‘Change of banking details’ fraud – where fraudsters impersonate legitimate suppliers in order to divert payments of invoices into their own accounts – continues to be prevalent and is becoming increasingly sophisticated. Companies need to be aware of this scam and how to implement the proper controls to prevent themselves becoming duped.
How does it work?
Fraudsters masquerade as genuine suppliers by sending forged or manipulated emails or documents to the target business. The fraudster informs the target that the supplier’s bank details have changed and that the new details should be used to settle any future invoices. The target updates its systems, and the next legitimate payment is then paid into the fraudster’s account. By the time the actual supplier is chasing for payment, these sophisticated fraudsters have usually moved the money elsewhere and are incredibly hard to trace.
While the attack often comes from outside the business, it can increasingly also come from inside the organisation via a compromised employee email account. For example, a fraudster may hack into the account of an employee and search their emails for information on suppliers who are about to receive a payment. They could then use the compromised email account to ask finance colleagues to update the supplier’s bank account details in the company systems, providing assurances that the proper security checks had been undertaken.
What are the warning signs?
It is always worth looking out for anything unusual in email correspondence relating to bank detail changes. Any misspelled words or incorrect grammar should be regarded as suspicious, as should any unusual contact telephone numbers being listed, or email signatures that look low resolution or different from normal. If the email address differs (even slightly) from the usual company email format, this should be considered grounds for further investigation. It is worth remembering, though, that if the fraudster has compromised an employee’s email account and is targeting the company from within, the sending address won’t raise any red flags: it is a genuine email account, just under the control of a third party.
Ways to minimise your risk
- Verify all amendments to banking details with banks and suppliers before acting on them. Call an official, listed phone number from your supplier file (rather than one taken from any recently received document or email) and speak to a known contact at the organisation when confirming. Do not amend any payment details until you are entirely satisfied that the request is authentic.
- Establish greater email security by requiring multifactor authentication to log in to systems.
- Where possible request original, signed invoices for large payments.
- Confirm that the name of the account holder on the banking system corresponds with the bank account number that has been provided.
- Ensure that any sensitive documents that may contain banking details are shredded rather than thrown away.
- Make sure that staff and colleagues are aware of fraudulent schemes and receive regular training on how they can help minimise the risk to your business. With many going on annual leave at this time of year it can mean that staff are picking up requests to cover a colleague’s absence. However, if all staff are aware of the correct protocols, this doesn’t have to mean increased vulnerability.
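The warning signs above (a sender address that differs only slightly from the supplier’s usual domain) and the checks in this list (compare against the supplier file, confirm the account holder name) can be partly automated as a first-pass triage before a clerk makes the callback. The following is an added example written for this article, not code from Gateley; the supplier file, domains, callback numbers and the homoglyph table are constructed sample data.

```python
import difflib
import re

# Constructed supplier file: what the business holds on record, independent of any email.
SUPPLIER_FILE = {
    "Acme Supplies Ltd": {"domain": "acme-supplies.co.uk", "callback": "+44 20 7946 0000"},
    "Northwind Traders": {"domain": "northwind.com", "callback": "+44 20 7946 0001"},
}

# Character swaps commonly used to make a lookalike domain read like the real one (sample table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalise(domain: str) -> str:
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def classify_sender(address: str, expected_domain: str) -> str:
    """Compare the sender's domain with the domain held on the supplier file."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain == expected_domain.lower():
        return "known"
    sent, held = normalise(domain), normalise(expected_domain)
    same_label = sent.split(".")[0] == held.split(".")[0]  # same name under another TLD
    close = difflib.SequenceMatcher(None, sent, held).ratio() >= 0.85  # one-character edits
    return "lookalike" if same_label or close else "unknown"


def triage_change_request(supplier: str, sender: str, new_account_name: str) -> list[str]:
    """Flags a finance clerk must resolve by calling the number on file before amending details."""
    record = SUPPLIER_FILE.get(supplier)
    if record is None:
        return ["supplier-not-on-file"]
    flags = []
    verdict = classify_sender(sender, record["domain"])
    if verdict != "known":
        flags.append(f"sender-{verdict}")

    def squash(s: str) -> str:  # ignore case and spacing when comparing names
        return re.sub(r"\s+", " ", s).strip().casefold()

    if squash(new_account_name) != squash(supplier):
        flags.append("account-name-mismatch")
    # No flags is not proof of authenticity: a genuine but compromised account passes
    # every check here, so the callback to record["callback"] is still required.
    return flags
```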
By implementing these safeguards, companies can protect themselves against such fraudulent schemes. However, if you do become a victim of such fraud, it is important to inform the police as soon as you become aware of the scam. You may also want to discuss civil recovery/asset tracing with our expert team.
Gateley Plc is authorised and regulated by the SRA (Solicitors' Regulation Authority). Please visit the SRA website for details of the professional conduct rules which Gateley Legal must comply with.