$250,000 in cash, vanished.
Two companies, on two continents, confused and bereft.
How did this happen?
If you are in ecommerce operations, and you source products from overseas or send purchase orders (POs) via email, then you know that this scenario is the stuff nightmares are made of. The money didn't just disappear at random. It was taken, through supply chain cyber fraud.
But before we get into the painful lessons of cyber fraud —and into the vital topic of fraud prevention— let’s start at the beginning.
The real incident I’m referring to is still under investigation, so we can’t use any real names. For the purpose of this story, let’s call our merchant “coolluggage.com” and their supplier “Xflight.cn”. Cool Luggage builds custom bags at a plant in China. These bags are then shipped to the US via a freight forwarder. We’ve been working together for a few years now and all communication is done through email and the occasional WhatsApp note.
The process we had in place looks something like this. (This plays a crucial role in the rest of this tale!)
Before “the incident”, these two companies went through these same simple steps every few months with very few issues.
Until the summer of 2020. That’s when a horror began to unfold.
During the summer of 2020, we put in a large order worth about $250,000 for production. A couple of weeks before the finish date, we received an email from Xflight confirming the finish date and asking for freight booking. We hit “reply all” to the confirmation and included the freight forwarder contacts in our answer.
At that time our contact at Xflight reached out to tell us they had switched banks and asked us to send the wire to their new bank account. As an operations precaution, we never send a large wire without sending a small test wire first, so we updated the wire information and sent the test. A few days later Xflight emailed us: they hadn't received the wire.
It turned out our bank was blocking it. A delayed payment could cause all sorts of issues, so we got on the phone to find out what was going on. We learned that the payment was held back because our bookkeeper thought it was strange that the new bank account carried a different company name. Instead of the new name alone, she had entered the beneficiary as "Xflight c/o ABC Company", and the wire was rejected. Apparently, it needed to say just "ABC Company".
(In case you are wondering, yes our bookkeeper had excellent instincts. Something weird was afoot. But because everything had worked out so smoothly in the past, we pushed through with the wire…)
While we were working on this test wire, the goods were picked up and put on a ship as per step 5. To keep things moving, our CEO sent a message to the CEO of Xflight with concerns about the test wire and change of company name. The message wasn’t answered.
The rest of the shipment moved forward with communication from the original email chain. We changed the name on the wire transfer in order to get the test wire to go through. But our CEO still felt something was wrong, and told Xflight we would not send any wires that were not explicitly addressed to Xflight.
That’s when Xflight sent us new wire information for yet another new account. This time, the account had their name on it. They also sent us a commercial invoice for the shipment, noting the new wire account.
When the shipment was picked up, we received notification that the remaining 70% was due and sent a wire transfer for the rest of the money.
All $250,000 had been wired. But to whom?
There was something else: the bank in China was holding the funds for release by the bank in the US. Banks have measures in place when something doesn’t look right and apparently they also noticed something was off. Sadly, we didn’t really know what was going on. We just worked with the banks, showed our commercial invoices and set up the new wire accounts to match. Business as usual, right? Wrong!
At this point, our bank, bookkeeper and the bank in China all felt something was off. Still… the manufacturer assured us that everything was present and accounted for and sent us the documentation to prove clearance. But the CEO of Xflight had still not replied to messages… (I tell you, something about that kept worrying us…)
Throughout the whole affair, the account rep for Xflight was attentive and communicative. She assured us that everything was good. A few weeks later, the shipment arrived in the US, got inspected, cleared customs with no issues and moved on to the warehouse…
And that’s when the truth of this story began to unfold.
A few days after the shipment arrived, we received a message on WhatsApp from our manufacturer asking where their payment was.
They had not received any payment on the order. Zero. Zilch.
We checked the bank to see if the wire went through. (It had.) After a number of WhatsApp notes and emails, all of us felt increasingly confused.
That's when our CEO (who, in addition to being a great businessman, is also a pretty great detective) started digging deeper to figure out what happened.
He started with the banks. All of that information looked ok.
Next, he looked through all the documents to figure out where things went wrong. He kept coming back to the bank name change for the first wire transfer. When he followed that back to the email from Xflight announcing the change in banking, he noticed that the message from our contact (normally email@example.com) had actually come from a different address, firstname.lastname@example.org. That address had been inserted as the "reply-to" address on the mid-production email announcing the shipment-ready date (step 3), so every reply in the thread from that point on went to the impostor.
Someone had gotten into our manufacturer's email and hijacked the thread at the exact point where money would start to be transferred. They'd waited just long enough that the product would still be delivered and we wouldn't catch on until it was too late.
The entire key to this cyber fraud game was timing. We wouldn’t pay until goods were released, and the manufacturer wouldn’t release them for pickup to anyone but our agents, so the fraudsters knew the timing for this very sophisticated game they were playing.
During the course of a later investigation, it was determined that they also bought a domain that looked a lot like ours: coollluggage.com (note just the extra “l” blends with the other two) and were communicating with the manufacturer as our CEO, including using our logo in the footer of their emails.
Both domains used in this fraud were so close to the original that when you were just replying to an email, you wouldn’t really notice the change. That’s exactly what they were counting on. Logos and signatures were all duplicated. At a glance, everything looked in order. And so as the fraudsters were emailing us to give us new banking information and get the wires cleared, they were also replying to the manufacturer masquerading as us and asking for more time to pay.
This was another key piece of their fraud scheme to avoid Xflight holding the shipment at customs for nonpayment and exposing themselves before the wires had cleared.
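Both tricks described above, a reply-to address that silently redirects the thread and a domain one letter away from the real one, are visible in the message headers before any money moves. The script below is an added example, not code from the original post or from either company; it assumes a list of trusted partner domains (using the story's stand-in names coolluggage.com and xflight.cn), an edit-distance threshold of two, and three constructed sample messages. It flags any Reply-To domain that differs from the From domain, and any From or Reply-To domain that is within a couple of edits of a trusted domain without being one.

```python
"""Flag hijacked reply-to addresses and lookalike sender domains.

Added example, not code from the original post. TRUSTED_DOMAINS uses the
stand-in names from the story; the sample messages are constructed here.
"""
from email import message_from_string
from email.utils import parseaddr

# Domains we actually do business with (assumed list, from the story's stand-in names).
TRUSTED_DOMAINS = ("coolluggage.com", "xflight.cn")

# Maximum edit distance at which a domain is treated as a lookalike (assumption).
LOOKALIKE_MAX_EDITS = 2


def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= LOOKALIKE_MAX_EDITS:
            return trusted
    return None


def check_message(raw):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # A Reply-To pointing somewhere other than the sender's domain is how a
    # thread gets redirected to the attacker while the From line still looks right.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom)
        if target:
            findings.append(f"{label} domain {dom} looks like trusted domain {target}")
    return findings


# Constructed sample messages (headers only; not real mail from either company).
LEGIT = """From: Xflight Orders <orders@xflight.cn>
To: ops@coolluggage.com
Subject: Finish date confirmed

Goods will be ready on the agreed date.
"""

HIJACKED = """From: Xflight Orders <orders@xflight.cn>
Reply-To: Xflight Orders <orders@xflght.cn>
To: ops@coolluggage.com
Subject: Finish date confirmed

Please book freight. Note our new bank details attached.
"""

IMPERSONATION = """From: CEO <ceo@coollluggage.com>
To: orders@xflight.cn
Subject: Re: payment

We need a few more days on the wire, sorry for the delay.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("hijacked", HIJACKED), ("impersonation", IMPERSONATION)):
        print(name, check_message(raw) or ["no findings"])
```

A check like this, run on the mid-production message described above, would flag the inserted reply-to address before the first test wire went out. The edit-distance threshold is a judgement call: for short domains it can match unrelated names, so treat a hit as a prompt for a phone call to a number you already have on file, never as proof of fraud on its own, and never as a reason to trust a message that passes.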
It’s hard to describe just how devastating this loss felt. A moment of well-meaning inattention had cost a quarter million dollars.
Just imagine what that feels like.
But this wasn’t the end. After we realized this was fraud, all the documentation was turned over to international investigators. Since the fraud occurred crossing US, Chinese and Malaysian borders, no single country’s entity was in charge of the investigation. This made everything even more complicated: to even stand a chance, we’d need three international government departments to cooperate – a hard enough task to do within the same country!
So where does this leave us? According to the bank, the money is gone. The manufacturer is out the payment for the order. Everybody’s angry, frustrated, downright sad. Well… Everyone except for the fraudsters who now have a quarter of a million dollars. (Of course, we hope that Interpol is closing in on them as we speak.)
All this raises the big question: how do you prevent any of this from ever happening to you?
Learn from our errors in judgement and follow these seven steps:
While these steps don't guarantee prevention, they are a simple way to minimize the chance of going through something like this. (Adding further ops checks, and running them regularly, also helps.)
There will always be bad actors out there whose entire reason for being is to find new creative ways to steal your money. Being vigilant can help you protect both your money and your supply chain communications.
If you think you’re in a similar situation to the one we found ourselves in, take the following steps:
While you can’t guarantee that a cyber attack will not occur within your supply chain, a well-managed supply chain can make it more difficult for an attack to succeed. The actions outlined here can assist you in preparing to respond to such a risk when and if it occurs.
Kathleen Sullivan Garman has been an Ecommerce Operations Leader for 20+ years, helping dozens of companies set up the right backend processes. She’s currently running ecommerce operations at Remaker Labs (the masterminds behind CarryHitch).
As Pipe17’s Ecommerce Operations Advisor, Kathleen provides valuable input to our product team and advises customers on best practices. Kathleen is an avid snow skier and scuba diver and would rather be under the ocean than above it. She volunteers as the executive director of Mended Hearts of Spokane, a cardiac charity.