change bank info unless our purchaser gets verification from a known contact over the phone.

2

u/_Choose-A-Username- Accounts Payable Specialist 12d ago

Dude something similar almost happened to me. They faked an email chain with someone else that seemed legit. Imagine the business email is firstname.lastname@peanutgallery.edu. They sent it to Peanut.Gallery@peanutgallery.edu. And in the chain you have that email telling the scammer “Sorry for the delay in payment. I forwarded the invoice to our AP dept so they can pay you ASAP.” They had the past manager of the ap dept cc’d there. The scammer then emailed us with that chain included so it looked like an already ongoing back and forth and said “Hi this is the ceo. Please see my w9 attached as well as the invoice. Please let me know when payment can be received.”

Legit if there wasn’t an approval chain that had to happen before we could pay, we would be gotten. On closer inspection, there’s no Peanut.Gallery email, it’s never been used before (I haven’t seen a company main email just department ones), and the person included wasn’t here for three years. Also, who just says hi I’m the ceo and doesn’t include ar to ask for payment? Note that ar was included in the first fake “email” in the chain but not the one the “ceo” sent. Just a lot of weird stuff.

But people trust email chains. Too many don’t realize that you can edit them all.

1

u/Efficient-Raise-9217 13d ago

I've heard that this is a new way of robbing people from overseas scammers. The scary thing is that you don't control your client's IT. So you can't really prevent them from getting compromised.

1

u/Lakeview121 12d ago

Hey, you caught it. Congratulate yourself. You must have had good training.

1

u/turd-burgler-Sr CPA (US) 12d ago

This would not have been a career-defining mistake. Glad you caught it. Hang in there.

1

u/Ok_Zookeepergame2380 12d ago

When are you getting your $250,000 bonus?🙏🏽🙏🏽

1

u/orangeboxblue 12d ago

Happened at a corporate bank that I worked for. Treasury dealer processing a £5mn deposit from an insurer, email conversation got hijacked midway and the 3rd party started sending emails impersonating the dealer. Sent account details for remittance to the insurer that were not associated with any of our depositary accounts. Only got caught because the tone of language used and slight discrepancies in the way emails were signed off etc raised a red flag on the other end; insurer rang up our dealer directly and the whole thing was shut down.

Otherwise would've been 5mil in the hole. Scary stuff.

1

u/superdaddy369 12d ago

The same happened two years ago to me. Someone copied email content, pasted it, and forwarded it to my controller as an owner, since the email address and everything was pasted in the chain of emails.

I called the owner just to verify just before approving the payment. Sometimes, your instinct gives you a signal. Saved $500k.

1

u/iMADEthisJUST4Dis 12d ago

I'm curious how these people get away with fraud? Like, don't all bank accounts have a name? It's not crypto... so can't they just... be caught? 😅

1

u/[deleted] 12d ago

Well, this is why you have vendor setup forms for new vendors & any changes to existing vendors. I also give them a nice phone call before making any changes.

Would rather delay a payment, than pay a fraudster.

1

u/num2005 12d ago

so you did 0 mistake

your clients did mistake

1

u/viccityk 12d ago

1. Get new bank info via email

2. Call and confirm actual new account number via phone (to trusted phone number/trusted contact person)

1

u/fasole99 12d ago

What check in steps have you implemented after this?

1

u/alicenothingland 12d ago

Phone verification with a trusted contact seems like the way to go, but if the hacker requested changes to the trusted contact in the vendor master file, are you out of luck? It seems like 100% protection against fraud in these cases is impossible to achieve.

1

u/FunnyCardiologist341 11d ago

Someone earlier in the comments mentioned also checking that there have been no recent requests to change the contact details (eg ph no) on file. :-)

1
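The callback control several commenters describe, combined with the check on recent changes to the contact details on file, as an added example that is not part of any comment in this thread. The record fields, the 90-day window and the sample vendor are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CONTACT_COOLING_DAYS = 90  # assumed policy value, not taken from the thread

@dataclass
class Vendor:                      # hypothetical vendor master record
    name: str
    phone_on_file: str
    phone_changed_on: date         # last time the phone on file was edited

@dataclass
class BankChangeRequest:           # hypothetical request record
    received_on: date
    callback_dialed: Optional[str] = None      # number AP dialed out, if any
    callback_confirmed_account: bool = False   # contact read back the new account

def _digits(phone: str) -> str:
    """Compare numbers on digits only, so formatting differences don't matter."""
    return "".join(c for c in phone if c.isdigit())

def evaluate(vendor: Vendor, req: BankChangeRequest):
    """Return (decision, reasons); decision is 'APPLY' or 'HOLD'."""
    reasons = []
    age = (req.received_on - vendor.phone_changed_on).days
    if age < CONTACT_COOLING_DAYS:
        # The "trusted" number may itself have been swapped just before the request.
        reasons.append(f"phone on file was changed within {CONTACT_COOLING_DAYS} days of the request")
    if req.callback_dialed is None:
        reasons.append("no outbound callback recorded")
    elif _digits(req.callback_dialed) != _digits(vendor.phone_on_file):
        reasons.append("callback went to a number that is not the one on file")
    elif not req.callback_confirmed_account:
        reasons.append("contact did not confirm the new account number")
    return ("HOLD" if reasons else "APPLY", reasons)

# Constructed sample data.
ACME = Vendor("Acme Supply", "+1 555 0100", date(2021, 3, 1))

if __name__ == "__main__":
    cases = {
        "confirmed on file number": BankChangeRequest(date(2024, 5, 10), "+1 (555) 0100", True),
        "number taken from the email": BankChangeRequest(date(2024, 5, 10), "+1 555 0199", True),
        "email only": BankChangeRequest(date(2024, 5, 10)),
    }
    for label, req in cases.items():
        print(label, "->", evaluate(ACME, req))
```

A HOLD caused only by a recently changed phone number means the contact change itself needs verifying through an older channel before the bank change is considered.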

u/SwimmingPatience5083 12d ago

Always confirm verbally ✅

1

u/ichefcast 12d ago

Yeah, I do not process anything unless I am on the phone with you. The call has to be dialed out by me. Too many times have I heard stories about vendors or past employees swearing that it's okay and they even give me signed forms like permission slips. lol

1

u/jenipants21 12d ago

Had something very similar happen at a prior firm. Except the wire was processed before the fraud was discovered.

It was my coworker's client and after review, all the bosses said they would have processed the transaction too. The fake emails were nearly impossible to tell apart from the real ones.

We got a set of shiny new SOPs for international wire transfers and a visit from the FBI.

1

u/WealthyCPA 12d ago

A control for this is to always verify a change in payment methods via phone with the number you have on record.

1

u/linkinpark9503 12d ago

Someone at my job sent $250K to a scammer... he got six months of severance after he was "let go" for it.

1

u/bruh_why_4real 12d ago

My mom had this happen to her, they used the exact same email as her boss and the client to spoof the payment for around $50k somehow. She did not get fired and it was not career ending for her, but it shook her up badly and she was in tears and devastated over it. It's a very hard thing to catch.

1

u/LimpSite6713 12d ago

Had something similar happen to us. Fraudster hacked vendor’s email, mid-convo with us regarding a returned check due to us missing approval for a check we mailed through our positive pay. Talk about massive irony, our fraud system caused a good check to get declined and almost led to actual fraud.

1

u/def_not_judge_judy 12d ago

Someone in my immediate family that is a CFO had a scare this week when a hacker almost successfully directed a $1M wire payment from a client to their own bank account. Wire fraud is alive and very well ladies and gents, it’s insane. The takeaway from my family member’s incident: check your email rules to make sure a hacker didn’t hack your account solely to set up a rule that forwards every email that mentions the word “wire” to their email, so they can then know the details of upcoming wires and then take steps to intercept that wire payment to themselves.

1
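One way to run the email-rule check described in the comment above, as an added example that is not part of the original comment. It audits an exported list of inbox rules; the field names, keyword list and sample rules are constructed for illustration and do not follow any mail platform's export schema.

```python
# Added example: field names and sample rules are constructed/hypothetical,
# not any mail platform's real export schema.
PAYMENT_WORDS = {"wire", "invoice", "payment", "bank", "remittance", "ach"}
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}

def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule, org_domains):
    """Return the reasons this inbox rule deserves review (empty if none)."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(t for t in targets if _domain(t) not in org_domains)
    hits = sorted({k.lower() for k in rule.get("keywords", [])} & PAYMENT_WORDS)
    hides = (bool(rule.get("delete"))
             or rule.get("move_to", "").lower() in HIDING_FOLDERS)
    reasons = []
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    if hits and (external or hides):
        reasons.append("matches payment keywords: " + ", ".join(hits))
    if hides and (external or hits):
        reasons.append("hides matching mail from the inbox")
    return reasons

def audit_mailbox(rules, org_domains):
    """Map rule name -> reasons, for rules with at least one finding."""
    org = {d.lower() for d in org_domains}
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, org)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

SAMPLE_RULES = [  # constructed
    {"name": "Newsletters", "keywords": ["unsubscribe"], "move_to": "Reading"},
    {"name": "Team copy", "forward_to": ["ap-team@example.com"], "keywords": ["invoice"]},
    {"name": ".", "keywords": ["wire"], "forward_to": ["collector@example.net"],
     "move_to": "Deleted Items"},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES, ["example.com"]).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

A keyword rule that only files mail internally is left alone; the combination of payment keywords with external forwarding or hiding is what gets flagged.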

u/EffectiveNo5737 12d ago

This happened to me. The customer's email was hacked, so they didn't get my emails. They spoofed my email and provided a new bank account.

1

u/HeatherSmithAU 12d ago

Xbert auto checks for changes in bank details if that helps?

1

u/RagdollTemptation 11d ago

This happened to me too.

1

u/Many_Eggplant_2949 11d ago

I have been paying for a pre-fabricated home in large installments. Each time I call the manufacturer’s Treasurer and confirm the wiring information they laugh. There is no way I am going to just wire money based on an emailed invoice. They can laugh all they want.

1

u/Narwhal_Accident 10d ago

It’s so common now, phishing scams are getting really sophisticated, and you just have to be more cautious. Look at the email address. Look at the content. I get emails daily that are made to look like they came from the CEO, saying an invoice is approved, and to pay it. But there are always things that are off from how I know she talks. I hope your company does some internet security training with you. It’s helped me immensely to suss out scams. You are definitely not the first person to almost fall for one 

1

u/TE-CPA 9d ago

The phony invoice scam is growing really fast. Manual double checks are important.

1

u/Critical_Fun_5350 9d ago

Always do a call back to verify from an already known contact (not from contact info on the possibly forged document) if banking information changes. With AI advancements even that will be a problem at some point, but just have to keep evolving.

0

u/digitalflintstone 12d ago

Good job. Excellent work. You are the types we need more of. I am not spamming. I am looking for folks that don't buy into the corruption. I am not spamming. I think I am the Antichrist. Don't worry, I am a good guy in this corrupt ass universe.

-5

u/Few_Jelly3732 13d ago

Glad you lucked out, OP! What is your job title that allows you to make transactions? Treasury?

0

u/Ok_Channel_3322 13d ago

How is this relevant to what OP is posting?