The fastest growing fraud risk for businesses is remote attack through insecure email accounts and web-based accounting systems. Fraudsters have discovered how to infiltrate or manipulate these online systems in order to intercept key data and cause the transfer of sums of money directly into third-party bank accounts.
Gavin Cunningham, partner and forensic specialist at accountancy firm, Menzies LLP.
These so-called ’phishing’ frauds involve the use of ‘bait’, which is usually contained in a circular and false email that an unsuspecting person might open and respond to. This email may contain a malicious link by which information can be extracted from the company’s systems, or a response given to the fraudster might give away key information, which could include a director’s email address and signature details.
Prior to the explosion in internet banking and email communication over the last decade, traditional methods of targeting fraud against businesses relied heavily upon personal contact and direct communication. However, the move to remote banking and reliance on the electronic word has opened up massive opportunities for organised and dedicated fraud gangs. There are many methods they use but the most dangerous is ‘spear phishing.’
This occurs when a fraudster obtains real details about a target business and uses it specifically to request transfer of funds using apparently genuine credentials that impersonate a known third party. The largest online frauds are perpetrated using this method. For example, a supplier’s email account is compromised and the fraudster changes just a couple of details on an email address in order to request that a payment due is made to a new false bank account that the fraudster has set up.
This type of extraction fraud has always been about, typically using an insider at the business who is responsible for setting up false purchase orders or supplier accounts that require payment. However, the fraudster’s ability to access confidential online information about a business means they can now obtain supplier details without the need to know anyone inside the business.
Currently fraudsters have tended to target businesses and processes where large sums of money are likely to circulate regularly, such as law firms settling property transactions, or businesses with month-end payment runs, or even banks. Email addresses are changed by just one character and customer or supplier invoices that look identical to the real thing are sent out with false bank account information. The instantaneous nature of electronic bank transfers means once the electronic payment is sent it is then bounced immediately to the fraudster and there is no chance of recall. In practice it might take days before the mistake is even spotted.
Content from our partners
What can you do?
Vigilance is essential and a few sensible measures should always be followed:
Set up intelligent alerts – It is possible to put in place alerts that notify relevant managers if any third party bank account changes are made. However, it is important to remember that there is no point in emailing for confirmation as the manager is unwittingly likely to be communicating with the fraudster.
Monitor email changes – keep a look out for any changes to the email addresses of your intended payees. If they have changed recently, think twice before authorising any payment.
Examine any unexpected or suspicious emails– if the address doesn’t match up with that of the purported sender, or the contents seem wrong, then check it out before opening the communication and never forward it on – you could be making the problem worse.
Staying vigilant to fraud at home and at work is increasingly important for everyone. As fraudsters become more and more sophisticated in terms of their approach, business managers understand that it is becoming harder to spot phishing attacks. To stay protected, it is important to establish where any risks lie and put in place bespoke systems that will help to spot any irregularities.
