Lately a number of bullion dealers worldwide have experienced a marked increase in the number of targeted phishing and fraud attempts, specifically aimed at defrauding both bullion dealers (retail and wholesale) and their customers. Jewellery dealers are also being targeted. These are more sophisticated attempts than the usual bulk spam mail attempts that most people see daily.

Without going into too many details of the particular attack vectors, the attackers are attempting to identify supplier-customer relationships, and attempting to trick customers, both retail and wholesale, into redirecting funds to illicit bank accounts. The main source of information for the attacks I'm aware of appears to be bulk email account hacking, with hackers trawling through hacked email accounts looking for users with high value online spending. Email hackers then target the user's future purchases, setting up email forwarding rules that monitor for emails from particular senders (e.g. an online order confirmation email), and then, once they've detected you have placed an order, quickly sending a forged email to the customer with new payment instructions that attempt to divert funds to the hacker. This is known as a "man in the middle" attack.

Dealers are also being directly targeted with hacking attempts - the latest method seen this week is an emailed order with an attachment that contains a trojan file, asking the dealer to open the attachment to read the "gold order" - directly targeting the bullion dealer in an attempt to steal passwords, banking details, and whatever other information could be gleaned. Several dealers spoken to have received such emails in the last week, often emailed to specific individuals at the company - again, usually sourced from compromised email accounts of customers that have previously dealt with said company.

So how can you protect yourself?

1. NEVER click on links or attachments in emails without verifying the sender - the email may contain a keystroke logging trojan. These come in many forms - browser scripts, browser add-ons, executable files - so just don't click on links from people you don't know, and if you do know them, take a moment to check that the email is from the correct email address. It's not uncommon to see an email like "[email protected]" impersonated by something like "[email protected]" - if you don't open up the sender's details to view the email address, it will just look like any other email from Bob's Bullion.

2. Change your email passwords regularly. If you see a media report about a public email service being hacked that you use - or any other service where you use the same password that you use for your email - change it. It's not uncommon for one service to be hacked, and if you've used your email address there as the user ID, and the same password you used there is also your email password, a hacker can access your email account without it actually being the subject of a hack attempt in the first place - they just need to get your email address and a password from elsewhere, and they will test to see if it's also your email password. So unique email passwords are a really good idea.

3. Use two factor authentication on your email. If your email service offers this feature, e.g. using Google Authenticator or similar, activate it. If a hacker does obtain your password, it is useless to them without the second authentication device, such as your phone.

4. Check your mailbox settings, and see if there are any unexplained email rules set up to forward or delete emails - this is a sure sign that someone has accessed your mail account and is listening in.

5. Most importantly in relation to this issue, ALWAYS verify unusual email instructions by telephone - if you receive an email asking you to send a bank wire to a different account, or to use PayPal instead of a bank deposit, or to send bitcoins to a different address - call and verify. This simple step seems like common sense, but is rarely done. Question and verbally confirm any change in payment instructions you receive via email. Every case I've been told about so far involved the hacker attempting to get money wired offshore, e.g. to Malaysia or the UK, which usually immediately alerts people to the scam, but there have been successful frauds pulled off, usually where the supplier is in one country and the customer in another, so wiring funds to "our other office" doesn't seem so farfetched.

6. Don't store large quantities of metal at home - for now most of these scam attempts appear to be southeast Asian in origin, so it's not some hacker sitting in Sydney or New York doing this that could come into possession of a delivery address - but there are always risks associated with home storage, and more people on this forum have lost metal stored at home than have ever had it stolen from a dealer or storage facility.

Don't think that you can hide in the herd - it's ridiculously simple to write scripts that can trawl through purchased or hacked lists of passwords to see if they are valid for email accounts, and then run automated searches for known keywords like bullion dealer email addresses - a list of tens of thousands of stolen passwords can quickly be whittled down to a handful of active email accounts that belong to bullion customers. Protect your email, and stay safe!
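The two checks in points 1 and 4 above (is the sender's address really the supplier's, and has anyone planted a forwarding or delete rule in the mailbox) can be automated for a dealer or customer who handles a lot of order mail. The script below is an added example written for this post, not code from the original author or from any mail provider; the supplier domain, the mailbox rules and the From headers are all constructed samples, and the rule dictionary layout is a hypothetical simplification (real webmail rule exports use their own formats, so the loading step would need adapting).

```python
import email.utils
from difflib import SequenceMatcher

# Constructed sample data (hypothetical domains, not real suppliers).
KNOWN_SUPPLIERS = {"bobsbullion.example": "Bob's Bullion"}   # domain -> display name
OWN_DOMAINS = {"mycompany.example"}                           # addresses you control

# Four constructed From headers: one genuine, one with a letter dropped from the
# domain, one with the domain altered, and one using a free webmail account but
# the supplier's display name.
SAMPLE_HEADERS = [
    "Bob's Bullion <orders@bobsbullion.example>",
    "Bob's Bullion <orders@bobsbulion.example>",
    "Bob's Bullion <orders@bobsbullion-example.com>",
    "Bob's Bullion <bobsbullion.orders@freemail.example>",
]

# Constructed mailbox rules in a hypothetical simplified layout.
SAMPLE_RULES = [
    {"name": "Newsletters", "match": "from:news@", "action": "move",
     "target": "Promotions"},
    {"name": "Hide dealer mail", "match": "from:bobsbullion.example",
     "action": "forward", "target": "bob.orders@freemail.example"},
    {"name": "cleanup", "match": "subject:order confirmation",
     "action": "delete", "target": None},
]


def check_sender(from_header, known_suppliers, threshold=0.8):
    """Classify a From header against the suppliers you actually deal with.

    Returns (verdict, domain) where verdict is one of:
      ok                 - address is on a known supplier domain
      lookalike-domain   - domain is a near-match for a known supplier domain
      display-name-spoof - display name says supplier, address does not
      unknown            - nothing suspicious matched, but not a known supplier
    """
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in known_suppliers:
        return ("ok", domain)
    for known_domain, name in known_suppliers.items():
        # Similarity of the whole domain string; a dropped or swapped letter
        # still scores very high, a genuinely different domain scores low.
        similarity = SequenceMatcher(None, domain, known_domain).ratio()
        if similarity >= threshold:
            return ("lookalike-domain", domain)
        if name.lower() in display.lower():
            return ("display-name-spoof", domain)
    return ("unknown", domain)


def audit_rules(rules, own_domains):
    """Return (rule name, reason) for rules that forward mail off-domain or
    delete it outright: the two actions an intruder relies on to watch an
    inbox without the owner noticing."""
    findings = []
    for rule in rules:
        if rule["action"] == "forward":
            target_domain = rule["target"].rpartition("@")[2].lower()
            if target_domain not in own_domains:
                findings.append((rule["name"],
                                 f"forwards matching mail to external address {rule['target']}"))
        elif rule["action"] == "delete":
            findings.append((rule["name"], "deletes matching mail before you see it"))
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_sender(header, KNOWN_SUPPLIERS), "<-", header)
    for name, reason in audit_rules(SAMPLE_RULES, OWN_DOMAINS):
        print(f"SUSPICIOUS RULE '{name}': {reason}")
```

Two design points: the domain comparison deliberately looks at the address, not the display name, because the display name is free text the sender controls; and the rule audit flags every delete rule, not just ones mentioning a supplier, because a rule that quietly bins "order confirmation" mail is exactly how the redirected-payment scam stays hidden until the money is gone.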