Think you’re too smart for mandate fraud?
If you’re among the 57% of UK businesses who say they’re aware of mandate fraud (also known as invoice fraud) you may feel confident that it couldn’t happen to you. But before you put a tick in the box and move on, and for the benefit of the 43% of businesses that aren’t aware, consider this scenario.
You’re having some building improvements done and one of the people in your project team receives an email, seemingly from their contact at the construction company, with an attachment about a construction industry accreditation scheme.
A few days later the finance manager receives an email from the construction company reminding him that a payment will shortly be due and noting that the company’s bank details have changed. The manager sends an email to another contact at the construction company to query the change and receives confirmation that it is correct. He adjusts the accounting system, and the payment for this month and the next go through.
Six weeks later the construction company contacts the accounts team to ask why it hasn’t received its last two payments.
Mandate fraud occurs when someone is persuaded to change the details of an existing bank mandate so that invoice payments go to a criminal’s account instead of the intended creditor.
There’s also a variation called CEO fraud where a relatively junior member of staff receives an email from a director or equivalent demanding that they urgently transfer money to a certain bank account for a specific reason. The average amount lost in this way is £28,000, although when a financial controller at a global healthcare products company was persuaded, through several calls and emails with someone they believed was a senior director, to transfer money to accounts in Hong Kong, China and Tunisia, the total loss was £18.5 million.
Fraudsters have become very sophisticated in several different ways, and the supplier scenario above shows how easy it is to be taken in.
What happened in that example – based on a real-life situation – was that the innocuous attachment in the first email (with the address disguised to appear genuine) contained a Trojan virus which allowed the fraudster access to all email traffic. This enabled them to pick up details of the accounts personnel and also to hijack outgoing email.
So even when the finance manager tried to double-check the request, the query never reached the construction company because the fraudster was intercepting his messages.
One solution would have been for the finance manager to make a phone call to his contact. Indeed, this is one of the best ways to prevent fraud (as long as you use a number you know to be genuine rather than one picked up from an email involved in the exchange). It’s all too easy, though, for busy people to bypass this step: “Well, it was Friday afternoon and Andy’s never available on the phone then, and anyway I wanted a record in writing that I’d made the appropriate check.”
The answer is to put in place formal controls to govern behaviour whenever a request is made to change bank details or to transfer money to a new account. Controls which you should consider include:
- Confirm the sender’s email address is exactly as you would expect it to be.
- Validate any request through a separate means of communication, using contact details you know to be correct.
- Ensure dual authorisation is required for any change to payment details.
- Make an “open source” check on the bank’s sort code to see if its location makes sense with regard to the supplier’s address.
While it’s virtually impossible to prevent every possible fraud, the above steps, combined with maintaining up-to-date anti-malware software, should eliminate any mandate fraud that doesn’t involve collusion within the company.Talk to Barnes Roffe today