Protecting your business

Threat to organisations


Your business can be just as vulnerable to fraud as you are and the threat to organisations, big and small, is ever-present. Here we highlight how fraud targeted at your business and employees works, and how to protect yourself against it.

How they work

Invoice redirection fraud

The fraudster may hack into a seemingly genuine email chain and supply replacement, fraudulent bank details for a genuine payment that is due to be made. Either the genuine invoice is replaced with one containing fraudulent bank details, or the victim receives an email asking for the payment to be sent to a new bank account. The intended outcome is the same: the payment is sent to the fraudster’s account. The fraud is often not spotted until a few days later when checks are made, or when the true recipient chases up a ‘missing’ payment.

CEO Fraud

CEO Fraud happens when a member of staff receives an email that appears to have come from an owner, director or senior colleague requesting that a payment be made. These email requests are sent by a fraudster who has hacked into or imitated the person’s email account. The member of staff takes the email at face value and makes the payment to an account that the fraudster controls. These emails will often be sent to more junior members of staff, who may be less likely to check the request with a more senior colleague. It’s likely that the content will also stress the need for urgency and/or the confidentiality of any payments.

Banking fraud

This is where criminals get hold of a business’s bank account details and make unauthorised money transfers. They may text, email or call you, posing as your bank, to warn you about ‘suspicious activity’ on your account. They ask you to respond to the message with some account or security details to verify your identity. This will then give them access to your bank account.

Hacked IT systems

Entire company-wide IT systems can be hacked simply by an employee clicking on a link in a scam email. Your company’s IT security is then compromised, and malware will monitor sensitive information and personal details so that the criminal can eventually undertake fraudulent activity. For example, emails from your finance department could be intercepted and the criminal’s bank details inserted, so your customers end up paying them and not you.

Protect your business and colleagues

  • Keep commercial information safe by encrypting emails
  • Validate any bank account details personally with the genuine recipient for payment requests that are new to your business, or where bank details have changed
  • Use dual authority internet banking mandates to introduce a second line of checks 
  • Where a request has come via email, it’s useful to validate the information on a call, using the known contact details rather than those provided in the email 
  • Avoid sole authority mandates for online banking. If more than one person is involved you increase the chances of something unusual being detected. 
  • Check that internet banking authorities for staff are set at appropriate levels 
  • Maintain up-to-date anti-virus software and firewalls
  • Consider including a director or senior partner in your online banking payment process to improve your chances of identifying a suspicious payment. 
  • Educate your staff and have clear internal procedures within your business to specify how payment instructions are carried out 
  • Make sure staff training about online safety is up to date