$250,000 in cash, vanished.
Two companies, on two continents, confused and bereft.
How had this happened?
If you are in ecommerce operations —and you source products from overseas or send product orders (POs) via email— then you know that this scenario is the stuff nightmares are made of. Because the money didn’t just disappear randomly. It was taken. Through supply chain cyber fraud.
It all started with a smart process that had a tiny, imperceptible gap right in the middle...
The real incident I’m referring to is still under investigation, so we can’t use any real names. For the purpose of this story, let’s call our merchant “coolluggage.com” and their supplier “Xflight.cn”. Cool Luggage builds custom bags at a plant in China. These bags are then shipped to the US via a freight forwarder. We’ve been working together for a few years now and all communication is done through email and the occasional WhatsApp note.
The system we’ve got in place looks a little something like this. (This system plays a crucial role in the rest of this tale!)
- Cool Luggage sends a PO via email to Xflight.
- Xflight confirms the details back via email, starts production and collects a 30% product down payment. (The majority of vendors in China require that payment be made via wire transfer.)
- When production is complete, Xflight notifies Cool Luggage via email.
- Cool Luggage notifies the freight forwarder so they can arrange pickup and ocean transport to the US.
- The product shipment is picked up for transport.
- The remaining balance of 70% is due, again via wire transfer. (Are you spotting the potential weak link yet?)
- Cool Luggage waits about 30 days for the products to arrive, clear customs and be sent to the warehouse to fulfill their e-commerce orders.
Before “the incident”, these two companies went through these same simple steps every few months with very few issues.
Until the summer of 2020. That’s when a horror began to unfold.
An unexpectedly large order and business as usual...
During the summer of 2020, we put in a large order worth about $250,000 for production. A couple of weeks before the finish date, we received an email from Xflight confirming the finish date and asking for freight booking. We hit “reply all” to the confirmation and included the freight forwarder contacts in our answer.
At that time our contact at Xflight reached out to tell us they had switched banks and asked us to send the wire to their new banking service. As an operations precaution, we never send a large wire without sending a small test wire first, so we updated the wire information and sent the test. A few days later Xflight emailed us: they hadn’t received the wire.
It turned out our bank was blocking it. Delayed payment could cause all sorts of issues so we got on the phone to find out what was going on. It turned out that the payment was held back because our bookkeeper thought it was strange that the new bank had a different company name. Instead of the new name, she used Xflight c/o ABC company and the wire was rejected. Apparently, it needed to just say ABC Company.
(In case you are wondering, yes our bookkeeper had excellent instincts. Something weird was afoot. But because everything had worked out so smoothly in the past, we pushed through with the wire...)
Meanwhile, in a warehouse, far far away...
While we were working on this test wire, the goods were picked up and put on a ship as per step 5. To keep things moving, our CEO sent a message to the CEO of Xflight with concerns about the test wire and change of company name. The message wasn’t answered.
The rest of the shipment moved forward with communication from the original email chain. We changed the name on the wire transfer in order to get the test wire to go through. But our CEO still felt something was wrong, and told Xflight we would not send any wires that were not explicitly addressed to Xflight.
That’s when Xflight sent us new wire information for yet another new account. This time, the account had their name on it. They also sent us a commercial invoice for the shipment, noting the new wire account.
When the shipment was picked up we received notification that the other 70% was due and sent a wire transfer for the rest of the money.
All $250,000 had been wired.
But to whom?
The banks were sensing something...
There was something else: the bank in China was holding the funds for release by the bank in the US. Banks have measures in place when something doesn’t look right and apparently they also noticed something was off. Sadly, we didn’t really know what was going on. We just worked with the banks, showed our commercial invoices and set up the new wire accounts to match. Business as usual, right? Wrong!
At this point, both our bank and bookkeeper and the bank in China felt something was off. Still... the manufacturer assured us that everything was present and accounted for and sent us the documentation to prove clearance. But the CEO of Xflight had still not replied to messages… (I tell you, something about that kept worrying us…)
Throughout the whole affair, the account rep for Xflight was attentive and communicative. She assured us that everything was good. A few weeks later, the shipment arrived in the US, got inspected, cleared customs with no issues and moved on to the warehouse…
And that’s when the truth of this story began to unfold.
“Where’s the payment for the products we sent you?”
A few days after the shipment arrived, we received a message on WhatsApp from our manufacturer asking where payment was.
They had not received any payment on the order. Zero. Zilch.
We checked the bank to see if the wire went through. (It had.) After a number of WhatsApp notes and emails, all of us felt increasingly confused.
That’s when our CEO — who in addition to being a great businessman was also a pretty great detective— started digging deeper to figure out what happened.
He started with the banks. All of that information looked ok.
Next, he looked through all the documents to figure out where things went wrong. He kept coming back to the bank name change for the first wire transfer. When he followed that back to the email from Xflight noting the change in banking, he noticed that our contact email@example.com had sent him an email from firstname.lastname@example.org. Further, that address had been inserted as the “reply to” address in the mid-production email noting the shipment ready date (step 3).
Someone had gotten into the email servers for our manufacturer and hijacked the communication string at the exact point where money would start to be transferred. (They’d waited just long enough so that the product would still be delivered and we wouldn’t catch on until it was too late.)
The relationship between cyber fraud and timing
The entire key to this cyber fraud game was timing. We wouldn’t pay until goods were released, and the manufacturer wouldn’t release them for pickup to anyone but our agents, so the fraudsters knew the timing for this very sophisticated game they were playing.
During the course of a later investigation, it was determined that they also bought a domain that looked a lot like ours: coollluggage.com (note how the extra “l” blends with the other two) and were communicating with the manufacturer as our CEO, including using our logo in the footer of their emails.
Both domains used in this fraud were so close to the original that when you were just replying to an email, you wouldn’t really notice the change. That’s exactly what they were counting on. Logos and signatures were all duplicated. At a glance, everything looked in order. And so as the fraudsters were emailing us to give us new banking information and to get the wires cleared, they were also replying to the manufacturer masquerading as us and asking for more time to pay.
This was another key piece of the scheme: it kept Xflight from holding the shipment at customs for nonpayment, which would have exposed the fraud before the wires had cleared.
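As an added example (not from the original post or from either company involved), the following Python check applies the lesson of the two paragraphs above: it parses a supplier email's From and Reply-To headers, flags any domain that is not on an assumed allow-list of known supplier domains, reports lookalikes that sit within a letter or two of a trusted domain (the coollluggage.com pattern), and warns when Reply-To quietly points somewhere other than From. The allow-list, the sample message and the lookalike domain xfllight.cn are all constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed allow-list of known-good domains (the story's stand-in names, not real orgs).
TRUSTED_DOMAINS = {"xflight.cn", "coolluggage.com"}

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance; an inserted or swapped letter is 1 edit away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain this untrusted one imitates (within 2 edits), else ''."""
    if domain in TRUSTED_DOMAINS:
        return ""
    return next((t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2), "")

def check_message(raw):
    """Warnings: untrusted/lookalike From or Reply-To domains, and a diverted Reply-To."""
    msg = message_from_string(raw)
    warnings, doms = [], {}
    for header in ("From", "Reply-To"):
        doms[header] = {domain_of(a) for _, a in getaddresses(msg.get_all(header, []))}
        for d in doms[header] - TRUSTED_DOMAINS:
            hit = lookalike_of(d)
            warnings.append(f"{header} domain {d} looks like trusted {hit}" if hit
                            else f"{header} domain {d} is not a known supplier domain")
    if doms["Reply-To"] and doms["Reply-To"] != doms["From"]:
        warnings.append("Reply-To domain differs from From: replies are being diverted")
    return warnings

# Constructed sample: From is the real supplier, Reply-To is a one-letter lookalike.
SAMPLE = """From: Account Rep <rep@xflight.cn>
Reply-To: Account Rep <rep@xfllight.cn>

Goods are ready. Please wire the balance to our new account.
"""

if __name__ == "__main__":
    print(*check_message(SAMPLE), sep="\n")
```

The Reply-To header is the one the mail client silently uses when you hit reply, so it deserves the same scrutiny as From.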
What happens now?
It’s hard to describe just how devastating this loss felt. A moment of well-meaning inattention had cost a quarter million dollars.
Just imagine what that feels like.
But this wasn’t the end. After we realized this was fraud, all the documentation was turned over to international investigators. Since the fraud occurred crossing US, Chinese and Malaysian borders, no single country’s entity was in charge of the investigation. This made everything even more complicated: to even stand a chance, we’d need three international government departments to cooperate. (That’s a hard enough task to do within the same country!)
So where does this leave us? According to the bank, the money is gone. The manufacturer is out the payment for the order. Everybody’s angry, frustrated, downright sad. Well… Everyone except for the fraudsters who now have a quarter of a million dollars. (Of course, we hope that Interpol is closing in on them as we speak.)
All this raises the big question: How do you prevent any of this from ever happening to you?
Seven steps you should take right now to protect yourself against supply chain fraud
Learn from our errors in judgement and follow these seven steps:
- Pay special attention to email addresses. If you communicate via email, never hit “reply all”: you never know what addresses could be hiding in there. Instead, always type the email addresses in fresh.
- Invest in a good spam blocker for your domain and your email systems. This will help filter out some of the fraudulent emails.
- Encrypt your messages.
- Practice constant vigilance. If something seems “off”, call, text or WhatsApp your manufacturer (outside of email servers). Reach out to them via a method fraudsters wouldn’t know about.
- Keep alternative means of contact. Always have contact information for your key suppliers outside of their primary email. This can be their phone number, an alternative (verified!) email address or even their LinkedIn or Facebook account.
- If a manufacturer changes banking information, call someone at the company and verify what’s going on. Don’t make any assumptions about the change. Making a change is not uncommon, but getting confirmation from someone that the change is legitimate is vital.
- Invest in a closed loop system for the supply chain. If you’re using an ERP, that system likely already sends the POs but what about the rest of the communication? The hijackers could have inserted themselves in the situation even with an ERP sending the POs.
There will always be bad actors out there whose entire reason for being is to find new creative ways to steal your money. Being vigilant can help you protect your money and your supply chain communication.
But what do I do if the worst happens and I think I’m a victim of supply chain fraud?
If you think you’re in a similar situation to the one we found ourselves in, take the following steps:
- Take immediate steps to identify and isolate the source of the attack. Go through all past communication and work to identify where things may have gone wrong. (Just like our CEO did by spotting the discrepancy in email addresses.)
- Immediately limit access to all data. The fewer people who can access it right now, the better.
- Notify authorities immediately. Tell them of the nature and severity of the attack.
- Notify your bank. Make sure your account is secure and work with your bank to add any extra security measures or precautions.
- When appropriate, notify other potentially affected suppliers. Remember: the fraudsters were pretending to be us to the manufacturer and pretending to be the manufacturer to us. So warn everyone that may need to know.
- Follow the disaster recovery and risk communication plan. Make sure all the steps are implemented. (Don’t have a plan? Put one in place right now.)
- If appropriate, and with your prior written approval, notify the appropriate Cyber Crime Division. The FBI Cyber Crime unit only covers fraud inside US borders but, depending on your situation, you may want to involve them.
- Immediately validate that all firewall and anti-virus software is updated to the latest release.
While you can’t guarantee that a cyber attack will not occur within your supply chain, a well-managed supply chain can make it more difficult for an attack to succeed. The actions outlined here can assist you in preparing to respond to such a risk when and if it occurs.