How your business could be targeted, and what to look out for
All businesses can be the victim of a scam
This is where a customer contacts the company to order goods or services and payment will usually take the form of a cheque or draft.
Following payment, the customer gets in contact to reduce or cancel the order, or to advise that an error has been made, e.g. the purchase price has been added to the shipping cost, and requests an urgent refund.
The company, which is keen to build a strong relationship, processes the refund quickly and returns it using an electronic payment.
In due course, the original cheque or draft is returned unpaid because it’s fraudulent. The company who has refunded the amount ‘overpaid’ is therefore left out of pocket. Businesses should be careful:
Of a new customer making an unusually large order
When the payment method differs from what was previously discussed (for example, if payment is made by cheque when an electronic transfer had been expected)
If the buyer makes a payment above the asking price, regardless of the reason given, and demands that the overpayment is returned electronically
Of being put under pressure to release goods/funds without undertaking essential checks
Businesses should always ensure that a credit to their account cannot be returned before any goods or funds are released
A member of staff in your finance department receives an e-mail purporting to be from a senior member of staff within the organisation, requesting that they arrange an urgent payment outside of their normal procedure due to exceptional circumstances.
The e-mail appears to be genuine due to the address in the "From" box reflecting the genuine e-mail address for the senior member of staff. With the recipient believing the e-mail to be genuine, they arrange for the payment to be made through their preferred payment method for the credit of the fraudster's account, from where the money is usually quickly withdrawn.
There are two methods which the fraudster could use to facilitate this type of fraud attempt.
Using their knowledge of how e-mails are relayed over the internet through different servers, the fraudster is able to construct an e-mail which appears to have come from another source, whilst disguising the true originator. Hovering the cursor over the name in the "From" box will not reveal the true origination address in these cases, which makes the e-mail appear genuine.
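Because the "From" line is only text inside the message, a mail administrator can compare it with the headers the receiving server records instead. The Python sketch below is an added example, not part of the original guidance; the gateway name mx.example.com and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain(header_value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoofing_indicators(raw, trusted_authserv="mx.example.com"):
    """Return reasons not to trust the visible From address of a raw message."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    # Return-Path records the envelope sender; Reply-To is where answers go.
    for name in ("Return-Path", "Reply-To"):
        dom = domain(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    # Only believe Authentication-Results stamped by our own gateway: a sender
    # can insert a forged copy of this header under any other server name.
    verdict = "missing"
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        match = re.search(r"\bdmarc=(\w+)", results, re.I)
        if authserv.strip().lower() == trusted_authserv and match:
            verdict = match.group(1).lower()
            break
    # DMARC is the check tied to the From domain; SPF alone only vouches for
    # the envelope domain, which the sender chooses.
    if verdict != "pass":
        findings.append(f"dmarc {verdict}")
    return findings

# Constructed sample messages (all names and domains are made up).
SPOOFED = ("Return-Path: <bounce@mailer.example.org>\n"
           "Authentication-Results: mx.example.com; spf=pass "
           "smtp.mailfrom=mailer.example.org; dmarc=fail header.from=example.com\n"
           "From: Jane Director <jane.director@example.com>\n"
           "Reply-To: jane.director@example.net\n"
           "Subject: Urgent payment\n\nPlease pay today.\n")
GENUINE = ("Return-Path: <jane.director@example.com>\n"
           "Authentication-Results: mx.example.com; spf=pass "
           "smtp.mailfrom=example.com; dmarc=pass header.from=example.com\n"
           "From: Jane Director <jane.director@example.com>\n"
           "Subject: Q3 figures\n\nAttached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, spoofing_indicators(raw))
```

A Return-Path or Reply-To mismatch is an indicator rather than proof, since some legitimate bulk-mail services use their own bounce domain; the request should still be confirmed by telephone.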
Hacked E-mail Accounts
An alternative method for the fraudster is to hack into the victim's e-mail account directly and start issuing e-mails in the victim's name, including payment requests to banks or work colleagues. Customers that are more vulnerable to this type of attack are normally users of e-mail services such as Gmail, Hotmail, Yahoo, for example.
Businesses should have a specific documented internal process for the arrangement and authorisation of payments. Any requests outside of that procedure, especially if received by e-mail, should be regarded as suspicious. If this is the case, the person who appears to have sent the e-mail should be contacted verbally, using a known contact number from internal records, to confirm the request.
It is also recommended to strengthen passwords for access to e-mail accounts, to include a mixture of uppercase letters, numbers and special characters, e.g. $&, etc.
Ransomware is a form of malicious software that gives criminals the ability to lock a computer from a remote location - then display a pop-up window informing the owner that it will not be unlocked until a sum of money is paid. We recommend you follow these simple steps to avoid ransomware.
Never click on links or attachments in suspicious emails or text messages.
Only visit websites you know are trusted and safe.
Ensure you have effective and updated antivirus software and firewall running before you go online.
Regularly back up all your data, including to a USB-connected device stored remotely from your computer. This is because some ransomware can also infect your cloud-based storage.
Change of bank details scam
What is it?
Fraudsters may initially contact a company and ask for a contact name who they can send an invoice to. A request will be sent (this will appear in order and seemingly from a known supplier, contractor, etc) advising you that they have changed their bank account details used to receive regular payments. The fraudster has changed the account details to a bogus account which doesn’t belong to the person you think you are paying.
The details for the Company Secretary, Finance Director or other officials, including their signature, will appear correct. This information has likely been copied from the company’s Annual Report and/or web site.
How to fight against it:
Email addresses used by the fraudsters are very similar to those of the genuine suppliers, contractors and other third parties.
Undertake an independent check with the company who is asking for their bank details to be changed, using a known contact telephone number and not the one on the request. Also do this for any new payments to be set up.
Don’t publish your bank account details on the internet (the site may get cloned and genuine customers may end up sending money to a fraudster).
Ensure that information is not disclosed to third parties who are not entitled to receive it or who cannot be suitably verified.
Other common scams
Fraudsters will stop at nothing to try and scam you out of your money. Common techniques include Vishing, Phishing and Smishing. These can affect both businesses and personal customers and are covered in our central fraud guides.