Who takes the hit

reideng

eddddy said:

reideng said:

One of my customers whom we have been dealing with for some time now received our usual email with a word doc. containing our invoice but it had been altered between us sending and them receiving, what had been added was a different sort code and account number. 

Has the customer sent you back the modified word doc?

TBH, I'd be amazed if a scammer was this stupid - but if you have the modified doc, maybe look at "Last Modified By" and "Last Modified" date and time for the doc to see if it shows anything useful.

(Depending on your version of Word this info might be under 'File>Info')

Hi yes we got it back and it had been "modified by windows user" containing the hackers bank sort code and account number which googled came up with prepaysolutions.com which is a bank

Thanks for your help

stragglebod

So did your customer receive two emails, a genuine one from you plus the fake? Or just the fake?

davidmcn

reideng said:

Sandtree said:

davidmcn said:
Does that make a difference? It's trivial to forge any of them (until you go as far as e.g. a securely-signed pdf).

OP, have you ever given the customer your bank details by any other method? At least some e.g. law firms now say "we won't send you our bank details by email", or at least provide explicit warnings that this sort of thing goes on so be sure to double check e.g. by phoning.

It depends what you think has happened... certainly wont make any difference to any “professional” scammer but may deter an opportunistic person who doesnt know how to doctor PDFs etc (a much easier task now that Word etc opens them).

I personally havent heard of anyone blocking a legitimately sent email, doctoring the attachments and then sending it onwards to the original recipient but that is the only scenario where if both parties are being fully honest this could have happened. It seems more likely either a wrong invoice was sent in the first place or the correct invoice was received and then doctored by the customer. I am guessing this is a B2B relationship and so potentially the person the OP is talking to is being honest but they have an employee thats the culprit. 

The first step is obviously to ask them to forward (not reply) the original email to you and then you need to double check a) that the header details tie up with your email records and b) look at the meta data of the word file to check created on, last updated on, last updated by etc to see if it sheds any light on the matter.

We are both small companies 6 and 8 staff and are just around the corner from each other and have been invoicing each other for a few years with the invoice and the email stating a change of bank details and asking to be paid BAC's next day should have sent up a red flag

I'd be inclined to agree with you. If I were asked to change the account details for a regular supplier, I'd be double-checking.

reideng

reideng said:

eddddy said:

reideng said:

One of my customers whom we have been dealing with for some time now received our usual email with a word doc. containing our invoice but it had been altered between us sending and them receiving, what had been added was a different sort code and account number. 

Has the customer sent you back the modified word doc?

TBH, I'd be amazed if a scammer was this stupid - but if you have the modified doc, maybe look at "Last Modified By" and "Last Modified" date and time for the doc to see if it shows anything useful.

(Depending on your version of Word this info might be under 'File>Info')

Yes they sent it back to us and I checked it and found it had been modified buy "a windows user" He was kind enough to leave his bank details which led us to Prepaysolutions.com who are looking into this,  thank you for taking the time to comment

Also forgot to mention that for a few days after this happened this customer only( and no one else), was unable to send emails to us, they just did not arrive in our in box

reideng

stragglebod said:

So did your customer receive two emails, a genuine one from you plus the fake? Or just the fake?

Just the fake

JamoLew

You could set up a dummy/fake email address and send a pretend invoice to that account

Then check that email account and see what arrives

If might help you identify if the emails are getting intercepted FROM you or TO the customer

Also you could ask the customer to do something similar -- you need to identify who has/where the breach is

theonlywayisup

reideng said:

reideng said:

eddddy said:

reideng said:

One of my customers whom we have been dealing with for some time now received our usual email with a word doc. containing our invoice but it had been altered between us sending and them receiving, what had been added was a different sort code and account number. 

Has the customer sent you back the modified word doc?

TBH, I'd be amazed if a scammer was this stupid - but if you have the modified doc, maybe look at "Last Modified By" and "Last Modified" date and time for the doc to see if it shows anything useful.

(Depending on your version of Word this info might be under 'File>Info')

Yes they sent it back to us and I checked it and found it had been modified buy "a windows user" He was kind enough to leave his bank details which led us to Prepaysolutions.com who are looking into this,  thank you for taking the time to comment

Also forgot to mention that for a few days after this happened this customer only( and no one else), was unable to send emails to us, they just did not arrive in our in box

A friend had similar.  She has a business and her client was emailed (from the bonafide email address) with a quickbooks invoice with altered bank details.  There was also a trail of conversations to/from said client and the scammer but none appeared in her mail.

Log in to your mail provider (hers was Ionos) and check the rules that have been set up.  Hers had a rule for mail from x client to go to a forwarding email address and the replies to be filed in a notes folder.  All of this was visible on the mail server but not on her inbox on her PC.  It was established that her email had been hacked and the scammer had set up an 'intercept' and was invoicing clients. 

reideng

theonlywayisup said:

reideng said:

reideng said:

eddddy said:

reideng said:

One of my customers whom we have been dealing with for some time now received our usual email with a word doc. containing our invoice but it had been altered between us sending and them receiving, what had been added was a different sort code and account number. 

Has the customer sent you back the modified word doc?

TBH, I'd be amazed if a scammer was this stupid - but if you have the modified doc, maybe look at "Last Modified By" and "Last Modified" date and time for the doc to see if it shows anything useful.

(Depending on your version of Word this info might be under 'File>Info')

Yes they sent it back to us and I checked it and found it had been modified buy "a windows user" He was kind enough to leave his bank details which led us to Prepaysolutions.com who are looking into this,  thank you for taking the time to comment

Also forgot to mention that for a few days after this happened this customer only( and no one else), was unable to send emails to us, they just did not arrive in our in box

A friend had similar.  She has a business and her client was emailed (from the bonafide email address) with a quickbooks invoice with altered bank details.  There was also a trail of conversations to/from said client and the scammer but none appeared in her mail.

Log in to your mail provider (hers was Ionos) and check the rules that have been set up.  Hers had a rule for mail from x client to go to a forwarding email address and the replies to be filed in a notes folder.  All of this was visible on the mail server but not on her inbox on her PC.  It was established that her email had been hacked and the scammer had set up an 'intercept' and was invoicing clients. 

Thanks I will check this out by the way our client uses Quickbooks and as you say an intercept must have been set up