Dear David,
We got scammed! My company recently received a large product order from a known client. After ordering, the client asked for a delivery address change – no big deal. Thirty days later, when we did not receive payment, my client confirmed they did not actually place the order. I filed an insurance claim but was denied. What happened, and why didn’t our insurance cover the loss?
Dear Scammed,
Unfortunately, your company was a “purchase order scam” victim. For everyone’s benefit, let’s explain how purchase order scams work. Initially, bad actors email businesses misrepresenting themselves as trusted clients looking to place an order. Bad actors build rapport with sales agents and place large orders on credit. Then, immediately preceding shipment, bad actors insist on changing the shipping address. If met with resistance, bad actors apply pressure. For example, bad actors may claim they will suffer unbearable hardship or that your business relationship will be damaged. Sales agents usually mail the order, but as soon as it arrives a mule forwards the product to the bad actor’s true location. Thirty days later, when payment is not received, the victim learns the order was fraudulent. Fortunately, by changing a few internal processes and securing the right insurance coverage, you can significantly reduce your company’s risk.
First, since bad actors send emails misrepresenting themselves as trusted clients, it is important to verify the sender is who they represent themselves to be. To verify the sender’s identity, hover over their email display name with your mouse. Hovering over the email display name will reveal the sender’s true email address. When an email display name does not match the email address, it should raise a red flag.
Second, since the last-minute address change is vital to the scam’s success, verify the new address belongs to your client. First, input the new address into a search engine. This helps because bad actors regularly ship to storage facilities or single-family homes with no connection to your client. Next, regardless of what you find, call your client using a known phone number. Since bad actors may be intercepting your client’s email, or spoofing their phone number, it is critical that you place the call using a trusted phone number.
Finally, before becoming a victim, consider conducting a pre-loss insurance program diligence review. In this case, an advocate may have suggested securing an optional social engineering fraud endorsement with limits tailored to your risk tolerance. Second, an advocate may have reviewed your crime policy for computer fraud coverage. Third, an advocate may have examined whether this cyber peril would trigger non-affirmative (silent) cyber coverage. Many “all-risk” insurance policies cover perils, unless excluded. Thus, if your policy does not expressly exclude a cyber peril, coverage may apply. Since cyber threats and insurance coverages keep evolving, it is crucial to understand what your policy covers, what your policy excludes, and what limits apply.
In sum, proactively identifying and investigating red flags may prevent you from becoming the next purchase order scam victim. However, even if you do become a victim, having appropriate coverage in place will reduce your company’s overall financial exposure.
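The display-name check described above can also be automated for an order inbox. The sketch below is an added example, not part of the original column; the client names, domains and the `check_sender` helper are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed directory: client display name -> domains that client really mails from.
KNOWN_CLIENTS = {
    "acme industrial supply": {"acme-industrial.example"},
    "northwind traders": {"northwind.example"},
}


def check_sender(from_header, known_clients=KNOWN_CLIENTS):
    """Return a list of red flags for one From header value (empty list = none found)."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]

    domain = address.rsplit("@", 1)[1].lower()
    name = display.strip().lower()
    flags = []

    # The display name itself is an email address, but not the one actually sending.
    if "@" in name and name != address.lower():
        flags.append("display name shows a different address than the real sender")

    # The display name claims a known client, but the address is off that client's domains.
    for client, domains in known_clients.items():
        if client in name and domain not in domains:
            flags.append(f"display name claims '{client}' but address domain is {domain}")

    return flags


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        '"Acme Industrial Supply" <orders@acme-industrial.example>',
        '"Acme Industrial Supply" <acme.orders@freemail.example>',
        '"orders@acme-industrial.example" <jane@freemail.example>',
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "no flags")
```

A clean result only means the display name and address agree; the call to the client on a known phone number is still required, since the client's real mailbox may be the one sending.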