When the head of a company issues an order, most people comply without asking questions. Our deference to authority is at the core of a new form of scam, which uses ‘fake directors’ to steal huge sums of money from companies. Small firms need to be especially vigilant against this form of crime.
March 31, 2016
How common is it and how does it happen?
According to a KPMG investigation quite often. The scam revolves around fraudsters posing as employees of an organisation’s supplier and providing false instructions asking for bank account details to be changed. KPMG’s investigations reveal that the technique is so convincing that organisations, who are unaware of fraudsters’ methods, can fall for it repeatedly. One case for example, saw a firm hit by 3 separate attacks.
The cases range in value from just over £30,000 lost by one business in a single transaction to a total of £5 million extracted from another. It also appears that there is little discrimination in the type of organisation being targeted. Of the various instances identified, the retail industry, telecoms suppliers, manufacturers, providers of leisure services and public sector organisations are amongst the victims.
At Square Mile Broking we have seen our own clients suffer from this type of fraud. Also, It is likely that the true sum of money lost to fake director fraud is much higher than the reported figures; many companies do not report the theft, reluctant to admit the vulnerability of their systems.
How do the scammers know?
The threat to small firms from high-tech attacks such as malware, ransomware and viruses is better recognised than the low-tech threat from director fraud. Criminals can glean a lot of information from publicly available company information, news, websites and social media platforms such as LinkedIn.
Fraudsters combine knowledge about the company with convincing impressions of senior figures and heap on the pressure to complete the transaction quickly. The use of psychological pressure to obey authority is a central part of the scam.
How to prevent it
Educate your staff that this type of fraud is currently active in the market
- Respect standard working procedures and explain this to the person making the request
- Verify the legitimacy of the request by calling back the person using the contact information stored in your systems and not the one given during the call or within the email
- Be vigilant to any urgent or confidential request outside of the standard working procedure
- Be aware of any unusual bank transfer request such as high amounts to an unknown or foreign account or to a country where the company has no market relations
- Follow your intuition: if you have any doubt, it is better to take time and check
- Do not complete the request until it has been identified as valid
Have the right payment controls in place
- Use double signature/authorisation as an internal process Double signature is preferable for any payment, or at least for payments above a certain amount.
- Ideally those having the authority to sign off payments will be divided into 2 groups, for instance ‘A’ (the necessary authority to commit the company) and ‘B’ (according to their function, and thus their capacity to validate a payment). The A+B combination ensures that all payments are duly cleared (A) and justified (B). Other combinations (A+A, B+B) should not be accepted.
- The payment authority should be confirmed with your banks who in turn must be asked to report, or even stop, any unusual transfer transaction (amount, beneficiaries, purpose, etc.).
If you would like an assessment of your firm’s cyber risks please contact: 0330 024 2980 or Request a call back here