What is it?
Bank mandate fraud (also known as creditor fraud, payment diversion fraud and supplier account takeover fraud) is a huge fraud risk; simple to perpetrate and simple to prevent, yet it is still happening as you read this. Changing a company’s account should be a rarity – it’s disruptive and costly, so it should not be a regular occurrence, and therefore any request should be treated with suspicion.
If you’re tempted to stop reading now because you’ve heard it all before, please do read on as many who think they had it covered are still getting hit, across all sectors.
The fraud involves changing the account details held for suppliers or customers (or sometimes employees, especially if a significant payment, say a rail ticket advance or bonus, is due) in order to divert payments. Fraudsters rely on the payee (company) name not being checked by the banks; in most cases, only the sort code and account number are checked by the receiving bank. Requests to update account details arrive by phone, letter or email; such requests must be monitored, checked and properly authorised before changes are made.
It’s not hard to get details given the wide and on-line availability of publicly announced contracts, the transparency agenda and publication schemes, corrupt insiders and/or social engineering to gain information from unsuspecting employees.
Often an urgency is created, pressurising the recipient into taking action and perhaps not giving the request enough thought and checking; any type of pressure, aggression or urgency should be viewed as highly suspicious. The requests are often timed for when staffing is tight (holiday periods) and are usually very plausible: documentation is usually professional (easy these days); phone calls come with well-researched detail; and emails are sometimes routed so as to look as if they have already gone through some internal checking.
What can you do?
It’s little more than education, education, education. Staff should be made aware of the scam, how easy it is to commit, and more importantly, why the controls and checks are crucial. As a minimum:
- staff should be wary of providing sensitive company information, in particular contract and account information including contact names, references etc.;
- ensure clear and reliable points of contact for handling and changing sensitive information;
- think about using a password between the points of contact (held securely!) – re-visit your IT security and clear-desk policies;
- call back and email using records already held in your system (not those in the request) and corroborate this with publicly held information (bearing in mind the fraudster may create incorrect details on the internet).
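As an added illustration of the call-back and authorisation controls above (example code, not part of the original article), the following Python sketch, using a constructed vendor record, flags a bank-detail change request whose sender or call-back number is not on file, and only applies the change once the call-back has gone to a number already held and two different people have approved it:

```python
from dataclasses import dataclass

# Constructed vendor master record (example data, not from the article): the
# details already held in the system, which any call-back must use.
VENDOR_MASTER = {
    "ACME-0042": {
        "contacts": {"j.smith@acme-supplies.example"},
        "phones": {"+442079460000"},
        "sort_code": "20-00-00",
        "account": "12345678",
    }
}
URGENCY_WORDS = ("urgent", "immediately", "today", "before close", "asap")

@dataclass
class ChangeRequest:
    vendor_id: str
    from_email: str
    callback_phone: str  # the number the requester asks to be rung on
    new_sort_code: str
    new_account: str
    body: str

def red_flags(req, master=VENDOR_MASTER):
    """List the red flags on a change request, checking it against records
    already held rather than against anything the request itself supplies."""
    rec = master.get(req.vendor_id)
    if rec is None:
        return ["unknown vendor id"]
    flags = []
    if req.from_email.lower() not in rec["contacts"]:
        flags.append("sender address not on file")
    if req.callback_phone not in rec["phones"]:
        flags.append("call-back number in request differs from records")
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        flags.append("pressure or urgency language")
    return flags

def apply_change(req, verified_on, approvers, master=VENDOR_MASTER):
    """Update the record only if the call-back went to a number already on
    file and two different people approved. Returns True if applied."""
    rec = master.get(req.vendor_id)
    if rec is None or verified_on not in rec["phones"]:
        return False  # call-back must use the number on file, not the request
    if len(set(approvers)) < 2:
        return False  # no single person can approve a mandate change alone
    rec["sort_code"], rec["account"] = req.new_sort_code, req.new_account
    return True
```

The flags are advisory for the person doing the verification; the change itself is gated solely on the call-back number and the two approvers.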
Be aware it may be a long game… the ‘Oh, we’ve changed bank accounts’ approach still works sometimes, but the fraudsters, as ever, are evolving. We have witnessed phone calls simply saying the caller is taking over as account manager, seeking to get a date in the diary simply to have a coffee and put a face to a name. This is followed by a seemingly trivial call about the contract or a “How’s it going – is everything okay on the contract?”, so by the time they tell you about a change of bank details, you may have spoken with them three or four times and feel you know them. Easy.
What if it does happen?
Given the speed of payments, money may shift very quickly indeed. Bear in mind that banks will usually only refund if they are at fault, and the correct organisation will still need paying:
- if it’s not too late, do not continue with the transaction;
- report your suspicions to your own bank, to the bank whose details have been provided, and to the police (fraud by false representation does not require money to be lost; the intention is sufficient, and there may be other offences, such as money laundering, that could come into play);
- preserve the evidential trail (hard copy and IT), and urgently seek professional advice.
If you require a review of your existing controls, or assistance in investigating losses, please do not hesitate to contact me: email@example.com