Fraud is big business in the UK.
A massive £824 million was stolen through unauthorised financial frauds last year. That’s according to the Fraud: The Facts 2020 report from banking trade body UK Finance, and while that’s down by 2% on the year before, it’s still an awful lot of money.
Within this, authorised push payment (APP) scams make up a huge proportion of business fraud losing businesses over £455 million a year and it’s these APP scams that have been particularly effective when targeted at businesses.
Adam Philpott, EMEA President at security software giant McAfee, said that cybercriminals are being innovative in finding new ways to scam victims, and that it is “therefore vital that businesses are aware of the potential risks and feel empowered about ways to overcome them”.
So how do these scams work? And what can business leaders do to improve their defences against such schemes?
The different types of APP scam
An APP scam is where a fraudster convinces you to authorise a payment into their account, but it can take many forms. For businesses, there are a few common types of APP scam to be aware of.
Invoice and mandate scams
In terms of the money lost, the biggest are invoice and mandate scams, which according to the UK Finance report amounted to £82.4 million for business victims. On average, the payment made to the scammer came to £16,209.
This is where a scammer intervenes in dialogue between the victim and the person they legitimately want to pay, redirecting the payment to an account they control.
It tends to be the result of the scammer intercepting emails or compromising an email account, so that they can then pose as a supplier or tradesperson, like a builder or conveyancing solicitor.
They then issue a fake invoice for the goods or service supplied, calling for payment into an account managed by the scammer.
There are a number of steps outlined by UK Finance which business managers can follow to protect their firms from invoice and mandate scams:
- Confirm any bank details directly with the genuine business in person or over the telephone before any payment is made.
- If you receive communication around a change in payment details, then do not use the contact details in the email to confirm them ‒ instead check the company’s official documentation or website.
- When making a payment to an account for a first time, only transfer a small amount first. Then check with the company, using known contact details that you trust, to check the payment has been received in order to increase your confidence that the account details are correct.
As the name suggests, this is a form of fraud where the scammer poses as the boss or another high ranking official within the business. They then attempt to convince the victim to make a payment into the scammer’s bank account as a matter or urgency.
In order to carry out the scam, the fraudster will either find a way to hack into the CEO’s email address, or else use spoofing software to email members of the finance team from a convincing looking account.
This form of scam led to businesses losing £16.5 million in 2019 according to UK Finance.
So how can businesses protect themselves?
- Check any unusual payment requests directly ‒ speak to the person asking you to make the payment in person or by phone to confirm the instruction is genuine. Do not use the contact details in the email or letter sent asking you to make the payment.
- Ensure the business establishes a properly documented internal process for requesting and authorising all payments. Be suspicious of any requests for payments that are made outside of this process.
- Any email or letter which requests an urgent transfer should be treated with suspicion.
Finally, there are impersonation frauds. Precisely who the scammer poses as can vary significantly, from the police or the bank to energy suppliers and government departments.
When the scammer pretends to be the police or a bank, they will warn the victim that an account has been compromised and urge them to move money into a different one, which the scammer controls.
With other impersonation scams, the victim is talked into handing over money to pay a fictitious fine, overdue tax or return an erroneous refund.
It can prove effective too, with all impersonation scams leading to losses of £24.7 million by businesses last year.
To protect your business from these scams, you should:
- Remember banks and the police will never ask you to transfer money to a safe account
- Never give remote access to your computer to anyone as the result of a cold call or unsolicited message
- If you are suspicious about the person contacting you, hang up and then contact the organisation directly to check if it was genuine.
Don’t let your guard down
Philpott cautioned that the current shift to remote working may put businesses at greater risk, with staff letting their guard down.
He explained “Businesses may now be accessing banking services from home devices which may not be as securely configured as those available in the office, posing further risk of fraud via remote access.”
Adam Philpott, EMEA President, McAfee
Katy Worobec, managing director of economic crime at UK Finance, agreed that with so many businesses closed or working remotely, it has never been more important for businesses to check all payment requests or bank details are genuine before processing them.
She continued: “We would urge businesses to always follow the advice of the Take Five to Stop Fraud business toolkit on how to stay safe from scams, and remember that criminals are experts at impersonating people, organisations and the police.”
Equals is here to help simplify the way businesses spend, send and manage their money.
For more on international payments, check out Equals FX – our expert payments service that takes the hassle out of sending money overseas. If you’re more interested in taking control of your business expenses, see Equals Spend – our spend management tool.