Fraud Alert - 5 key tips
This is a reminder that instances of bank fraud are rife at present, and have been for at least a couple of years. The fraudsters are using very plausible and effective methods to dupe businesses.
I keep hearing of people who have been caught out, usually for thousands but often tens of thousands of pounds. Because of the way it is done, there must be people who have been caught out for even larger sums. According to UK Finance, almost 43,000 businesses fell victim to this scam in 2017, losing an average £5,500 each.
Read on for what you should look out for and what you can do about it.
What to look out for
Typically what happens is that an accounts department receives a notification of a change of bank account for a frequent supplier. If actioned, the next payment to that supplier will result in payment to the fraudster’s account. The payment is authorised and thought to be valid because it is for a known supplier and known purchases. Payments may be quite large. Funds are very difficult to recover once this point is reached.
Another example might be an urgent request from the managing director to the financial controller/finance manager for a transfer of funds to Company x, quoting bank details. The email may be very plausible, in good English, employing the kind of phrases typically used by the managing director, and referring to a known event or situation, such as the conference the MD is at. Emails requesting confirmation get believable responses.
This is an example of a “man in the middle” attack, where the fraudster has gained access to email accounts. They may even be able to access both sides of the email correspondence and intercept both the MD’s and the accountant’s emails, so that neither sees what the other has written and the usual warning signals don’t get through. They have been reading correspondence and are able to mimic the styles of the participants.
How do you protect yourself against this?
1 – Ensure that the accounts department has a clear process to deal with payments, new suppliers, and new bank accounts, that each person involved knows well;
2 – The process should include an independent check on new bank accounts. For example, an email request should be checked by phone to a responsible senior person in the organisation, ideally someone other than the person making the request;
3 – For obvious reasons, don’t do the ‘independent’ check using the contact details provided in the original request. It could well be the fraudster. Find the contact by a different method so as to bypass the fraudster. The website address and phone number in the email are not independent;
4 – Be alert. These frauds work because they appear to come from people you trust, carrying on normal business. There will still be clues. The fact of a new bank account. A sense of heightened urgency might be another clue. An odd phrase in a sentence. Of course, the kind of manager who makes everything urgent and critical means that clue won’t be there. It just makes the accounts department’s job harder;
5 – Employ two-factor authentication for password setup and change passwords occasionally. Easy passwords are a route in, including to the email server.
Please don’t think “process” is just more unnecessary bureaucracy. Think about how you’ll feel when £50,000 has just been paid out to the wrong people.
A safe approach will keep you wealthy.