A fake invoice scam is currently wreaking havoc in our Belgian neighbors. The media in the flat country have reported a series of scams that have sometimes caused victims to lose tens of thousands of euros. The scam is particularly difficult to detect.
Money embezzled and account number changed
It all starts when a couple hires a company to renovate their roof insulation. Once the work is done, the couple receives an invoice by email. So far, nothing seems amiss. They rush to pay the amount of €5,028.31.
Despite the payment, the couple receives a reminder with a €125 surcharge for unpaid invoices a few weeks later. After contacting the contractor who renovated their roof, they realized that the money never arrived in their bank account. The couple then realized that the account number on the digital invoice had been changed. In fact, the money ended up in an unknown bank account, rather than the contractor's. Moreover, the invoice is identical to the version sent by email. The invoice "leaves their house, correct, with two account numbers," and "arrives at my house, with the ING account erased and only one account number," explains the victim of the scam. A similar mishap happened to another Belgian couple, who ordered a new car from a garage. They paid €46,000 by bank transfer after receiving an invoice by email. Here again, the invoice was falsified and the money arrived in another bank account. In both cases, a cybercriminal managed to intercept the email to modify the invoice's contents. One of the couples affected by the scam contacted the police. Federal police officers told them that "people like us received payments of 20,000, 30,000, or 40,000 euros several times a week."
A banking intrusion at the origin of the attack
As Olivier Bogaert, a cybersecurity specialist, explained to our colleagues at Vif, the scam was likely orchestrated by hackers located abroad. To determine their targets, the cybercriminals simply spied on the bank accounts of Belgian citizens. Indeed, the expert indicates that there have been intrusions into the computer systems of banks in Belgium. Once in the system, they searched for interesting information.
The cybercriminals then infiltrate the computer system of a supplier or contractor. Once in the company's mailbox, they change the account number displayed on invoices. This is particularly dangerous and lucrative for hackers. Note that the fake invoice scam also concerns paper documents sent by mail. Here again, criminals can intercept invoices to change the bank account number.
Almost impossible to detect
As ESET's Director of Public Affairs, Benoit Grunemwald, explains, "it is almost impossible to detect a fake invoice with the naked eye or using simple technologies." To "avoid scams, we need to combine human insight, detection tools, and rigorous processes." While "for an individual, the volume of verification can be managed manually, for businesses, verification must necessarily be automated.".
Before making a transfer, we strongly recommend comparing the number on the invoice with the one displayed on the contractor's website or Facebook page. If in doubt, contact the company using a number you already know. The one on the invoice may also have been falsified. If you have already made the transfer, contact your bank immediately.
Source: Le Vif
0 Comments