Many of us may think that fraud or scams tend to be almost the stuff of legend: the emergence of a long-lost relative on the other side of the world asking for donations, or the bank clerk in Burkina Faso who has millions of dollars to share. While such attempts may make great conversation around the dinner table, the question we might jokingly ask one another is; do we really know anyone who has fallen for these scams?
Seemingly unsophisticated phishing scams like those mentioned above have now evolved, however, to a much more dangerous level of highly sophisticated fraud. This includes fraud where businesses, both small and large, are duped into paying money to a fraudster rather than a legitimate supplier or approved destination.
This type of payments-related fraud usually takes three main forms – invoice redirection, CEO and mandate fraud. While the style of the fraud differs slightly, such as the fraudsters impersonating senior executives (CEO fraud) or a seemingly legitimate email from a supplier (invoice redirection fraud), the results are the same and can be devastating for small businesses. Once an incidence of payments fraud has occurred and the money has been processed, the funds are quickly laundered through the banking system, making it difficult to trace. Stolen funds are rarely recovered, leaving financial institutions and their customers, UK businesses, to bear the cost.
Businesses are being duped
The reality is that companies are being duped out of significant amounts of money – and a lot of the time, they didn’t see it coming. The City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that over £32 million has been reported to be lost as a result of CEO fraud alone. Organisations in both the UK and the US have experienced losses of thousands to millions of dollars/pounds, such as tech group Ubiquiti Networks which was swindled out of $47 million, and a company in Atlanta that was scammed out of $1.8 million. In the UK, a property sector company was duped out of £102,000 by a supposed supplier email advising them of a change of bank details. The money was sent to the new account but a week later the genuine supplier called to ask for their money, which is when the fraud finally came to light.
Unfortunately, these are not isolated incidents. A new report shows that many small businesses remain in the dark about this threat; a staggering 31 per cent don’t know what payments fraud is or understand the potential impact on their business. Even more alarmingly, 57 per cent of SME owners and 56 per cent of board members stated that they didn’t believe invoice redirection, mandate and CEO fraud were a genuine risk to the business.
The Small Business Fraud Report from Vocalink Analytics also showed that 49 per cent of UK SMEs seem unaware that payments fraud can have a catastrophic impact on their business, instead believing that losing clients or staff members is a bigger risk. This is despite Action Fraud figures that show that fraud affects one in four small businesses annually, and in one year, fraud losses to SMEs were estimated at £18.9 billion.
As you would expect, those who have fallen victim to payments fraud are understandably more aware of its impact. The research found that 71 per cent of small business owners that have been victims of payments-related fraud, believe that it is now the biggest risk to their business. Some 71 per cent of these business owners also worry that it will be an even bigger issue for them in 2018.
No measures are in place to counter the issue
Surprisingly, although 74 per cent of small business fraud victims have made changes to their business to prevent payments fraud, 54 per cent still haven’t implemented a specific policy to double check invoice details – possibly the most vulnerable part of any business in light of the style of CEO, invoice redirection and mandate fraud.
As a small business, what can you do? Vocalink Analytics offers the following advice for business owners and operators:
- Be vigilant – make business fraud the business of everyone not just the accounting teams. Train client-handling or account-facing teams about the risks, implications and how to identify the signs.
- Authenticate – verify any requests from the MD, CEO or board through a tiered system where emails and telephone conversations that request the movement of money are verified by a second contact.
- Introduce checks – instigate checking of communications amongst finance and account-handling teams such as email addresses, use of English, and written mistakes in the email. Encourage a system whereby suspect emails are checked by a second team member.
- Protect – anti-virus software must be kept up to date, and computer systems must be secure. This is not an additional cost but an essential part of day-to-day business practice.
- Be alert – watch out for suppliers or clients that insist on paying by cheque or via a bespoke payment system that may appear unusual. Ensure they are verified before agreeing to any business transaction.
The good news is that the industry is acting fast to fight back. Financial Fraud Action is spearheading an integrated approach alongside financial institutions, regulators, government and
specialists to identify fraud and bring criminals to justice. State-of-the-art technology is gaining the upper hand and companies such as Vocalink Analytics, through our Corporate Fraud Insights solution, have already foiled fraudulent attacks in both private and public sector organisations across the UK. Importantly, these data-analytics solutions continue to leverage cutting edge analytical models to identify new types of payments fraud as they occur, helping to identify and prevent potential future attacks.
For business owners and managers, the first step should be to review current procedures and put in place the cost-effective advice offered by Vocalink Analytics. By tightening up processes, businesses and the authorities can work in tandem to prevent what is becoming a very real and potentially devastating threat to the UK small business community.
Gary Kearns is executive vice president, Vocalink Analytics, Mastercard.
Further reading on small business fraud
