The fraud involves a company being contacted by a purported supplier, who informs it that the supplier’s bank account details have changed. New bank account details are provided and the company then makes payments to this “new” bank account. It is only when the supplier starts chasing for payment of outstanding invoices that the company realises that it has been making payments to a fraudster. The fact that a public body has now been targeted indicates that the fraud is moving beyond what, up until now, have been corporate victims.
Although the overall technique is similar, the fraudsters use a variety of methods to communicate the change of bank details to the victims and persuade them that they are legitimate. Real examples have included:
- The use of an e-mailed letter that purported to be from a Director of the supplier and in which the “new” bank account details are given.
- Advising the victim of changes to other minor details initially by telephone, thereby building a rapport with the victim’s staff (normally one individual), before advising of the change of bank details.
So why is this type of fraud so successful and therefore dangerous? It is common in these circumstances for the fraudster to give the impression of having knowledge of the victim’s operations that is, on the face of it, confidential, and this lends an appearance of legitimacy. In today’s information age, however, there is a considerable amount of information available in the public domain, for example, company websites listing major customers. The key reason that these frauds are successful, though, is usually a fundamental lack of basic internal controls, or a failure to observe them. Until such checks and balances are put in place and actively followed, this worryingly prevalent crime will continue to be successfully perpetrated.
So how can you prevent yourself or your organisation from becoming a victim? The key is to have robust internal controls and to review them to ensure that:
- Access and authority levels to change standing data are limited, particularly in relation to cash outflows from the business.
- Senior personnel authority is required to change data, and reports of any changes made are provided to senior management on a regular and timely basis.
- Checks are undertaken to verify that instructions to make payments to different bank accounts are bona fide.
- There is sufficient segregation of duties to reduce the risk of one individual having access to all information to effect such a fraud.
However, none of these controls is effective unless implemented and enforced. For those who find this advice has come too late, the key to mitigating the damage from such a scam is to take professional advice and act as quickly as possible.