Fake Letters

One of the ways used by fraudsters to attack the customer is sending fake letters as if from the customer’s business partners.

The fraudsters send e-mails posing as customer’s partners. The sender’s address in such e-mails can resemble the real one, e.g., fake address kiev.office@testdomaln.com instead of kiev.office@testdomain.com (domaln instead of domain, but there can also be ofice instead of office, etc.). The letters contain requests to transfer funds using new details, and if fraudsters have access to information about the customer’s (company’s) transactions, the document can look quite convincing and arousing no suspicion.

Fraudsters typically behave as described below.

  • Fraudsters always have information about the nature of the customer’s and partner’s business because of controlling the correspondence between those. Fraudsters make thorough preparations for entering into correspondence and thus are able to mention the details of actually planned transaction.
  • Fraudsters, posing as representative of the customer’s partner, allege that the manager known to the customer is unavailable, and therefore the customer should engage in correspondence with other person – the name and e-mail address of the fraudster are provided.
  • Fraudsters can send a fake letter from the partner, stating that payment details have been changed. Such letter can bear signatures and seals, and letterhead can even contain actual name of the partner’s company, but beneficiary name provided in the payment details will be different.
  • Fraudsters will make every effort to hustle the customer into making payment to the new details rapidly. When asked about the reasons for changing the partner’s bank details or the country of the partner’s bank, fraudsters can mention a sudden company audit being conducted or accounts being frozen.
  • A payment made using the new details provided by fraudsters can be returned to the bank because of incorrect payment details stated or the destination account being closed. Then fraudsters will quickly provide other details for transferring funds.
  • If the customer inquires whether made payment is credited to the indicated account, fraudsters will stall for time, mentioning reasons for not crediting the funds, which hinder discharge of contractual obligations to the customer. Thus fraudsters gain time, required to withdraw funds from their account, and prevent the customer from becoming suspicious and cancelling the payment.

Sample arguments used by fraudsters to justify change of payment details (beneficiary name, account number, country of the beneficiary bank) are provided below.

  • “We changed the account number due to audit of our current account being performed by our bank. If you make payment to the old account, we will be unable to receive funds.”
  • “We have been informed by our bank that there are some problems concerning our account, and funds temporarily cannot be credited to it. Please address your payments to other account with our intermediary bank and do not use old details, since we will be unable to receive that payment.”
  • “Our account has been changed because our old account is currently under audit due to disputable issues we have with Chinese state authorities on tax matters. Our bank has informed us that we should not receive payments to our old account until audit is completed and disputes are settled. You should suspend making payments to the old account with Chinese bank and use new details of account with Hong Kong bank instead (the ones we sent/will send you).”
  • “Our account has been changed because of starting new reporting year in India. We were instructed by the bank that there were changes made and now we need to use 10-digit account number instead of 14-digit one. The export taxes have also been increased, and we decided to stop using the account with Indian bank. Therefore all payments are now routed to our new intermediary bank/intermediary partner in China.”
  • “Our account is closed because we/our intermediary partner cannot accept the payment due to payment amount restrictions set by the bank.”

Our recommendations

  • Check the sender’s e-mail address using the option “Show details”, “Original message”, etc., depending on your email client.

    Below is a sample fake letter with address line hidden


    and that with details shown


    Note, when details are shown, you can see the sender’s actual address kiev.office@testdomaln.com, instead of kiev.office@testdomain.com that would be expected. When replying to such mail, the reply will be sent to the fraudster’s address — that containing l instead of i. Unfortunately, not all email programs are able to show the sender’s address correctly, and this being the case, the fake address will be left unnoticed. To protect yourself against associated risks, follow our advice given below.
  • If your business partner asks you for changing banking details for payments, call the partner at the phone number known to you to confirm those details.

    Proceed like this also where you have doubts about authenticity of a letter received from the partner.