A surprisingly simple but increasingly common fraud activity is a change of bank account details purporting to be from a supplier and followed by fraudulent invoices.
As fraudsters continually develop and apply new methods to circumvent controls, it is essential that all organisations assess the effectiveness of controls in relation to the administration procedures for changing supplier bank account details on invoice payment systems. It is also important to ensure that mitigating action is taken where necessary to minimise any fraud risk, for example, by independently verifying with the supplier the change to supplier details before actioning.
Such scams can have a multitude of repercussions, such as impacting resource levels, causing conflict within the organisation and reputational damage. The consequences could be significant financial loss, job losses, costly disciplinary/investigation processes, legal fees, disfavour with key stakeholders and loss of public confidence/trust.
This fraud is now prevalent in the public, private and not-for-profit sectors. Criminals are researching the suppliers engaged with organisations by reviewing public domain information such as published tender awards or supplier lists.
, Associate in the Fraud & Bribery team, comments: 'It is essential that all organisations assess the effectiveness of controls in relation to the administration procedures for changing supplier bank account details on invoice payment systems.'
A number of cases have been identified where the bank details of legitimate suppliers and contractors have been changed on organisations’ finance systems in order for payments to be diverted to bank accounts controlled by fraudsters. For example:
- a local authority processed two amendments with a resulting loss of £500,000;
- the Olympic Development Agency lost £2.3m and Skanska, working on the landscaping for the Olympic Park, lost £86,000 as a result of payments being diverted into the fraudster’s account;
- in the NHS approximately £1.5m of fraudulent transactions have been paid to fraudsters through supplier bank account amendment requests. The payments have ranged from a few thousand to £864,000.
In the fraudster’s typical approach, genuine creditors and suppliers receive a telephone call from a source purporting to be from a legitimate organisation to which the supplier delivers goods/services. The caller aims to obtain, at least, the following information:
- bank account details;
- contact name(s) and details;
- supplier code;
- purchase order number(s);
- last invoice(s) paid;
- outstanding invoice(s).
Shortly afterwards, the organisation will receive a letter, fax, e-mail or telephone call purporting to be from the legitimate creditor/supplier. These will contain the correct headers, logos, addresses and company information, notifying a change of bank details from the existing genuine account to that of the fraudster. Payment is then made and swiftly moved from the fraudulent account.
Where an organisation publishes a list or register of high-value contract suppliers and contract information on its website, any requests for changes in payment details from those listed should be closely scrutinised. Where the request arrives as hard copy (on letter-headed paper), an email should also be requested, and vice versa.
As part of standard procedures, creditors/suppliers should be independently contacted using the original/existing contact details held on file rather than those given when requesting the change.
Additionally, it is worth checking other public domain details. If possible, further confirmation should be sought from a known contact within the supplier organisation before making changes.