Trending Content

A cautionary cyberfraud tale from the rental world

By Brock Huffstutler

September 5, 2023

Ideal Rent-All staff with trailer

One of the trailers Ideal Rent-All purchased from Croft Trailer Supply

It was a well-planned purchase: one new truck from FlowMark and three new Demco auto hauler trailers from Croft Trailer Supply — all items in stock and ready for pickup from the suppliers who both are located in Kansas City, Mo.

One all-inclusive trip to the Midwest took care of the merchandise pickup for the buyer, Ideal Rent-All in Mount Vernon, Wash. Payment was a breeze, too. Ideal Rent-All took care of FlowMark’s bill via the ACH (Automated Clearing House) transfer instructions provided by the company. Then, Ideal paid Croft Trailer Supply via the ACH instructions it had provided.

The transaction was complete with all parties satisfied, right? Nope. As it turned out, cyberthieves had struck again.

Unbeknownst to Croft Trailer Supply, hackers who were later found to have originated from Johannesburg, South Africa, had somehow gained access to some of Croft’s emails — including the string relating to Ideal Rent-All’s trailer purchase.

“They [the hackers] were in the background and were basically communicating like they were Croft,” says Michael McDaniel, Ideal Rent-All CEO, who had been corresponding with Croft Trailer Supply’s trailer coordinator exclusively via email.

“What wasn’t known at the time was that our trailer coordinator’s email had somehow been compromised by an outside source, or hacker, if you will,” says Mollie Bunkers, customer service specialist, Croft Trailer Supply. “The hacker started intercepting emails sent and received when the conversation between the two reached the point of purchase of the trailers from our company later in August [2021]. This hacker had set up an email that filtered all sent and received emails that were sent to our trailer coordinator to a third-party email, where he had the ability to completely change the email, then turn around and send it to whoever he was trying to scam.”

McDaniel says the hackers’ ability to use a known and trusted email address — in this case, that of the Croft trailer rep — was a critical part of the scam’s success. “That was key. I had never personally experienced this type of thing,” McDaniel says.

When McDaniel initially viewed FlowMark’s and Croft’s emails containing their respective ACH transfer instructions and executed the payments for the merchandise, “I was using my smartphone; had I been looking at them on a PC I’m pretty sure I would have spotted some things that were abnormal from the emails that came from my Croft sales rep,” he says.

Both Croft Trailer Supply and McDaniel knew something was off a little later when Croft submitted to Ideal Rent-All an invoice for the balance due on the trailers. McDaniel had already sent his ACH payment and considered the deal complete. Croft, of course, hadn’t received payment and billed Ideal as per their usual account-based structure.

Then came an instance where the same hacker tried to get payment from another customer of Croft’s. “This same hacker had tried to get payment from another company that we were building a trailer for,” Bunkers says. “He [the hacker] was filtering and intercepting the emails all the same, but the customer in this situation had already provided the information that the hacker was looking for, so he called and that is when we figured out that something wasn’t right.”

Reflecting on his incident, McDaniel says two particular aspects should have stood out at the time as red flags:

The demand for immediate payment. McDaniel says the demand for such quick payment upon closing of the sale was not necessarily in line with the communication he had developed with his salesperson from Croft Trailer Supply. “There were some noticeable changes in the rapport but, knowing how rental can be, at the time those were taken as quick responses to being busy,” Bunkers adds.

The fraudsters’ use of a legitimate U.S. bank. A post-theft investigation revealed that the bad actors requested the ACH funds be transmitted to a U.S.-based bank account from Minnesota. “With a U.S.-based account, you have to show ID and things like that, and that’s also one of the reasons where I thought it was OK to pay,” McDaniel says. “It wasn’t like the money was going via Western Union; it was going to an American, U.S.-based checking account.”

The damage had been done, but there were some lessons learned from the incident.

“When I analyze it after the fact and looking at the emails, I should have been more diligent and cautious,” McDaniel says. “Also, with the kind of dollar amount [associated with the sale], I should have been working off a PC and not my phone. I think then I would have noticed that [the thieves] had tweaked a couple of things that potentially would have caused alert. Then I probably would have made a call to Croft. But one of the reasons I had lowered vigilance over this was that I needed to make a wire transfer over to this other company [FlowMark]. So, it was just like two coincidences coming together — two sales to two people out of Kansas City.”

Two years after the theft, McDaniel admits to some frustration that little has been done by law enforcement to track down those responsible for defrauding both the buyer and seller in the transaction.

“I followed through with the government agency that you file fraud complaints with, but nothing ever developed,” McDaniel says. “I also filed a report with the local police department, but nothing ever materialized, not even a real acknowledgement that said, ‘We got your complaint.’ I thought that maybe they could have done something because it involved a U.S.-based bank account.”

As he recounts the experience, McDaniel is quick to add that he is delighted with the quality of the trailers he received from Croft Trailer Supply and credits the company for making good on the purchase in the aftermath of the fraud realization. “They’re really good folks. They didn’t charge us for the trailers,” he says.

For its part, Croft Trailer Supply says that since the incident, it has taken multiple measures to help ensure a similar situation doesn’t happen to anyone else.