Another Dutch exporter scammed using a fake e-mail address

Business umbrella organisation evofenedex has again reported that a Dutch exporter has been scammed by typosquatters: fraudsters who register domain names that look very like brand names. Last year, we highlighted the case of Joris Snelten, CEO of Delta Wines. Delta lost thousands of euros after falling for a scam involving e-mails from a lookalike domain.

Although few stories make it into the media, identity fraud is an ongoing problem in the B2B sector. Embarrassment and the fear of image damage leads many victims to keep incidents quiet. But there's also a desire to sound the alarm, so that others don't get caught out by similar tricks. A defrauded exporter has therefore chosen to share their story anonymously through evofenedex. The company in question produces and exports horticultural fertiliser to more than ninety countries. Their troubles began when a Turkish agent forwarded a purchase order from a UK customer.

Blue-chip company asks to do business

In the words of the exporter's managing director, "It looked like a valuable order from a respected multinational. They wanted eight full containers shipped to a subsidiary in Uganda. We exchanged correspondence, and everything seemed to be going smoothly. We weren't suspicious, partly because the people at the other end clearly understood the market." After the bank and credit insurer had given the deal the okay, the exporter went ahead and shipped the containers. "A colleague happened to be near the multinational's head office in the UK at about the time the shipment was made. So he decided to call in to talk about the possibility of follow-up orders. That's when it came to light that the multinational knew nothing about the deal. They told my colleague that they'd never placed an order with us and had never heard of our contact."

Alarm bells ring

Naturally, the news set alarm bells ringing at the export company. The order correspondence was carefully re-examined. All contact had been with the same people at the UK company. No mail had been received from other departments, such as Finance or Purchasing. Suddenly, someone noticed: the e-mail domain used by their contact wasn't quite right. The name had one letter different from the multinational's real domain. Fortunately, the fraud was detected just in time to prevent five of the eight containers being delivered. However, the other three were worth the small matter of a hundred thousand euros.

On-line identity verification

Eshter Makaay

Other evofenedex-affiliated companies have had similar experiences. And the use of a lookalike e-mail address to gain the victim's confidence is a recurring theme of the scams. In the electronic business world, there is clearly a real need for a reliable way of verifying a new contact's identity. Is your prospective customer really who they say they are? Esther Makaay, e-identity specialist at Connectis, explains, "In the Netherlands, there's currently only one eID system capable of confirming the identity of a company or other organisation. And that's eHerkenning. With eHerkenning, you can do business with other companies and with government bodies. Unfortunately, even eHerkenning wouldn't have protected this particular exporter, because there is no comparable system in the UK. Some other countries do have systems like ours, but not many."

The future

At the European level, the eIDAS Directive is due to come into effect on 29 September 2018. All public bodies and private companies with public functions will have to support all EU-accredited log-in systems for on-line service delivery. That requirement will apply to Dutch service providers that use DigiD and eHerkenning. The aim of the directive is to make it safer and easier to do on-line business across Europe. Organisations with no public role will also be able to use eIDAS on a voluntary basis.

Caution essential for now

"For the time being, the only thing companies can do is take a cautious approach," says Makaay. "Apparently, the evofenedex-affiliated exporter has been accepting purchase orders by e-mail. Unfortunately, if you do that, you're always vulnerable to fraud, because an eID system is no help if customers don't have to log in or provide a digital signature. Identity verification – or, at least, confirmation that you are dealing with the same known customer – depends on operating a log-in or signing system. Hopefully, that's the way things will work in the future, and there won't be nearly as much fraud."

Want to know more?

Connectis has developed a useful website devoted to eIDAS.

Comments

  • Monday 25 March 2019

    About SIDN

    Register for IDnext 2019

    Thumb-logo-IDnext

    The number-one digital identities event

    Read more
  • Wednesday 17 April 2019

    DNSSEC

    Trust anchor installation for new root KSK

    Thumb-secure

    Prevent websites becoming unreachable

    Read more
  • Tuesday 23 July 2019

    About SIDN

    Parenting by Barbie?

    Thumb-Barbie-doll-portrait

    AI AI Barbie explores the relationship between parents, children and smart toys

    Read more

Sorry

Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.