A real-world case of email interception fraud in shipping
This case shows how even an experienced company can become a victim of a classic but highly sophisticated invoice-redirection scam.
Background
An established shipping company with a long operating history chartered a vessel for a project and ordered bunker fuel through a well-known broker.
All communication was done via email, as usual in the industry. The fuel supplier was invoicing through the broker, and there was no direct contact between the buyer and the bunker company.
An invoice was received from what appeared to be the broker’s email address for the order placed by the customer. Everything looked normal.
The First Red Flag (That Was Missed)
A few days later, an email arrived within the same email thread, stating that the supplier’s bank account was temporarily unavailable due to an audit and asking the buyer to hold payment until updated bank details were provided.
The email:
- Looked identical to previous messages
- Had the same sender name
- Appeared in the same conversation thread
What went unnoticed was a tiny change in the email domain — visually almost impossible to spot.
The Scam in Action
Soon after, a revised invoice arrived:
- Same amount
- Same service
- Same structure
- Different beneficiary name and bank account
Believing the change to be legitimate, the company made the payment.
Days later, the “supplier” claimed the funds had not arrived and asked the company to recall the payment due to “extended audits.”
The company complied, successfully recalled the funds, and then—following new instructions—sent the payment again to another bank account.
Bank Warning — Ignored Under Pressure
The bank later sent a SWIFT message questioning the payment because the beneficiary name did not match the original supplier.
Under pressure from daily emails threatening penalties and interest for non-payment, the company validated the payment, trusting the ongoing correspondence.
The Truth Comes Out
Only after a direct phone call to the real broker did the situation become clear:
- The broker was also being deceived
- Fraudsters had inserted themselves into the email chain
- Both sides were communicating with fake domains differing by 1–2 characters
- The fraudsters controlled the narrative on both ends
The payment had been redirected to accounts fully controlled by criminals.
Attempted Second Scam
After discovery, it became clear the same fraudsters attempted the exact scheme again:
- A fake invoice for a much larger amount
- A fake email domain mimicking another broker
- A forged “official letter” claiming bank details had changed
This time, the payment was not made because the pattern was already recognized.
Key Takeaways
This scam did not rely on hacking systems or stealing passwords. It relied on:
- Email domain spoofing
- Thread hijacking
- Social engineering
- Pressure and urgency
- Trust in routine processes
Lessons Learned
- Never accept bank detail changes by email alone
- Always verify changes via phone or known contacts
- Check email domains character by character
- Be extremely cautious when urgency and threats appear
- Banks questioning payments is a signal — not a formality
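The character-by-character domain check can be automated at the mail gateway or in an accounts-payable workflow. The sketch below is an added example, not something used by the company in this case: it compares the domain in a From header against a list of already verified counterparty domains and flags any that differ by 1–2 edits. The domain names, the TRUSTED list and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains already verified by phone or contract.
TRUSTED = ("bunker-broker.example", "shipco.example")

def osa_distance(a, b):
    """Edit distance where an insert, delete, substitution or swap of two
    adjacent characters each costs 1 (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of a From header value, lowercased, display name ignored."""
    address = parseaddr(from_header)[1]
    return address.rpartition("@")[2].lower().rstrip(".")

def classify(from_header, trusted=TRUSTED, max_distance=2):
    """Return (verdict, nearest trusted domain or None, distance)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return ("trusted", domain, 0)
    nearest = min(trusted, key=lambda t: osa_distance(domain, t))
    distance = osa_distance(domain, nearest)
    if distance <= max_distance:
        return ("lookalike", nearest, distance)
    return ("unknown", None, distance)

if __name__ == "__main__":
    # Constructed From headers, as they might appear within one thread.
    for header in (
        "Ops Desk <ops@bunker-broker.example>",
        "Ops Desk <ops@bunker-borker.example>",   # two letters swapped
        "Ops Desk <ops@bunker-br0ker.example>",   # o replaced by 0
        "Ops Desk <ops@bunkerbroker.example>",    # hyphen dropped
        "Billing <billing@unrelated-vendor.example>",
    ):
        print(header, "->", classify(header))
```

A "lookalike" verdict is the case described above: the display name matches, but the domain is a near miss of a known counterparty. A lookalike registered with non-ASCII characters appears in its encoded xn-- form and will not fall within the distance threshold, so the phone verification step still applies.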
This type of fraud is common in shipping, logistics, construction, and any industry with large invoice payments and intermediaries.
If it happened to an experienced company — it can happen to anyone.
