Recent online crime figures from Get Safe Online and Action Fraud reveal that fraud, including cybercrime, cost the UK economy almost £11 billion in 2015/16. For small and medium-sized businesses, much of this is a result of invoice, ‘vishing’ or spoofing fraud. Ensuring your staff are vigilant, and know how to react if they have suspicions about a transaction, could protect you from financial loss. Brendan Harper outlines the most common types of fraud and how to protect against them.
Invoice Fraud happens when a company or organisation is tricked into changing bank account payee details for a sizeable payment. Criminals pose as regular suppliers to the company or organisation and will make a formal request for bank account details to be changed.
Fraudsters make contact with the organisation’s finance teams, posing as suppliers. Payments are made to them and the fraud is often only discovered when the legitimate supplier chases for non-payment. At that point, recovery of the funds paid is rarely successful. Following some of these simple steps will protect against invoice fraud:
- Ensure that all staff who process supplier invoices and who have the authority to change bank details are vigilant. They should always independently check changes to supplier names, addresses and invoiced amounts back to alternatively sourced points of contact.
- Establish a designated point of contact with suppliers to whom your company or organisation makes regular payments. Raise all invoice issues and concerns with this person.
- Check the logos. Logos on counterfeit invoices are often blurred and these invoices often contain account details to which the payment should be made.
- If in any doubt, HOLD the payment until you are 100% satisfied that it is going to the right person for the right amount.
Telephone Fraud is being used increasingly by criminals to deceive organisations into revealing financial information or to encourage the transfer of funds into a bank account held by the criminal. This type of fraud is known as ‘Vishing’.
Posing as a supplier, a police officer, or bank staff, criminals will make an attempt to obtain bank account details or will ask for bank payee details to be altered so regular payments normally transferred to a genuine supplier account are instead made into their own account.
A variation of this fraud involves the criminal posing as a senior bank official or police officer investigating internal fraud at your company bank. They will try to persuade a member of staff that in order to protect your organisation’s funds, all money must be transferred to a ‘secure’ account. The member of staff is advised not to give the bank a reason for the transfer in case the teller is involved in the internal fraud. Remember:
- Do not assume that every telephone call is an honest one. Criminals may already have enough information about you or your company to appear genuine.
- Be wary of requests for financial information and alterations to bank transfers.
- If you are suspicious, do not be afraid to terminate the call.
- Remember that caller display IDs can be manipulated to disguise the origin of the call. If in doubt, call back using an independently verified number.
We have seen an increase in the volume of Spoofing Fraud reports in recent months. This has resulted in substantial financial losses for several businesses that have fallen victim to this type of fraud.
A company, often with multiple offices, is targeted by a fraudster who purports to be the CEO of the company and often claims to be based in another country. The fraudster contacts a finance officer requesting payments to be made into bank accounts under the pretence of a highly sensitive acquisition, merger or property purchase.
Initial contact appears to primarily be made via email from an address similar to the one the CEO would use, although the suspect will telephone to complete the fraud if required. In addition, the fraudster may also introduce a second fraudster, who poses as a lawyer or regulator. With a strong social engineering element, the fraudster often requests that they, as the CEO, are not contacted further by the financial officer as they are busy. Alternatively, the fraudster may pick occasions when the real CEO is on holiday, therefore preventing the officer from checking the validity of the request.
- Review internal procedures regarding how transactions are requested and approved, especially those in relation to verification.
- Check email addresses and telephone numbers when transactions are requested.
- If in doubt, request clarification from an alternatively sourced email address or phone number.
- Don’t be afraid to question details when being tasked to transfer money at short notice.
- Ensure management are receptive to queries about unusual transactions and encourage staff responsible for payments to question senior staff about unusual transactions, even if this is a bit frustrating.
For more advice and information on how to protect your business from fraud, contact Brendan Harper or Howard Shaw, Head of Anti-Corruption and Whistleblowing. Further information about types of fraud and latest advice can also be found on the Action Fraud and City of London Police websites.