Dubai businessman loses Dh360,000 to email hacker

Mystery suspect stalked victim online and impersonated his suppliers before pocketing the deal

Image Credit: Arshad Ali/Gulf News
Abdul Hamid
14 Gulf News

Dubai: A Dubai businessman has urged traders to be alert after an email hacker posed as his suppliers online to embezzle almost Dh360,000.

Abdul Hamid, a Pakistani heavy machinery dealer, said the hacker intercepted his UK suppliers’ emailed invoices for orders worth about £65,000 (Dh358,882).

Hamid instead received ‘invoices’ with the hackers’ banking details and wired the money to the UK as instructed in the emails that appeared genuine.

The ‘invoices’ and bank accounts still carried his suppliers’ names while the fake documents and messages were sent from email accounts virtually indistinguishable from those of his suppliers.

After withdrawing Hamid’s payments, the hacker vanished and his real suppliers’ original emails started coming in.

Meanwhile, trusting Hamid’s track record as a customer, the suppliers had started procedures to ship the goods to Dubai.

But they were soon inquiring about ‘delays’ in payments.

Hamid insisted the money had gone through and even sent copies of his bank’s confirmation.

The shocking truth unfolded when Hamid and his suppliers eventually got in touch over the phone.

“They were perplexed and wanted to know why I had sent the money to a different account this time. I said ‘because you told me to.’ We only realised our email accounts had been hacked after we verbally went over the recent emails between ‘us’ — the suppliers said they had never sent those messages,” Hamid said.

“I was stunned. The hacker had been stalking me online, waiting until I reached a price agreement with the supplier. He then sent me fake invoices and emails posing as the supplier, so he could get the money instead.”

Hamid was on the verge on transferring about Dh551,500 in another deal when he realised the scam.

He said he has reported the incident to Dubai Police and asked his Dubai bank to follow up with the British banks he wired the payments to.

He added that he has also requested the British banks and a UK financial fraud watchdog to alert customers and help track the hacker.

“How could the [UK] banks have accepted my wire transfers into accounts bearing the name of companies that don’t have an account with them? If the beneficiaries’ account name and account details don’t match, please confirm before crediting the account.”

Hamid said there needs to be more digital security against hackers as many documents nowadays are emailed instead of shipped between countries.

“Please don’t accept invoices over email, always ask for a fax — it’s the safest way as there’s no one who can come in the middle. And confirm everything by phone.

“I learnt this the hard way and I don’t want others to suffer what happened to me. Some people cannot afford a loss like that, it could be someone life savings,” he said.

“You don’t know how many weeks or months a hacker will stalk you, learn everything about you and your business partners.

“In my case, he seemed to have the same style of writing and tone. He didn’t even seem in a rush to scam me.”


  • Farhan

    Mar 5, 2013 6:16

    Always use LC (Letter of Credit) and LG (Letter of Guarantee) when doingtrade. This will help you overcome such malpractices, with a nominal feethe banks charge.

  • Dr. KB Vijayakumar, Ph.D.,

    Mar 5, 2013 4:53

    No bank in UAE is willing to take the responsibility for fradulenttransactions which it should in the normal course. If that is done thenthe customers are safe. But UAE has a different set of laws that thosein other countries and therefore it is difficult even to take the banksto Court. But in India, if there is a fradulent transaction invariablylthe bank has to bear the loss. The basic logic is that unless the CardHolder uses it himself, it is not a transaction that he has made.Similarly in the case of a cheque, unless it is signed by the accountholder, it is not valid as per law and the loss is that of the banks';however cleverly it may have been forged. This is the sanctity ofrelationship between the customer and the banker.

  • Edwin Joseph

    Mar 5, 2013 3:31

    I had multiple incidents where my email was hacked and my clientsadvised to transfer our outstanding amount to some account in China& Malaysia just before the dates of due payments. However since ourclients refused to do this transfer and referred the issue to us toverify the authenticity of this request, we were saved. Or else, in thenormal course the due payments amounting to around AED.500,000 shouldhave been syphoned.

