In recent months, I’ve seen a general rise in banking-detail scams. This scam exploits a real relationship between two parties: one party is hacked and the other is notified of a change in bank details. Following such a notification, payments are sent to a fake bank account and the money is lost.
In general, what happens is that one email account, usually in the finance department, is hacked by the attacker. After such a hack, the attacker sends an email to the other party, usually one of the attacked party’s clients, stating that they either have an accounting problem or have changed their bank account, and requests that all new payments be routed to the new account.
This might be done by email spoofing, meaning registering a similar domain (such as BUSlNESS.com instead of BUSINESS.com, or a domain using Unicode characters that resemble Latin letters) and sending a real email from there, or by hacking the legitimate domain’s mail and using that access to send the request, later deleting the incriminating emails.
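As an added example that is not part of the original post, the following check flags sender domains that merely look like a known counterparty’s domain, covering the BUSlNESS.com case (lowercase L for capital I), Cyrillic confusables, punycode and near misses such as a dropped letter. The partner domain list and sender addresses are constructed assumptions; in practice the list would come from the signed agreement.

```python
"""Added example (not from the original post): flag sender domains that only
look like a known counterparty's domain, e.g. BUSlNESS.com (lowercase L
standing in for capital I) or Unicode confusables. The partner domains and
sender addresses below are constructed for illustration."""
import unicodedata
from difflib import SequenceMatcher

# Legitimate partner domains, as recorded in the signed agreement (constructed).
KNOWN_PARTNER_DOMAINS = {"business.com", "supplier-example.com"}

# Characters commonly used to imitate Latin letters; applied after lowercasing.
CONFUSABLES = {
    "l": "i", "1": "i", "|": "i",                 # l, 1 and | pass for capital I
    "0": "o", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а, е, о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",  # Cyrillic р, с, у
}


def skeleton(domain: str) -> str:
    """Reduce a domain to how it looks, so lookalikes collide with the real name."""
    d = domain.strip().lower()
    if "xn--" in d and d.isascii():               # punycode label -> Unicode
        d = d.encode("ascii").decode("idna")
    d = unicodedata.normalize("NFKD", d)          # split accents off base letters
    d = "".join(c for c in d if unicodedata.category(c) != "Mn")
    d = d.replace("rn", "m").replace("vv", "w")   # multi-letter imitations
    return "".join(CONFUSABLES.get(c, c) for c in d)


def classify_sender_domain(sender_domain: str, known=KNOWN_PARTNER_DOMAINS,
                           threshold: float = 0.9) -> str:
    """Return 'known', 'lookalike' or 'unrelated' for a sender's domain."""
    if sender_domain.lower() in {k.lower() for k in known}:
        return "known"
    sk = skeleton(sender_domain)
    known_sk = {skeleton(k) for k in known}
    if sk in known_sk:                            # identical once confusables are folded
        return "lookalike"
    # Near misses such as a dropped or swapped letter.
    best = max(SequenceMatcher(None, sk, k).ratio() for k in known_sk)
    return "lookalike" if best >= threshold else "unrelated"


def classify_sender(address: str) -> str:
    """Classify a full From: address; the domain is everything after the last '@'."""
    return classify_sender_domain(address.rsplit("@", 1)[-1])


if __name__ == "__main__":
    for addr in ["cfo@business.com", "cfo@BUSlNESS.com", "accounts@busin\u0435ss.com",
                 "cfo@busines.com", "info@example.org"]:
        print(f"{addr:30} -> {classify_sender(addr)}")
```

Anything classified as "lookalike" or "unrelated" that announces new bank details is exactly the case the clause below is meant to stop, and should go through the out-of-band verification rather than be acted on.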
These attacks may cost victims millions and are nearly impossible to trace. However, there is one thing you can do to protect yourself: add a simple section to your future agreements with suppliers and clients.
The “Change of Contact and Banking” section is my suggestion. In this section, the banking details appear in the agreement itself, and any change of those details requires either the physical presence of both parties, or a videoconference in which the two parties, who already know each other, can see and hear one another. This adds another layer of security, ensuring that no change of bank details can be made through such a hack.
My suggested wording is: “The parties’ payment and banking details are as stipulated hereinabove. Any change in such details shall be made either via (i) a physical meeting between the CEOs of both parties, which shall be coordinated and videotaped; or (ii) videoconferencing by both CEOs, after their identity has been verified by both parties, where the exchange of details shall be documented as well. Any change of details shall require notification of both parties’ legal departments and a notice period of at least 7 days. Such notice shall suspend all pending payments until such confirmation is made.”
In more sensitive cases, I suggest a stronger double-verification mechanism, which includes both an exchange of cryptographic keys and on-premises identity management solutions.