Man-in-the-mail Fraud

11 April 2021
Thom Dieben
Over the last couple of months, we have been working on various cases of so-called “man-in-the-middle” or “man-in-the-mail” (MITM) e-mail/invoice fraud.

MITM fraud: prevention is better than the cure

The phenomenon has existed for quite a while now (mostly abroad) and in various forms, but fraudsters have apparently now set their sights on the Netherlands to launder the proceeds of this lucrative type of fraud. The cases we have seen are probably just the tip of the iceberg. All the more reason to zoom in on this type of fraud. What is it? How can it be prevented? And what should you do if you have become a victim?

What is it?

MITM e-mail/invoice fraud comes in various shapes and forms, but the outcome is always the same: payment of an invoice is made to a party other than the intended one. How did this happen in the cases we are now seeing? Imagine that parties A and B do business together and have been corresponding about the payment of A’s invoice to B. At some point, hackers manage to obtain access to this e-mail correspondence (the methods by which they do so vary and will not be discussed further here; spear-phishing, spoofing and inside jobs are common). Having obtained access, the hackers often monitor the correspondence for some time to learn more about the parties and who needs to pay whom. Once they know how the business relationship works, they take over the communication on behalf of one of the parties, using a slightly modified e-mail address. Usually there is just a single letter of difference, which makes the fraud very difficult to spot. For example: becomes (both e-mail addresses look identical, but in the latter the “l” in fraudulent has become a capital i).
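As an added illustration (not part of the original article) of how a mailbox rule or mail gateway could catch the single-character swap described above, the check below folds confusable characters before comparing a sender against the contact list; the contact list and sender addresses are constructed.

```python
"""Flag a sender that looks like a known contact but is not identical to it.

Added example, not from the original article. Folds characters that render
alike in common e-mail fonts (the article's case: lowercase "l" replaced by
capital "I") before comparing a sender against the contact list, so a
near-duplicate is flagged instead of being accepted as the real counterparty.
"""
from typing import Iterable, Optional, Tuple

# Confusable characters, each folded to a single canonical form. The I -> l
# entry is the swap described in the article; the others are common variants.
CONFUSABLES = str.maketrans({
    "I": "l",  # capital i looks like lowercase L in sans-serif fonts
    "1": "l",  # digit one
    "0": "o",  # digit zero
    "5": "s",
    "3": "e",
})


def skeleton(address: str) -> str:
    """Canonical form of an address for lookalike comparison."""
    # Fold confusables before lower-casing: lower() would turn "I" into "i".
    folded = address.strip().translate(CONFUSABLES).lower()
    # "rn" renders like "m" in narrow fonts, so fold that pair as well.
    return folded.replace("rn", "m")


def classify_sender(sender: str, contacts: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return ("known", contact) on an exact (case-insensitive) match,
    ("lookalike", contact) if it only matches after confusable folding,
    and ("unknown", None) if it matches nothing in the contact list."""
    sender_exact = sender.strip().lower()
    sender_skel = skeleton(sender)
    lookalike = None
    for contact in contacts:
        if contact.strip().lower() == sender_exact:
            return "known", contact
        if lookalike is None and skeleton(contact) == sender_skel:
            lookalike = contact
    return ("lookalike", lookalike) if lookalike is not None else ("unknown", None)


# Constructed sample contact list and incoming senders (not real addresses).
CONTACTS = ["invoices@example-supplier.com", "alice@example.com"]

if __name__ == "__main__":
    for sender in ["invoices@example-supplier.com",   # genuine
                   "invoices@exampIe-supplier.com",   # capital I for lowercase l
                   "a1ice@example.com",               # digit 1 for lowercase l
                   "mallory@example.net"]:            # unrelated to any contact
        print(f"{sender:32} -> {classify_sender(sender, CONTACTS)}")
```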

Now that the hackers are actively part of the e-mail conversation, they ask for the payment of an existing invoice to be made to a different bank account than usual (for example, because the company has allegedly changed banks). Sometimes an invoice (or payment reminder) is forged to include the new bank account. Having had access to genuine e-mail correspondence, the hackers are able to use the same e-mail signature, stamps, stationery, etc., and they often also mimic the language and style normally used by the party they claim to be. For this reason, the bank account change or fake invoice is often processed without further questions.

Whatever the method, the new bank account is not in the name of party A or B but party C. Usually, party C is a “money mule”, i.e. someone specifically recruited by the fraudsters to receive and immediately transfer the money onwards. Criminals like to use money mules to help launder proceeds derived from online scams and frauds since they add layers of distance between the crime victims and themselves, which makes it harder for law enforcement to accurately trace money trails.

What we see in the recent cases we have been working on is that the bank account of the “money mule” (party C) is held with a Dutch bank, even though none of the parties has any link whatsoever with the Netherlands. The reason for this is probably simple: Dutch banks do not (yet) check whether the account holder name given in the wire transfer request matches the actual name of the account holder. So even if the names do not match, the Dutch bank will still process the transfer. The use of Dutch bank accounts in an otherwise international case has another advantage for the fraudsters: it makes the fraud more complex for law enforcement authorities to investigate. All parties involved (A, B and C) are in different countries and thus different jurisdictions. The authorities in each country will have to cooperate by means of Mutual Legal Assistance (MLA) to investigate the fraud, which is time-consuming and complex. Fraudsters know this.

When the fraud is detected, it is often too late. The money has been withdrawn in cash or transferred to bank accounts in other countries. The owner of the bank account turns out to be a “money mule” with few funds to offer financial redress. In the meantime, the counterparty insists on payment of the invoice, as it never received payment.

How to prevent it?

As with any type of fraud, prevention is better than the cure. Here are some ways to mitigate the risk of falling victim to the type of MITM fraud we are now seeing:

  • Take the necessary precautions at the IT level. Various parties offer software and hardware solutions that make this type of fraud much harder to pull off.

  • Don’t use the reply(-all) function; instead, use the e-mail addresses in your own contact list.

  • Be vigilant. Be particularly wary of requests to pay an invoice to a different bank account than usual, of invoice payments that all of a sudden are said to be “particularly urgent”, or of payment methods that otherwise differ from the ordinary.

  • Verify orally (e.g. by phone call) with your contact at the invoicing company whether the bank account has in fact changed. Don’t call the number in the e-mail, as it may have been spoofed as well; use the telephone number on the company’s official website.

  • Check the bank account number. An International Bank Account Number (IBAN) always has the same structure: the first two letters indicate the country where the account is held. For example, a Dutch IBAN has the form “NL 99 BANK 123456789”, where NL stands for the Netherlands. Be extra vigilant when the IBAN shows that the account is not held in the country where your contracting party is based.
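The IBAN check above, as an added example that is not part of the original article: it verifies the standard ISO 13616 mod-97 checksum and compares the country code against the country the counterparty is based in. The two valid IBANs used are widely published example numbers for NL and GB, the third is the article's own schematic form, and the counterparty countries are constructed.

```python
"""Check a counterparty IBAN before paying: structure, checksum and country.

Added example, not from the original article. Implements the ISO 13616
mod-97 check that every IBAN must pass and the country-code comparison the
article recommends. The IBANs below are widely published example numbers for
NL and GB plus the article's schematic "NL 99 BANK 123456789"; the
counterparty countries are constructed for illustration.
"""
import re

# Two-letter country code, two check digits, then 11-30 alphanumerics (BBAN).
# Per-country BBAN lengths are not checked here.
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def normalize_iban(iban: str) -> str:
    """Remove the spaces IBANs are usually printed with and upper-case."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616: move the first four characters to the end, replace letters
    by A=10 ... Z=35 and require the resulting integer to be 1 modulo 97."""
    iban = normalize_iban(iban)
    if not IBAN_RE.match(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def iban_country(iban: str) -> str:
    """ISO 3166 country code in positions 1-2 of the IBAN."""
    return normalize_iban(iban)[:2]


def assess_iban(iban: str, counterparty_country: str) -> str:
    """'invalid' if the IBAN fails structure/checksum, 'country-mismatch' if
    the account is held outside the counterparty's country, else 'ok'."""
    if not iban_checksum_ok(iban):
        return "invalid"
    if iban_country(iban) != counterparty_country.strip().upper():
        return "country-mismatch"
    return "ok"


if __name__ == "__main__":
    # A supplier based in Germany suddenly asks to be paid to a Dutch account:
    # structurally valid, but the country does not match the counterparty.
    print(assess_iban("NL91 ABNA 0417 1643 00", "DE"))      # country-mismatch
    print(assess_iban("GB82 WEST 1234 5698 7654 32", "GB"))  # ok
    print(assess_iban("NL 99 BANK 123456789", "NL"))         # invalid (schematic)
```

The article's schematic example fails the checksum, which is exactly what this check is for: a number that only looks like an IBAN, or whose country does not match the counterparty, should stop the payment until verified by phone.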

What to do if you have become a victim of this type of fraud?

  • Always contact all banks involved in the transaction immediately, inform them of the fraud and ask them to reverse the transaction if possible and, if not, to freeze the (remaining) funds on the Dutch bank account. It is not uncommon for the Dutch bank to have already (partially) halted further transactions because they do not fit the account holder’s transaction profile, and for the client to have been asked for clarification. If the bank receives a report of fraud during this period, chances are that the account and funds will remain frozen for longer, until the authorities get involved and/or you put civil-law asset recovery measures (e.g. prejudgment attachment) in place.

  • File a criminal complaint, preferably in all relevant jurisdictions but in any case in the Netherlands. The Dutch authorities will at a minimum investigate the Dutch account holder, giving you some idea of whether the money is still there and, if not, where it went. Furthermore, Dutch banks are very reluctant to share information with you without a formal criminal complaint; a criminal complaint will therefore also be the starting point of any asset recovery discussion with the bank. Finally, “money mules” are in almost all cases liable for some, if not all, of the damages you have suffered. If the amount involved is smaller, they may offer (some) financial redress. Dutch criminal law provides a low-cost and easy process for joining a criminal case as a civil party.

  • Where necessary, seek legal advice on whether you are still obliged to pay the invoice to the invoicing party, whether you have a claim against others involved (incl. the banks), etc. Depending on the law applicable to the underlying contract and the circumstances of the case (e.g. did the hack take place on your end or at the invoicing party?), the (case) law may be on your side.