  • Syed Ahmed Ali

    Mar 5, 2013 3:20

    How can the bank credit the account when the details dont match, or may be the fraudster registered a company/shop with the same or identical name and opened a new bank account wih that name...very strange by the way...

  • ali fakha

    Mar 5, 2013 2:18

    I am really wondering how a professional business man can transfer bigamount like this without even making a telephone call to reconfirm withthe supplier before sending the payment. No bank will credit any accountif the account details are not matched with the transferring bankdetails. I just had personal experience for even small amount less than4000 dhs when a iussed a cheque to my friend where the bank employeesknows me and him personally and still not accept to deposit this chequein his account , why just becasue I wrote his name abed while his nameabdul . while family name are same . imagine less than 4000 dhs and fortwo letters , local bank refused to accept. So how a big amount likethis?

  • Ali

    Mar 5, 2013 2:09

    100% case of someone close to the victim - most likely a short term relationship - a girl on the side. Informally for long time people have been saying via comments , articles ,emails that there is group ofwomen from Indian subcontinent in our good city whose sole activity isto trap rich men by posing as educated businesswomen or executives andstart personal relationship then,stalk them,use black magic,stealdetails from their mobile (cotacts ,bbm pins,emails) do a emailforwarding on their email so all their emails are auto forwarded tothese women and then either blackmail or steal. The fact thief was in norush meant she had eye on his every move and was assured she has histrust or trust of someone very close -son,brother,cousin involved inbusiness. My advise to the victim is scan every one in office who isinvolved in purchase process and recent relationship of such employeeswith girls - you will for sure get your money back inshaallah.

  • Vinod

    Mar 5, 2013 1:14

    Please note that proper networking with firewall , Aniti-virus server client security , proper awareness will avoid from fraud emails. Even there might be exact websites like ISP site but the URL will be different so the best method is have a good IT person at your firm whocontrol the complete IT to the best . Hackers cant attack when thingsare done right at your end . In todays world before you transfer moneymake sure you are 100 % passing to right direction as even email id canbe made with same domain in different hosting servers using MX recordtransfer from one server to another. So use best email server forhosting email if your organization server is not 100 % secured.

  • bassam

    Mar 5, 2013 11:48

    When you send legitimate payment, the bank will never credit it untiland unless all the details are accurate 100%, but strangely it acceptsfraud payment when the beneficiary name and account number don't match!You need to have anti-spam at your email server to make sure that emailoriginator's IP address and RDNS matches (only emails originated fromauthorised email server are accepted).

  • nazeer

    Mar 5, 2013 11:34

    Yes, I have come across this kind of transaction and lost almost AED1m. We have already taken up this issue with our bankers. Businessmen should be more vigilant and make a system for transferring payments and not only depend on the email accounts. In another instance, I had almost transferred few thousand dollars through western union when the mail of my client was hacked, he has urgent requirement and asked to send the money in a different name as he could not go to the western union by himself. While was about to send this, I had got a call from my client for some other reasons, but i told him that i am transferred money, he was shocked that he didnt ask for any money and he is not in thailand, but in a different country. That call saved me. But my partner had already lost a million dirham as I said before.

  • Faiyaz Moda

    Mar 5, 2013 11:12

    There are two major ways hacker can obtain your mail login information. One of them is by using all kinds of viruses, trojans and spyware applications.Secondly, if you are using too simple password he can simply guess it. Any way, if you change all your domain mail passwords to more complicated ones, the hacker most likely never will have access to your mail.Here is the tool you can use:" ".I can recommend everyone to use strong passwords, regularly change them and secure your computers with anti-virus.

  • Load more

Latest Comment

Always use LC (Letter of Credit) and LG (Letter of Guarantee) when doingtrade. This will help you overcome such malpractices, with a nominal feethe banks charge.


18 March 2013 17:44jump to comments