24 February 2014

Cyberspace November 2013

Having just finished International Business Transactions in my LLM course I’ve been looking at the practical methods of transacting overseas compared with the theory. Paying for goods and supplying goods using documentary letters of credit seems a pretty sensible, if cumbersome way of doing business with someone who you don’t yet trust. Once you do have a clearly good business relationship then you can dispense with all that and just use email and direct bank transfers. Or can you?

In Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239 (27 September 2013) the Supreme Court of Queenland considered this very problem. Fencing had been purchasing fencing supplies from Kong for a time, and all was going well. Orders and invoices were exchanged by email, and payments were made by SWIFT transfer to the supplier’s bank in Hong Kong. Kong’s employee’s email address was junfumetal@yahoo.cn, but later emails arrived from junfu.metal@yahoo.cn. Fencing used the address glenn@fdfefencing.com.au, but after a time emails came from glenn.fdfencing@ymail.com. In each case the latter address turned out to be a fraudster impersonating both parties.

The fraudster emailed Fencing from the fraudulent address, giving him a bull story about why the banking details needed to be changed. The address was such that it wasn’t obvious it was a different address, and the tone of the email (despite having some clear warning signs) was more or less in keeping with previous correspondence. Any reply from Fencing went to the fraudulent address, and the fraudster was able to provide assurances as neccessary. It seems that the fraudster had had access to Kong’s email account, as he clearly had knowledge of the transactions and was able to use similar language to that used in previous correspondence, strengthening the impersonation.

Emails sent by either party were effectively intercepted and modifed before being on-sent with details to effect the fraud. This man-in-the-middle scam requires some skill and luck, but can only occur if at least one of the parties’ email account is compromised so that the requisite knowledge can be gained.  Perhaps unsurprsingly, the forensic expert found that the IP addresses shown were allocated to Nigerian entities, although the court noted that these can be spoofed as well, so the emails could have originated in China.

Kong shipped the goods and Fencing paid into the fraudulent bank account, but when Kong didn’t receive payment it refused to authorise the release of the goods to Fencing, and the fraud came to light. The purchaser had paid on fraudulent invoices into the fraudster’s account. The court held that the vendor was not liable to the purchaser.

There are lessons to be learned here.  Don’t use a public email domain like Gmail or Yahoo. It’s neither hard nor expensive to get your own domain. Remember that Gmail differs from Yahoo in that bill.bloggs is the same as billbloggs with Gmail, whereas at Yahoo they are different addresses. Yahoo also now recycles abandoned email addresses, which makes impersonation much more likely  You might consider not including your name in the “from” address - only the actual email address is transmitted and a change will be obvious.  Confirm critical changes by two methods. Ask for confirmation via fax or over the phone. Each of those could be fraudulent as well, but getting it “right” twice is less likely than getting it right once.  Don’t “reply” to an email if you’re not positive about the sender. Create a new email from your own address book (but watch out for systems that auto-add addresses as soon as you receive an email).