Most people tend to think that financial fraud involves meticulously planned and highly sophisticated attacks on corporate infrastructures. In many cases, they’d be right. However, these same people tend to view fraud through the eyes of the cinema-goer. They believe in the romantic notion of financial theft popularised by the likes of Leonardo DiCaprio in films such as ‘Catch Me If You Can’.
The reality is far different. Fraud always leaves behind a victim, whether it’s the taxpayer (because a public institution has lost money), or an individual, when private companies fall victim to a con.
And it’s not a sporadic phenomenon. Over the past few months KPMG’s forensic team has examined 11 new cases and become aware of at least 13 more where businesses and public sector bodies are becoming the victims of a new – and very simple – scam. Of the various instances identified, some have been in the retail industry, but telecoms suppliers, manufacturers, providers of leisure services and public sector organisations are amongst the victims, too.
The fraud works like this: a company receives an official-looking letter on company letterhead advising of a change in banking arrangements for one of its suppliers. It states that all future payments should be settled to a new bank account and those details are shown in the letter. The hope is that the organisation updates its files so that subsequent payments are made to this account.
The problem is that many organisations amend a supplier’s details and do not realise there is a problem until they are chased for payment by their supplier.
A number of well-known organisations have been tricked in this way and the amounts involved are significant: cases seen by KPMG’s forensic team range in value from just over £30,000 in a single transaction to a total of £5m.
The cases coming to light usually involve large payments (the average fraud is £1m), so it seems that fraudsters are pretty confident of the flaws in organisational checks. But there are actions you can take to make the fraudster’s life harder.
It seems, from KPMG’s analysis, that many fraudsters assume a lack of knowledge. Also, staff's willingness to appear professional and helpful makes it easier to obtain information. Perhaps management teams need to spend more time educating staff about the ‘red flags’ they should look out for. Think, for example, about simple checks such as asking for a name or a phone number so that requests can be verified. Or what about having a password between supplier and buyer which is not in the public domain, so that requests can be identified as genuine?
The scam, known as ‘Payment Diversion Fraud’, often works because fraudsters take the time to build trust with their victim, before making their move. Sometimes it can be as simple as making calls at ‘month-end’ so that instructions to change payment details come across as timely and helpful. We are all time-poor, but that should be no excuse for a casual approach to business. You wouldn’t share your private bank account details with a casual acquaintance, so why risk it for your employer?
Of course, relying on individual vigilance is not a strong enough safeguard. Organisations need to develop a culture where corroboration comes before action, no matter where a request is made within a business. Rather than focusing on ‘following a process’ employees should be told to find out who they are speaking to on the phone. They should also keep logs of callers and requests so these can be referred to when colleagues take calls. In other words, creating a call history creates a pattern, making it easier to spot anomalies.
It’s also important to stop employees from volunteering private information to callers. People like to talk and want to appear helpful, but it’s not always the right thing to do. To adapt a well-known phrase, too much talk may not cost lives, but it can certainly cost money.
Externally facing staff must also be encouraged to confirm who is making the request to change bank account details. Is it the usual contact? Is the email address or phone number different?
And what about the supplier? A quick look at the history of your relationship with them should identify other changes or requests. If one has been made recently, another is unlikely. If none have been made, why is there suddenly a change? The difficulty is that fraudsters are constantly mutating their modus operandi to override any controls that are put into place, making this a constant game of cat and mouse.