Why should businesses be concerned?
Fraudsters are turning to more sophisticated methods of scamming people and businesses out of money, with businesses increasingly a target. A common tactic is to send spoof emails that impersonate a senior member of staff and try to deceive employees into transferring money. The email usually requests that an urgent payment be made outside of normal procedures, often giving a pressing reason such as the need to secure an important contract.
Criminals can also pose as regular suppliers to the company or organisation and make a formal request for bank account details to be changed. This is known as invoice fraud, and fraudsters may trick a company into changing its bank account payee details for a sizeable payment.
Criminals who specialise in invoice fraud are often aware of the full details of the relationship between companies and suppliers – they know when regular payments are due and, equipped with sophisticated information, they make contact with finance teams within companies and pose convincingly as suppliers.
Similarly, through mandate fraud, criminals convince firms to change a direct debit, standing order or bank transfer mandate by pretending to be an organisation the business makes regular payments to, for example a subscription or membership organisation or supplier.
CEO spoofing is when you get an email apparently from your company’s CEO, or some other senior member of staff, asking you to make an urgent payment outside of normal procedures. Sometimes the criminal manages to gain access to a company’s email system, but it’s also easy for a fraudster to manipulate the characteristics of an email, including the sender’s address, so that it looks genuine. When you transfer the money as requested, it goes straight to an account controlled by a criminal.
Four ways to stay safe from CEO spoofing:
- Always check any unusual payment requests directly, ideally in person or by telephone, to confirm the instruction is genuine. Do not use contact details from an email or letter.
- Establish documented internal processes for requesting and authorising all payments and be suspicious of any request to make a payment outside of the company’s standard process.
- Be cautious about any unexpected emails or letters which request urgent bank transfers, even if the message appears to have originated from someone from your own organisation.
- Contact your bank straight away if you think you may have fallen victim to CEO fraud.
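The sender-address manipulation described above leaves traces in the message headers that a mail gateway or triage script can check. The following is an added example, not part of the original guidance; the domain example.test, the executive name, the keyword lists and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

URGENT = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)
PAYMENT = re.compile(r"\b(payment|transfer|bank details|invoice)\b", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw, org_domain, executives):
    """Return reasons a message deserves out-of-band verification."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    reasons = []
    # Display name claims a senior staff member, but the address is external.
    if name.lower() in executives and domain(addr) != org_domain:
        reasons.append("executive display name on external address")
    # Replies would go to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain(reply) != domain(addr):
        reasons.append("Reply-To domain differs from From domain")
    # Only trust Authentication-Results stamped by your own mail gateway.
    auth = str(msg.get("Authentication-Results", ""))
    for check, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result.lower() != "pass":
            reasons.append(f"{check} result is {result}")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}"
    if URGENT.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment request")
    return reasons

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Jane Smith" <jane.smith@examp1e-corp.test>
Reply-To: ceo.office@mailbox.test
Subject: Urgent payment needed today
Authentication-Results: mx.example.test; spf=pass; dkim=none; dmarc=fail

Please transfer 48,000 to the account below to secure the contract.
"""
GENUINE = """\
From: "Jane Smith" <jane.smith@example.test>
Subject: Board meeting agenda
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass

Agenda attached for Thursday.
"""
```

These checks catch forged or look-alike senders only; a request sent from a genuinely compromised mailbox passes all of them, which is why the telephone or in-person confirmation above still applies.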
Invoice fraud takes place when a criminal contacts your company posing as a genuine supplier and asks you to change the bank details you use to pay them. It’s not hard for criminals to investigate a business’s invoice details, even down to payment dates, to make their approach look more convincing. If you change the payment details stored on your system, the next time you pay an invoice to the genuine supplier, the money actually goes to an account controlled by the criminal.
Four tips to avoid invoice fraud:
- Always confirm any bank account details directly with the company either on the telephone or in person before you make a payment or transfer any money.
- Criminals can access or alter emails to make them look genuine. Do not use the contact details in an email; instead, check the company’s official website or documentation.
- If you are making a payment to an account for the first time, transfer a small sum first, then confirm with the company, using known contact details, that the payment has been received. This verifies that the account details are correct.
- Contact your bank straight away if you think you may have fallen victim to an invoice or mandate scam.