Up to September 2020, there were 61 attempts at payment diversion fraud against the NHS. Nine of these were successful, resulting in a loss of £1.5m for the institution.
Payment diversion fraud often involves cybercriminals posing as trusted entities to take scheduled payments. Incidents have risen over the pandemic, as home working has made people more vulnerable to falling for it.
“As the pandemic coursed through the country and beyond, the opportunities for companies and people to be manipulated have been rife and played upon,” says Neil Williams, deputy head of complex crime at Reed Solicitors. “As we’ve been forced to stay away from others, so has our opportunity to question and query enquiries which have urgency at their heart. Uncertainties have been played upon, and well.”
So, with payment diversion fraud on the rise, what do companies need to know, and how can they avoid it?
Types of payment diversion fraud
There are a few types of payment diversion fraud, including mandate fraud and fraudulent bank communications.
Mandate fraud is when a fraudster contacts you, usually by email or phone, pretending to be a client. They may ask you to change their bank details or supply other information. Any payment made to this ‘client’ afterwards will go to the criminal’s bank account, and not to the actual client.
Criminals can also hack into the email of a client or supplier and send false payment instructions. This can seem more genuine to the victim.
Another version of this fraud is fraudulent bank communications, where the criminal claims to be a bank, for instance. They may get you to reveal account security details, enabling them to make a payment out of your account.
Omid Tissier, economic crime and ethics manager at ICAEW, says the increase in payment diversion fraud is a ‘worrying’ trend.
“Criminals will hack into the system of the supplier, or they will create a domain name that is very similar to the supplier. When you receive an email from them, you don’t notice that the email address is ever so slightly different,” says Tissier.
Accounts payable teams are often processing a lot of payments. In situations where those teams are working from home, individuals may not go through the same level of checks that they would in the office. “There’s a very good chance of getting caught out, and I think a lot of businesses have been caught this way.”
How can businesses avoid it?
To learn to dodge an attack, employees first need to know how criminals work and the techniques they often use in this kind of fraud.
“Training staff is important so that they’re aware of these types of fraud and scams and give emails more than one glance,” says Tissier. “There’s often a couple of signs that you can pick up on. The email address might not look the same as you expected or the way an email is written may be different to previous emails.”
Often, these messages will appear out of the blue. Suddenly a payment is urgent, a password is about to expire, or specific account details need verification. “That’s quite often the technique used when they’re pretending to be HMRC, saying you need to take action now. Otherwise, you’re going to get into trouble. They’re trying to pressure you and scare you.”
Businesses also need to have adequate checks in place to try to stop fraud when it is attempted. This could be a double-check system before any bank details are changed. Phone the supplier to make sure you have the correct details, or compare a previous invoice with a new one to make sure they match.
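As an added illustration (not part of the original article), the double-check described above and the near-identical sender domains Tissier describes can both be screened automatically before a payment is released. The supplier record, invoice fields, flag names and the 0.85 similarity threshold below are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed supplier master file: details already verified and held on record.
SUPPLIERS = {
    "Acme Supplies Ltd": {
        "domain": "acme-supplies.example",
        "sort_code": "12-34-56",
        "account": "12345678",
    },
}

def digits(value):
    """Keep digits only, so '12-34-56' and '123456' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())

def is_lookalike(domain, trusted, threshold=0.85):
    """True when a domain differs from the trusted one but is close enough to pass a glance."""
    if domain == trusted:
        return False
    return SequenceMatcher(None, domain, trusted).ratio() >= threshold

def review_invoice(invoice):
    """Return reasons to hold a payment; an empty list means nothing was flagged."""
    record = SUPPLIERS.get(invoice["supplier"])
    if record is None:
        return ["UNKNOWN_SUPPLIER"]
    flags = []
    domain = invoice["from"].rsplit("@", 1)[-1].strip().lower()
    if is_lookalike(domain, record["domain"]):
        flags.append("LOOKALIKE_DOMAIN")
    elif domain != record["domain"]:
        flags.append("UNEXPECTED_DOMAIN")
    # Checked even when the sender domain is genuine: a hacked supplier
    # mailbox sends false payment instructions from the real address.
    if (digits(invoice["sort_code"]), digits(invoice["account"])) != (
            digits(record["sort_code"]), digits(record["account"])):
        flags.append("BANK_DETAILS_CHANGED")
    return flags

# Constructed invoice: 'rn' stands in for 'm' in the sender domain, new account number.
suspicious = {"supplier": "Acme Supplies Ltd", "from": "accounts@acrne-supplies.example",
              "sort_code": "12-34-56", "account": "87654321"}

if __name__ == "__main__":
    for flag in review_invoice(suspicious):
        print("HOLD PAYMENT, phone the supplier on the number already on file:", flag)
```

A flag here only holds the payment; the phone call to the supplier is still what confirms or rejects the change.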
Williams adds that in a post-pandemic world, it’s even more crucial to be vigilant. “The critical advice now is question, question, question. As we have to work away from the office, we are more ready to accept that the person at the end of a phone is who they say they are, but while life has changed, procedures haven’t.
“Your bank will not be calling from a mobile and will not give a deadline for compliance with a request unless you’re genuinely late for payment. Therefore, if instinct suggests it’s not right, it probably isn’t.”
What to do if it happens to you
If it happens, stop any further payments immediately and follow your business’s fraud procedure. This could include reporting the incident, being alert for any suspicious or unusual activity and changing any passwords that might be compromised.
If you shared any bank account details, contact your bank to freeze the account or look for suspicious activity.
For more information, see the National Crime Agency’s PDF, which explains what you need to know about payment fraud and how to protect yourself.