It's not chicken feed: Million-dollar meal deal for livestock sabotaged by hackers... and, er, exchange rates

Six-week investigation delay shrank payment by 13%


A $1.2m shipment of livestock feed went awry when "hackers" intercepted and tweaked emails with payment details, eventually costing the cheeky buyers an extra $161,000 after exchange rates moved during the legal fallout.

The sunflower meal traders ended up in dispute when the buyers refused to pay a shortfall caused by forex rates moving after unnamed hackers allegedly forged vital payment emails. The amount of time it took to figure out what had happened – less than a month – was enough to leave the sellers with a 13 per cent shortfall on the purchase price, which had been unintentionally converted from dollars to sterling and back again thanks to the email forgery.

Although neither firm was named, arguments about payment for the $1,167,900 of meal ended up being dragged through both private arbitration and the public court. Company "K", the buyer, cheekily claimed it had fulfilled its end of the sale contract by sending payment to the sellers' bank – even though it actually landed in the hackers' account.

It is a strange tale, and one that shows the effects of a business email compromise attack. The facts stated below are all from Mr Justice Popplewell's High Court judgment.

Emailed plaintext invoices? Well, it was a few years ago

Firm "A", the sellers, agreed to sell K the $1.2m meal cargo in 2015, loading it aboard the Palau-flagged general cargo ship MV Sea Commander (IMO number 8203660; not the Polish-registered bulk carrier of the same name).

All seemed to be going routinely: A invoiced K on 2 November 2015, telling the buyers to send their cash payment to a Citibank account in New York, complete with a SWIFT number and a payment reference. That invoice was forwarded through agricultural goods broker Vicorus at 15:05 CST the same day.

K, however, denied in court that it received the email forwarded by Vicorus. Instead, said K, it received a forwarded invoice at 15:50 CST, appearing to come from Vicorus, with payment details for a London branch of Citibank. This, it was said, was the hackers' doing.

Some routine to-ing and fro-ing was intercepted as well, with a second invoice in which the date had been corrected and which "contained payment instructions for remittance via Citibank NA's New York branch in favour of Citibank NA at its London branch", ruled Mr Justice Popplewell, who added that the new reference number included the string "sheikmancons".

Having been hoodwinked by whoever was tampering with the emails, K paid the fake account. A SWIFT confirmation was, it was said, also intercepted and tampered with (sent at 20:16 CST on 5 November 2015 with one set of details; received at 20:28 CST with another set of details) to falsely show that the money had gone to the right account.

Exchange rate malarkey

The London account was held in the name of Ecobank, which the judge emphasised had not committed any "fraud or wrongdoing" itself. Being received into a London bank account, albeit the wrong one, the USD sum had been converted into sterling on arrival. This turned the $1,167,900 into £768,372.45.

A and K eventually agreed to ask the various banks to move the fraudulently obtained cash into A's rightful account. Ecobank, however, "approved the debit from their account of £674,831.46", which Citibank explained was a smaller sum because the pound-dollar exchange rate had moved in the 20 days that passed while everyone figured out what had happened. The money was withdrawn from Ecobank's account on 24 November and eventually made its way into A's account on 18 December. What landed was $1,006,253.07, around $161,000 short of the original payment for the sunflower meal, which the bank put down to exchange rates again. Aggrieved at the shortfall, A took K to arbitration, demanding the remainder of its $1.2m.

Having lost both the arbitration and an appeal, all heard in private, K appealed again to the High Court, arguing that under their contract "the obligation was only to pay the price to the seller's bank, who were the seller's agent to receive payment".

"Of course," said Mr Justice Popplewell, "a payment to a bank account is not strictly speaking a payment to the payee. The relationship between a bank and its customer is that of debtor and creditor, and the payment itself is to the bank not the customer as such."

The judge added, however: "It is commercially impossible to transfer funds to a bank which are intended for the benefit of a customer without identifying the beneficiary and the destination account by branch and account name and number."

K lost its appeal, though Mr Justice Popplewell sent one legal point of argument back to the arbitrators to sort out. ®
