Make sure your payments can’t be intercepted

0

I was recently approached by a client with an interesting case that on the face of it looked like a simple debt collection. Our client owns a business in the concrete trade and had sent a client a progress invoice for $7500. The client received the invoice and paid it by the due date, which was great. 

The only issue was that the money never arrived in our client’s account. After some investigation, it was found that the client’s email had been hijacked and the invoice was intercepted, modified with different bank account details and then sent on to the client.

However, our client hadn’t set up their client in their internet banking. Their client made a manual one-time payment matching the invoice that they had received from our client’s official email address.

The issue with this is that although there is definitely a very dishonest element involved with the substitution of the invoice’s payment details, the payer paid the monies into the wrong account themselves.

And that puts the banks in an interesting position. If their own systems are hacked or compromised internally, they have policies and insurances that protect their customers and will almost always cover any losses. 

In this situation a private individual or company’s systems have been compromised and more often than not they will be using either free or inexpensive software or email systems that have minimal protection and abilities for tracing data breaches.

These types of scammers know this well and also know that police are often not resourced to launch a lengthy and very expensive investigation for a single incident. And mostly these scammers are based overseas with New Zealand accomplices so there are also jurisdiction issues at play.

From a debt collection perspective it is a very sticky situation. The “debtor” can prove that they paid the invoice as it was presented to them, so there is no ill  intention or lack of capacity to pay. And the “creditor” can prove that they have not received the money. The issue lies in the invisible conduit between the two parties, which in my experience is a very expensive thing to unravel.

We cannot pursue a debt if it is disputed with a valid dispute and a “debtor” being able to show a cleared funds payment that matches an invoice with a time stamped email from the right address certainly meets that criteria.

We have seen less hi-tech versions of these scams that involve accounts or sales staff changing the bank account details on invoices, or having clients pay them direct to take advantage of “staff pricing”. In these situations, the employer company is unable to pursue their customers as an authorised representative of the business accepted the payment, unless they can prove that the customer was knowingly involved in the deception.

In the UK there are numerous instances of county court judgements ordering payers to pay again when they have been a victim of this scam.

Like most of my advice about credit management, the best cure here lies in prevention. It can be an arduous and time-consuming task to change a company’s banking relationship. It isn’t something decided in the morning and executed in the afternoon, especially when there are lending and guarantees / mortgages involved. 

My tips are that, if a supplier relationship is going to be a long-term one, or with a high value supplier, then ask for a deposit slip or a confirmation when you are setting them up in your payment system, and question any bank account changes by phone not email. When a company is sold, or there is a management change, then reconfirm that the bank account details haven’t changed or, if they have, ask that these be confirmed in a method other than email.

It’s always better to check twice rather than pay twice.

Just a thought.

Share.

About Author

Nick Kerr

Nick Kerr is Area Manager BOP for EC Credit Control NZ Ltd. He can be reached at nick.kerr@eccreditcontrol.co.nz

Comments are closed.