A client of Harney Partners came very close to losing $200,000 to some clever and agile perpetrators. This cautionary tale reminds us that we all must remain vigilant against fraud, especially in these times when many of us are working remotely and standard workflows and communication plans have been altered accordingly.
One of our team members is serving as the Chief Financial Officier (CFO) of a sizeable real estate company with many properties under management. The tenant of multiple properties received an email from someone impersonating the Harney team member and directed the Controller and Accounts Payable Manager to change the bank account information for multiple rent payments. The perpetrator registered the phony domain “harneypartner.com” in the hopes that no one would note the missing “s” in the domain name… and they nearly succeeded.
The Controller was not tipped off by the phony email address, but rather by subtle differences in the fonts used in the email signature. He contacted our team member, as acting CFO, regarding the email and we discovered the phony domain name and email address.
Harney Partners conducted a search of the phony domain and found that it had been registered to an address in a light-industrial area near Toronto, on the very morning the first email appeared.
The impersonators even followed up with the tenant over the next couple of days, asking them to acknowledge the requested change in payment instructions; however, no action was taken and the tenant’s Controller sent an email to the entire accounting department mandating that all changes to financial/banking information must be approved verbally.
The perpetrators then showed they had access to the tenant’s email server and became even craftier in their attack.
A new A/P clerk working for the tenant never received the cautionary email from the Controller mandating verbal confirmation of all changes to financial/banking information, and two days later, she received the same request to change the bank accounts from the imposter. The new A/P clerk, exercising proper diligence, sent an email to her A/P Manager asking for confirmation of the change.
Her A/P Manager replied by email not to make the changes but did not call with those instructions, and the manager’s email never made it the A/P Clerk. Instead, the A/P Clerk received an email from the imposter posing as her boss, the A/P Manager, using a second deceptive domain name similar to the tenant’s actual domain, which was also registered mere moments before the email appeared. This phony email from the imposter A/P Manager approved the change and the A/P Clerk issued payment as instructed. The tenant, not recognizing the problem, took no further action.
A week later, the Harney Partners team member at the real estate company was verifying receipt of ACH rent payments on the due date and found that three anticipated payments totaling $200,000 were missing, so he contacted the tenant. It was then that we determined through immediate investigation that the ACH payments were sent to unknown bank accounts at TD Bank in Toronto.
Fortunately, the fraud was caught early enough that the banks were able to reverse the ACH transactions, and the full $200,000 in total payments was refunded; but within only a matter of hours, this transaction would have been irreversible.
In an odd way, the attempted fraud is a tribute to human ingenuity. The perpetrators not only set up phony domains to impersonate legitimate domains and email addresses but also had sufficient access to intercept and delete emails from the tenant’s servers. They copied specific details, such as signature blocks, in the emails that made their fraudulent messages appear authentic. They were persistent in attacking from multiple avenues and nearly found success.
It is important to remember that robust internal controls are necessary for business and most employees adhere to those controls. In this case, the AP Manager could have prevented the attempt by calling the AP Clerk instead of only replying by email. Although at times these controls may seem a nuisance and may take a little more time, we can assure you that it took much more time to reverse this attempted fraud.
For more information, please contact us.