You work in a busy finance department of a fast-growing company. You receive an email from your CEO, asking you to make a large payment from the business bank account – and to do it ASAP. It’s for an important, time-sensitive deal. You quickly scan the message, one of many filling up your inbox. Perhaps you don’t notice that the email address isn’t quite right. The chief is getting impatient and sends you a chasing email soon after, piling on the pressure. It’s urgent – have you made the payment yet? You don’t have time to really think through the details. Nor does it cross your mind that you might be the target of an old, but still common scam. And since it comes from the top, you just get it done.
Disaster. Your actions mean your company has been defrauded out of many thousands of pounds by clever criminals, who own the account you just paid into. They only needed to search online to estimate the size of payment your business might normally make; you were easy enough to find, and they were smart enough to impersonate your boss – perhaps even using social media to see that the real person is actually on holiday.
Such ‘CEO spoofing’ is among the techniques fraudsters are using to take millions of pounds from businesses. According to UK Finance, a trade association whose members include the banks, financial fraud losses totalled a whopping £968 million in 2017 – with another £1.46 billion in fraud prevented.
Yet seven out of 10 businesses aren’t doing enough to protect themselves, putting them at risk of a financial scam or fraud, according to research from Take Five, a joint initiative from the finance industry and government. The same research found a quarter of businesses had fallen victim to a scam since 2014.
Young business owners are particularly at risk from fraud, according to Chris Moses, senior operations manager at security provider Blackstone Consultancy. He points to research from Accura showing that entrepreneurs aged 18-35 are most vulnerable to fraud attacks, with 35% of them admitting to having been a victim of fraud. He says: “This may not be surprising when more than a third of millennial business owners admit that their accounts team doesn’t have a process in place to double check account details when invoices are received.”
The key to prevention is awareness, as banking fraud is often quite simple, and depends on impersonation. Common tactics criminals are using against businesses include:
- CEO spoofing: as in the hypothetical example above, fraudsters pose as the CEO or another senior member of staff. They send an email to an employee in the company’s finance department requesting that an urgent payment be made outside of normal procedures, often giving a pressing reason such as the need to secure an important contract.
Top tip: always check any unusual payment requests to confirm the instruction is genuine. And keep an eye out for emails written in a different style to usual.
- Invoice fraud: criminals pose as regular suppliers to the company and ask for the bank account details on file to be changed to a fraudster’s account. Action Fraud, which is run by the City of London Police, estimates that as many as 675,000 businesses have fallen victim to a fake invoice fraud at some point in their trading history.
Top tip: if a supplier contacts you to make a formal request for bank account details to be changed, always verify with that supplier using their on-file details.
- Mandate fraud: criminals convince firms to change a direct debit, standing order or bank transfer mandate by pretending to be an organisation the business makes regular payments to, for example a subscription or membership organisation or supplier.
Top tip: don’t leave financial information like bills lying around. Always verify changes to financial arrangements with the organisation using their on-file details. And check your bank statements carefully and report anything suspicious.
- Phishing emails or vishing telephone calls: these two types of identity theft are intended to trick you into disclosing your password and details on fake banking websites, or to bogus callers.
Top tip: don’t assume anyone who has called or sent you an email or text message is who they say they are. Remember, real banks never email you for passwords, and if you get a call from someone who claims to be from your bank, don’t give away any personal details.
- Fraud or identity theft caused by viruses or spyware: criminals use these different types of malware to access your bank account and other personal information stored on your computer.
Top tip: keep your internet security software up to date – it is not effective if switched off or not updated.
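The "email address isn’t quite right" signal in CEO spoofing can be checked mechanically. The following is an added example, not part of the original article: it flags payment requests whose sender uses an executive’s display name on an external address, a near-miss lookalike of the company domain, or urgency wording. The company domain, executive name, keyword list and sample messages are constructed assumptions.

```python
from email.utils import parseaddr

# Assumptions for illustration: company domain, executive names, keyword list.
COMPANY_DOMAIN = "example-corp.co.uk"
EXECUTIVES = {"jane smith"}
URGENCY_WORDS = ("urgent", "asap", "immediately", "today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_payment_email(from_header: str, subject: str, body: str) -> list[str]:
    """Return reasons to verify this request out of band before paying."""
    reasons = []
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    internal = domain == COMPANY_DOMAIN
    if not internal and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain: {domain}")
    if not internal and display_name.strip().lower() in EXECUTIVES:
        reasons.append("executive display name on external address")
    text = f"{subject} {body}".lower()
    if not internal and any(w in text for w in URGENCY_WORDS):
        reasons.append("urgency language from external sender")
    return reasons


# Constructed sample messages (not real emails).
SAMPLES = [
    ("Jane Smith <jane.smith@example-corp.co.uk>", "Q3 figures", "See attached."),
    ("Jane Smith <jane.smith@examp1e-corp.co.uk>", "Payment needed ASAP",
     "Please transfer today, it is urgent."),
    ("Jane Smith <jsmith.ceo@freemail.example>", "Quick favour",
     "Wire the deposit immediately."),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLES:
        print(sender, "->", review_payment_email(sender, subject, body) or "no flags")
```

The check reads only the From header, so a message that passes it can still come from a compromised or forged internal address; confirming unusual payment requests through a known contact route remains the control.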
Tip of the iceberg: £113 million theft
One of the biggest cases of business banking fraud in recent years, revealed by the Met Police in 2016, highlights the extent of the problem.
The force’s investigators identified a sophisticated criminal gang that had targeted thousands of Lloyds and RBS business banking customers. The gang had been cold-calling them, pretending to be from their bank’s fraud department. They then duped the customers into revealing online account information, using the details to access accounts and steal £113 million from over 750 victims.
Several businesses nearly went bankrupt as a result, says the Met, whose investigation led to nine fraudsters being jailed for over 27 years.
It advises businesses never to give out private information such as passwords, parts of passwords, PINs, card reader numbers, memorable information or other personal details, and reminds them that if a bank believes an account is being compromised, it will act to prevent this without asking for the company’s assistance.
Simple steps for banking security
Simple steps can help in businesses’ battle against fraud. Ryan Wilk, vice president at NuData Security, a Mastercard company, says: “The same steps that individuals should take with their personal online accounts, should also be taken with their online business accounts.”
Ryan suggests the following tips to protect your business bank account from fraud:
- Check the company’s social media accounts to ensure that your company’s private information is not revealed.
- Activate alerts with credit bureaus, the bank, and all corporate credit cards tied to your business. Most banks and credit card companies offer security alerts as a free service. While the processes differ between various credit bureaus and entities, the goal is the same: immediate alerting of any suspicious activity.
- When you access the business online banking account, make sure it’s the right address. Spend those two extra seconds checking the address and that it has the padlock on the left. It should also say HTTPS, which means a more secure website ensuring your data is submitted via encrypted pages.
- Do all business from a trusted and secured network; never access the bank account through public Wi-Fi networks.
- Monitor your company’s bank statements regularly and be on the lookout for any anomalies.
- If there is a problem logging into the business banking account, call the financial institution immediately.
- Consider purchasing credit and identity protection services that can continuously monitor corporate accounts.
- Be suspicious of any email or phone communication from your bank that asks you to reveal information through a link or over the phone, especially if they express some sort of urgency.
If the worst happens, and your business becomes a victim of fraud, then report it to the police by visiting www.actionfraud.police.uk. And, crucially, share your experiences with your colleagues, to ensure they don’t fall for the same trick.