Hi Mike

A friend of mine unfortunately had a similar case with a Chinese partner firm. The e-mail correspondence was intercepted - I suspected a trojan in the Chinese firm (or simply an employee of that Chinese firm going rogue, who knows...).
The forged mail was exactly as you describe it: The second e-mail stated that the bank account information was changed. However in this case the forged mail clearly came from another e-mail, but it looked very close to the one from the Chinese partner. Unfortunately my friend didn't see it. He asked me to help investigate this as his e-mail account runs on a server I manage and from the mail logs I could show him that the forged mail came from another sender.

Take a look at the mail headers and mail logs of the recipient server (if you can) to verify where the fraud mail came from. Compare the sending servers, the e-mail address itself can be easily changed as you may know.

I am at this moment not aware of the current status of that case but I know police investigation (and also investigations on my friend's Swiss bank) were ongoing.

cheers,
Claudio

On Fri, Oct 7, 2016 at 2:46 PM, Mike Kellenberger <[email protected]> wrote:

> Hi all
>
> I might be slightly off-topic here, because it's not a network issue, but
> it might be of interest to some of you anyway and maybe you've had
> customers which were affected as well.
>
> I don't know if this ploy is new, but after having two customers affected
> within one week, I suspect it is.
>
> The customer receives an e-mail with an invoice from his supplier, which
> he trusts and has worked with in the past. Shortly after this e-mail he
> receives another e-mail from the same sender and in the exact same layout
> stating that the company has a new bank account and that this account
> should be used.
>
> The second e-mail is forged of course. We haven't been able to find out
> where the original mail gets captured (most likely on the supplier's client,
> because in one case, more than one customer of the supplier was affected).
>
> The fraudulent bank account was in UK in both cases, in one case the
> amount was around CHF 6K, where the UK authorities did not get active, in
> the second case it was a 6 digit amount... That case is still ongoing.
>
> The fraudulent bank account was already closed again in both cases when
> the customer realized that his transaction had gone to the wrong account
> (usually after the supplier asked if the money had not been transferred
> yet).
>
> Have you had similar cases?
>
> Regards,
>
> Mike
>
> --
> Mike Kellenberger | Escapenet GmbH
> www.escapenet.ch
> +41 52 235 0700/04
> Skype mikek70atwork
>
> _______________________________________________
> swinog mailing list
> [email protected]
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
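The header comparison suggested in the reply above, as an added example that is not part of the original thread: it compares the relay recorded by the recipient's own server for a known-good message and for a suspect one, and flags a near-identical From domain. Both messages, all host names, the addresses and the 0.8 similarity threshold are constructed assumptions, and the regex covers only Postfix-style `Received` lines.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages: reserved example domains, documentation IPs.
GENUINE = (
    "Received: from mail.supplier.example (mail.supplier.example [192.0.2.10])\n"
    "\tby mx.customer.example with ESMTPS id A1; Mon, 3 Oct 2016 09:12:01 +0200\n"
    "From: Supplier Billing <billing@supplier.example>\n"
    "Subject: Invoice 1001\n\nInvoice attached.\n")
SUSPECT = (
    "Received: from smtp.bulkhost.example (smtp.bulkhost.example [198.51.100.77])\n"
    "\tby mx.customer.example with ESMTP id B2; Mon, 3 Oct 2016 11:40:09 +0200\n"
    "From: Supplier Billing <billing@suppiler.example>\n"
    "Subject: New bank account\n\nPlease use the new account.\n")

# Postfix-style line: "from HELO (rdns [ip]) by receiving-server"
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")

def origin(raw, own_mx):
    """Return the From domain and the relay that our own server recorded."""
    msg = message_from_string(raw)
    addr = parseaddr(msg["From"] or "")[1]
    info = {"from": addr.rpartition("@")[2].lower(),
            "relay_host": None, "relay_ip": None}
    # Trust only the Received line written by our own MX; anything below it
    # was supplied by the sending side and may be forged.
    for line in msg.get_all("Received", []):
        m = RECEIVED_RE.search(line)
        if m and m.group(3).lower() == own_mx:
            info["relay_host"], info["relay_ip"] = m.group(1).lower(), m.group(2)
            break
    return info

def compare(genuine, suspect, own_mx="mx.customer.example"):
    """List the differences between a known-good and a suspect message."""
    g, s = origin(genuine, own_mx), origin(suspect, own_mx)
    findings = []
    if s["relay_ip"] != g["relay_ip"]:
        findings.append(f"relay differs: {g['relay_host']} [{g['relay_ip']}] "
                        f"vs {s['relay_host']} [{s['relay_ip']}]")
    if s["from"] != g["from"]:
        # Similarity threshold is an arbitrary choice for this example.
        close = SequenceMatcher(None, g["from"], s["from"]).ratio() >= 0.8
        findings.append(f"From domain differs: {g['from']} vs {s['from']}"
                        + (" (lookalike)" if close else ""))
    return findings

if __name__ == "__main__":
    print("\n".join(compare(GENUINE, SUSPECT)))
```

The relay shown in the topmost `Received` line can be cross-checked against the receiving server's own mail log entry for the same queue ID.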

