Another Dutch exporter scammed using a fake e-mail address
Business umbrella organisation evofenedex has again reported that a Dutch exporter has been scammed by typosquatters: fraudsters who register domain names that look very like brand names. Last year, we highlighted the case of Joris Snelten, CEO of Delta Wines. Delta lost thousands of euros after falling for a scam involving e-mails from a lookalike domain.
Although few stories make it into the media, identity fraud is an ongoing problem in the B2B sector. Embarrassment and the fear of image damage leads many victims to keep incidents quiet. But there's also a desire to sound the alarm, so that others don't get caught out by similar tricks. A defrauded exporter has therefore chosen to share their story anonymously through evofenedex. The company in question produces and exports horticultural fertiliser to more than ninety countries. Their troubles began when a Turkish agent forwarded a purchase order from a UK customer.
Blue-chip company asks to do business
In the words of the exporter's managing director, "It looked like a valuable order from a respected multinational. They wanted eight full containers shipped to a subsidiary in Uganda. We exchanged correspondence, and everything seemed to be going smoothly. We weren't suspicious, partly because the people at the other end clearly understood the market." After the bank and credit insurer had given the deal the okay, the exporter went ahead and shipped the containers. "A colleague happened to be near the multinational's head office in the UK at about the time the shipment was made. So he decided to call in to talk about the possibility of follow-up orders. That's when it came to light that the multinational knew nothing about the deal. They told my colleague that they'd never placed an order with us and had never heard of our contact."
Alarm bells ring
Naturally, the news set alarm bells ringing at the export company. The order correspondence was carefully re-examined. All contact had been with the same people at the UK company. No mail had been received from other departments, such as Finance or Purchasing. Suddenly, someone noticed: the e-mail domain used by their contact wasn't quite right. The name had one letter different from the multinational's real domain. Fortunately, the fraud was detected just in time to prevent five of the eight containers being delivered. However, the other three were worth the small matter of a hundred thousand euros.
On-line identity verification
Other evofenedex-affiliated companies have had similar experiences. And the use of a lookalike e-mail address to gain the victim's confidence is a recurring theme of the scams. In the electronic business world, there is clearly a real need for a reliable way of verifying a new contact's identity. Is your prospective customer really who they say they are? Esther Makaay, e-identity specialist at Connectis, explains, "In the Netherlands, there's currently only one eID system capable of confirming the identity of a company or other organisation. And that's eHerkenning. With eHerkenning, you can do business with other companies and with government bodies. Unfortunately, even eHerkenning wouldn't have protected this particular exporter, because there is no comparable system in the UK. Some other countries do have systems like ours, but not many."
At the European level, the eIDAS Directive is due to come into effect on 29 September 2018. All public bodies and private companies with public functions will have to support all EU-accredited log-in systems for on-line service delivery. That requirement will apply to Dutch service providers that use DigiD and eHerkenning. The aim of the directive is to make it safer and easier to do on-line business across Europe. Organisations with no public role will also be able to use eIDAS on a voluntary basis.
Caution essential for now
"For the time being, the only thing companies can do is take a cautious approach," says Makaay. "Apparently, the evofenedex-affiliated exporter has been accepting purchase orders by e-mail. Unfortunately, if you do that, you're always vulnerable to fraud, because an eID system is no help if customers don't have to log in or provide a digital signature. Identity verification – or, at least, confirmation that you are dealing with the same known customer – depends on operating a log-in or signing system. Hopefully, that's the way things will work in the future, and there won't be nearly as much fraud."
Want to know more?
Connectis has developed a useful website devoted to eIDAS.