FRAUDULENT FUND TRANSFER VIA EMAIL HACKING AND BENEFICIARY ACCOUNT CHANGE

Two nights ago, just before midnight, a friend of mine—an in-house lawyer at a Korean bank (let’s call it Bank K)—sent me an email asking if I could recommend a Vietnamese lawyer to assist one of his clients. The client had fallen victim to a scam involving a fund transfer to a beneficiary account at a Vietnamese bank (let’s call it Bank V).

According to him, based on instructions received via email from their client, Bank K had issued a SWIFT MT103 payment order to transfer USD 1.5 million to a beneficiary account held at Bank V.

Upon receiving the MT103, Bank V noticed that the beneficiary’s address didn’t match the name on the account, so they queried the discrepancy with Bank K.

Bank K forwarded the query to their remitting client, who then confirmed the beneficiary’s address via email.

Bank K relayed the confirmation to Bank V, and Bank V proceeded to credit the beneficiary’s account.

Later, when the real intended beneficiary informed the client that no funds had been received, the client discovered that their email had been hacked.

The scammers had gained access to the client’s email account and altered both the beneficiary’s name and account number in the payment instruction sent to Bank K. The account details were changed to another person’s name and number—an account controlled by the fraudsters.

When Bank K requested address confirmation, the hackers again intercepted the communication and changed the beneficiary’s address to match the fraudulent one already provided.

My friend told me that the remitting client is now looking to hire a Vietnamese lawyer to sue Bank V for opening an account for the fraudster.

Mr. Old Man replied that unfortunately, I don’t know any sharp lawyer to recommend. However, Bank K, being a party to the transaction, should actively support its client in taking urgent steps to prevent the scammers from withdrawing or further transferring the stolen funds. Specifically, Bank K should:

• Authorize the director of its Hanoi branch (which I know exists) to work with Bank V to report the case to Vietnamese police and courts,
• Request a freeze on the fraudulent beneficiary’s account and any accounts that received subsequent transfers (assuming any funds are still there),
• And help the client retain appropriate legal representation to move things forward.

That said, Mr. Old Man also gave a reality check:

1. The chance of recovering the funds is very slim, because once the funds are credited, scammers immediately try to withdraw or transfer the money to other accounts—often before the bank even receives a freeze request from the police or a court order.
2. The chance of the remitting client winning a lawsuit against Bank V—accusing it of opening an account for scammers—is extremely low, if not zero. Fraudsters are not so foolish as to use accounts in their own names. In most fund transfer frauds, scammers either purchase existing accounts or pay people to open new accounts with banks, registering contact information (emails, phone numbers, etc.) provided by the scammers so that they can control and operate the accounts remotely.

LAST BUT NOT LEAST

This case is a textbook example of Funds Transfer Fraud. Here, scammers hacked the client’s email to either issue fake transfer instructions or intercept and manipulate genuine ones—changing the beneficiary details so that they would receive the funds instead. The account holder (the real client) remains unaware until the actual beneficiary reports that they haven’t received the payment.

Email-based fund transfer scams aren’t new. Vietnamese banks regularly warn customers about hackers breaking into email accounts and stealing sensitive data.

Banks have documented cases where clients mistakenly sent money to the wrong beneficiaries due to email hacking. These hackers illegally accessed the emails of clients or business partners and altered the beneficiary information in the attached payment documents. Clients often request help from their banks to recover funds from overseas counterparts, but success is rare, since scammers usually withdraw the money immediately, or because foreign recovery procedures are complex and time-consuming.

These scams target not only individual clients but also businesses.

Banks and companies that accept instructions via email, fax, or other electronic means must implement safeguards to prevent hackers from altering account names and numbers.

There are many preventive measures to combat fund transfer fraud. For instance:

• Enforcing proper KYC to ensure the legitimacy of beneficiary accounts in MT103 messages,
• Verifying that the transfer order is genuine,
• Preventing fraudsters from taking over legitimate accounts or opening new ones using stolen identities or proxies.

Back when Mr. Old Man was still working at the bank, there were cases where businesses had to send payment instructions by fax or email (with originals to follow later). In such cases, I insisted on using a test key arrangement for each transfer order, and would personally call the responsible contact at the client’s company to confirm and verify key details (amount, account number, beneficiary name, etc.).

_________

Mr. Old Man, July 2024

P.S.

(*) Names of the banks have been abbreviated since the case has not yet been publicly disclosed.

(**) In the days of telex-based international banking, a test key was a coded security feature used to authenticate messages and ensure both content integrity and value accuracy. Mr. Old Man was once in charge of this task early in his banking career.