Over the last couple of years, cases of payment diversion fraud have been on the rise. In part due to the pandemic and increased remote working, organisations and individuals have become more susceptible to this type of fraud.
So, what do you need to know about payment diversion fraud and how you can you protect your company from this growing threat? Let’s take a look at the warning signs.
Types of payment diversion fraud
Payment diversion fraud can be classified in several ways but two of the most prominent types are mandate fraud and fraudulent bank communications.
Mandate fraud occurs when an individual contacts you (often by phone or email) and pretends to be a client requesting a change to their bank details. Once the change in bank details has been made, any payments made to the supposed client, are actually sent to the impersonator (criminals) bank account. The real client never receives the intended funds.
An increasingly common tactic taken by criminals, is to hack the email of a supplier/client and provide false payment instructions. This approach is even less detectable as they may create a domain name similar to the supplier, making it hard to spot the slightly different email address.
Fraudulent bank communications on the other hand involve the criminal impersonating bank staff with the intention of getting you to reveal account security details. Once they possess these details, they can easily extract money from your account.
In circumstances where the accounts team are processing numerous transactions, they may not always complete every check, at which point the likelihood of getting caught out in this way is increased.
Protect your Business from Payment Diversion Fraud
Gaining a good understanding of the techniques employed by criminals is the first step to protecting your company from this type of fraud.
Ensure that your employees have this knowledge, particularly those in roles on the front line of fraudulent activity. Staff should understand the importance or examining emails, such as checking the email address and considering whether the formatting or language appears different to usual or just ‘odd’.
The urgency of a request could also be a telling sign as often these requests appear unexpectedly. They may ask for an urgent payment, suggest that a password is due to expire imminently or that account details require verification. With regards to impersonating HMRC, criminals often claim that you need to act immediately to avoid a fine. This approach puts pressure on the recipient and hopes to scare them into providing the information requested.
A business could benefit also from increasing the security checks they have in place when it comes to dealing with account and transaction changes. For example, if a change to bank details is requested, the supplier in question could be called directly to ensure that the correct details have been received. Making a comparison to the bank details on a previous invoice is another practical way to ensure that details have not been tampered with in the email transmission process.
Sometimes just intuition is enough to ward off a payment diversion attempt. If something seems ‘off’ then it probably is. Take the time to double check and question any requests. It’s easier to take additional time to prevent fraudulent activity than to deal with the aftermath of it if funds are taken illegally.
What to do if you are targeted by Payment Diversion Fraud
If, despite all best efforts, the worst does happen and a payment is taken, you should report the fraudulent activity to your bank asap so that any suspicious activity is monitored, and further payments are prevented.
You should also report the incident to Action Fraud, the UK’s national reporting centre for fraud and cyber-crime, as this helps protect other would-be victims. Finally, be alert to any details such as passwords that may now be compromised and if at all unsure, change these details, and set-up two-factor authentication.
For more information on how to protect yourself and your business from Payment Diversion Fraud, visit the Action Fraud website.
