For those of you who make or accept wire transfer payments, or have clients who do, you might find the details of this fraud scheme of interest (reported by one of our customers who was directly affected by it).

The scam works best within an industry with a few major vendors that are used by many customers, who can reasonably guess who their peers are. And where large wire transfers are the typical payment method. For example, in a real estate market within a particular region, one realty firm can reasonably identify others and guess that many of them use the same escrow vendor. Or in construction, where most major contractors within an area are likely to make large purchases from the same materials suppliers. (Or perhaps in the A-Shell world, where one reseller who pays MicroSabio by wire transfer may be able to identify others who do the same.)

The scammer works for one of the customers, or otherwise obtains access to emails received by their payables department from the target vendor. They then register a domain which is as similar as possible to the target vendor's real domain, perhaps replacing an i with an l, or a 0 with O, adding a dash, etc. Then they open a bank account providing details matching or similar to the target vendors, and using the newly registered domain as the contact. Then, using the vendor's emails as a model, they compose an official-looking email message to all of the likely customers of that vendor, stating that they have changed their bank and giving the new routing information for wire transfers.

Then they just sit back and wait for those customers to order products from the target vendor, get invoiced, and hopefully be foolish enough to wire the payment to the new bank. By the time the vendor starts following up on the late payment, the culprits are long gone with the money.

Typically the email message announcing the new routing address is often poorly composed, oddly punctuated, etc., which should be, and is, an obvious sign, along with the slight change in the email domain, that it is bogus. So most recipients, recognizing these signs, just delete the message, like most of us do with emails from Nigerian princes. The clever part is that it's deliberate: they want the sharper recipients to ignore/delete the message, rather than be uncertain/curious and start making inquiries which might raise some red flags. Instead, they're gambling that a small percentage of recipients are sufficiently distracted, inexperienced, gullible, whatever to fall for it before the target vendor recognizes what's happening and reports the problem to the bank/authorities. And the other clever part is the disconnect in time between when the victim unwittingly updates their wire transfer routing information and when it gets used. (Perhaps long enough to even forget the change having been made.)

There's no iron clad way to prevent it from happening, but if any of you suspect those conditions might apply to your business environment, it might be worth putting a reminder message on your electronic communications to your customers warning them to be a little more vigilant, that the vendor has no intention of making any changes in payment procedures, and in any case to confirm any such proposed changes by contacting the vendor via means independent of the contact information given in the message proposing the change.

Hi,
It is exactly like you described, one of my customers and a customer of them were victims of that scam 3 years ago, their customer paid around 50 thousand Euros thinking they were paying to my customer, fortunately their customer has insurance and recovered the money.
In our case, there was an additional detail, the scammers asked to make the transfer to a different account regarding to a real invoice they had attached in a PDF file.
So, the suspicious was that e-mails were hacked on one of the sides and the first measure was to change all the passwords.
But you're right, besides the apparently trustworthy information on the emails, the lack of accuracy on the message construction should have been a sign but, it wasn't.
Another unbelievable thing was that Loyds Bank in London didn't check any information to open the account for the scammers, all the details (name, address, VAT number) were correct and identifying my customer.
After that, my customer informed all their customers that any change on their bank account must be confirmed by phone.

I remember these were terrible days, I was in the day before to return to Brazil after a period in Portugal precisely to move this customer from their internal server to a Datacenter and, obviously, all the doubts came up if the Datacenter wasn't the culprit