As an online business, you may be asked to provide your banking details to a new customer to facilitate payment via wire transfer. Is it safe to share this information? In most cases, this will be a legitimate ask by a trustworthy company. Wire transfers can save you money by eliminating the exorbitant fees charged by credit card companies. Nevertheless, there are lots of scammers out there who would love to get their hands on this information to try to take your money.
Let's walk through a typical scenario designed to obtain products fraudulently.
Scammers will generally contact your business by email or phone. They avoid using email forms on your website since these can be designed to log the IP address of the sender (which scammers don't want to share). Therefore, one way to reduce your chances of getting scammed is to not publish a contact or sales email address on your website. This will also help reduce the email spam you receive. This is not foolproof, since scammers can often guess what email addresses you may be using; for example, sales@yourdomainname.com is commonly used. For this reason, you might want to use less predictable email addresses.
The scammer will usually use a non-business (free) email address such as somebusiness@gmail.com. These initial emails often contain huge red flags, such as phrases like "do you take credit cards", "do you accept checks", "do you accept bank transfers", etc. They may want to know about your shipping terms. They will often ask mundane product questions whose answers can be easily ascertained just by looking at your website. They often indicate that they would like to place a large order.
The next email often instructs you to proceed with a large order, something like "Kindly prepare an order for 100 widgets and send me the order confirmation including your banking information where we can send the payment". They generally don't negotiate the price or terms. Their "business address" is often a PO box or a unit within a larger facility. They will often try to arrange their own shipping and make arrangements to pick up the goods directly. If you are shipping the product, their shipping address will generally be a freight-forwarder or a third-party business of some kind.
It is possible that the scam is just designed to obtain your banking information so that they can use this to forge checks under your company's name. Never send your banking details at this point without thoroughly vetting the "customer". In situations where the scammer attempts to take possession of products, they will try to obtain goods that they can easily resell: something for which there is a large market and which can be sold over the internet or to shady distributors. Ideally, they want a product that cannot be traced back to your company or brand.
The scammer will generally not order directly from your website. Instead they will phone in the order or send you an email with the order details. This is done to prevent your ordering system from collecting their IP address.
If you search Google Maps for a fraudulent "customer's" business address or mailing address and enter "Street View", you generally won't see their business name on signage or on the buildings where they claim to be located. Look for other ways to try to validate this business, such as a website, Google My Business Listing, Facebook page, X account, etc. If you find GMB or Facebook listings, read the reviews for these to look for indications of people being scammed. Most legitimate businesses have a website; if you don't find one, or if you find one that looks unprofessional, these are huge red flags.
One of the techniques used by scammers is designed to trick you into believing that funds have been wired to your account. This can be done by mailing a fraudulent check to your bank. Banks are supposed to contact you when this happens but sometimes they just go ahead and deposit the check into your account. When you see the funds have gone into your bank account, you assume that these were received via a bank-to-bank transfer. Wired funds are generally pre-cleared and irrevocable so you assume it is safe to ship your product. However, since the funds were actually received via a check, it can take a week or more for the check to clear. Before shipping large orders to new customers, always contact your bank to ascertain how the funds were received and how long it will take before the funds are cleared. Also confirm that the name of the payor matches that of your customer, since fraudsters often deposit bogus checks in the name of third party companies that are also being scammed.
Another huge red flag is when the payment is for a greater amount than what was originally ordered. The fraudsters may indicate that they are pre-paying for future orders. Later, they will try to get some funds transferred back to them before the original check bounces.
After depositing a bad check into your account, the scammers will put pressure on you to ship their order by claiming that they need the goods urgently. If you are the least bit suspicious about the validity of the business, never release any product until your bank confirms that the payment cannot be retracted.
One way to help protect your company from being the victim of a scam is to avoid giving out your banking details before performing some due diligence. Here is a form developed by one of our customers.
Rather than simply emailing your banking details to your prospective customer, you direct them to a form like the one shown above. This has several advantages:
When the customer completes the Banking Details Request Form, this will send an email such as the following:
Notice that this email not only provides the details submitted by the prospective customer but also their Geo Location as determined by the sender's IP address. If this location does not coincide with the customer's address, this is another red flag. Nevertheless, be aware that VPNs can be used to spoof the customer's IP address so, while this can be a negative indicator, don't trust it as a positive indicator.
At this point your company should use the information provided to perform due diligence and decide whether it is safe to send your banking details to this customer. This form assumes that you already have billing and shipping details for the customer, which were gathered when their order was placed.
Since email is notoriously insecure, this may not be the best way to send the customer your banking details. Notice, in the form above, the vetting email included text and a link to send to the customer. This link was generated and included in this email so that it can be encrypted. When the customer clicks on the link, they will be shown a page on your site such as the following (redacted) form:
You might assume that a lot of coding was required to implement this solution. In fact, only about 70 lines of PHP code needed to be hand-written to implement the procedure outlined here. If you are interested in learning how this solution was implemented in GenHelm, follow Implementing Banking Detail Sharing in GenHelm.
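One way to build the kind of link described above, as an added example in Python; it is not the GenHelm implementation or code from the original page. It assumes an HMAC-signed, expiring, single-use token rather than encryption (the link carries only a reference to the vetted request, and the banking details never leave the server); the URL, key handling, lifetime and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumptions (not from the original page): key handling, URL, lifetime, token layout.
SECRET_KEY = secrets.token_bytes(32)  # in practice: a fixed key kept in server-side config
BASE_URL = "https://example.com/banking-details"  # hypothetical page on your site
TTL_SECONDS = 48 * 3600  # how long the emailed link stays valid


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link(request_id, now=None):
    """Build the link to email to a vetted customer. It carries only a
    reference to the approved request, never the banking details."""
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    payload = json.dumps({"rid": request_id, "exp": expires}).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{BASE_URL}?t={b64e(payload)}.{b64e(sig)}"


def verify_token(token, used, now=None):
    """Return the request id if the token is authentic, unexpired and unused,
    otherwise None. `used` stands in for a database table of redeemed ids."""
    try:
        p64, s64 = token.split(".")
        payload, sig = b64d(p64), b64d(s64)
    except ValueError:  # wrong shape or invalid base64
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or altered link
    claims = json.loads(payload)  # safe to parse: signature already verified
    current = now if now is not None else time.time()
    if current > claims["exp"] or claims["rid"] in used:
        return None  # expired, or the details were already viewed once
    used.add(claims["rid"])  # single use: a forwarded or leaked link is dead
    return claims["rid"]
```

The page that displays the banking details would call `verify_token` on the `t` query parameter and render the details only when it returns a request id.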