Vince Tickel is Chair of Academy Group 1 and sits on the Academy’s board of directors. Among his external business interests is Hunter Sourcing, a Hertfordshire-based importer of premium packaging products and promotional items that are developed or designed in the UK and primarily manufactured in China. These might be the sort of luxury packaging boxes, gift bags or tins that fill stores at Christmas, or promotional items produced for a particular campaign or event. Or, as in this case, teddy bears.
While teddy bears weren’t a regular type of order, Vince explains that Hunter was able to fulfil the order for 20,000 bears using a long-standing Chinese supplier that specialises in so-called “plush” goods.
The order process proceeded as normal. The suppler quoted the cost, terms were agreed and manufacturing began. As with all their manufacturing orders, Hunter carried out quality control checks during the manufacturing process and once the production run was complete, they paid the supplier a 10% deposit with the balance – some $70,000 – due on what’s known as a ‘bill of lading’, a standard form of transaction in international trade.
“The bill of lading was emailed from the supplier in China with a note saying that they had changed banks and including the new bank transfer details,” Vince says. “The company name had also changed, but in China this seems to happen quite regularly so it’s wasn’t particularly unusual that might actually happen.
“We sent them an email. They had the bill of lading, the right documents, the right cost – everything has to be attached to these emails. We even emailed them back just to make sure that the change of details was correct and they said it was. So we transferred the balance and waited for our bears.”
Except the good were never shipped because the supplier was never paid. The money Hunter had wired simply disappeared.
Hunter had fallen victim to a sophisticated scam that hinged on the fact that their supplier’s email account had been hacked. The correspondence between the two parties had been intercepted by the criminals, the attachments removed and altered and then sent on to their legitimate destinations. As part of the fraud the supplier declared that they had changed bank accounts and were now with a new bank and requested payment into that account. This was queried on several follow up emails and confirmed as correct. Meanwhile, the manufacturer in China got an email purportedly from Hunter saying that the payment would be made in two weeks.
So the first the company knew about this was when Hunter received an email from their supplier two weeks later saying that they still hadn’t received payment for the order.
“We got back to them and said ‘we’ve already paid you. Here’s all of the correspondence.’ But they came back and said ‘this isn’t an email from us…’”
“You’re sort of left there thinking what on earth could we have done? The money’s gone into this other account and been swept straight back out again.”
“I have to say, looking through the paperwork, I had to stand back and say it was fantastically done. They had set this up like a sting operation. I’ve never come across anything like it before.“
So could it happen to you? As Vince says, we take electronic communication for granted today, but how do we know that an email we receive from a contact or supplier is really from them?
“You think you’re secure, but the people you’re dealing with possibly aren’t,” Vince says. “So it’s all very well a business owner, MD or FD being wise to the potential for fraud, but how many people working for them would even be able to spot something like this? The weak link isn’t the bank end, it’s at the end of who you’re paying.”
To make matters worse, Hunter’s insurance didn’t cover this type of loss – and in any event, Vince has since discovered that any insurance against frauds like this would likely be so full of exclusions and disclaimers as to be worthless.
So the onus is on business owners to protect themselves. At Hunter, that means that any change to a supplier’s details have to be evidenced by two separate pieces of communication, one digital (eg via email) and one by a phone call or another form of physical contact. All new suppliers are also carefully checked and their identities and financial details confirmed.
“It’s like breaking into a house,” says Vince. “You don’t go in through the front door if there’s a broken window at the back. The broken window was our supplier, somebody we had dealt with for a long period of time and trusted. And these scammers sat there, watched and waited.”
“Hunter is a five million pound business,” Vince adds. “It’s operated by experienced, intelligent people. But I read all of the files of all of the emails going backwards and forward and I wouldn’t have spotted it. There was nothing to make you stop and think, ’hold on – have we got this covered?’ And I wouldn’t be surprised if many, many, other businesses haven’t got this one covered either.”
The only thing we now do and I strongly recommend this to everyone is when you have a new supplier to pay or an existing one changes banks do not rely on electronic communication alone pick up the phone and double check.
What about you? Do you KNOW this couldn’t happen to your business? Ask you accounts department what they would do if a supplier says we have changed bank accounts via email …do they accept it because if so this could happen to you.