UK SMEs exposed to a higher risk of mandate fraud due to COVID-1

The major shift to remote working in the UK due to the COVID-19 pandemic is significantly increasing the risk of mandate fraud for businesses. In today’s blog, we look into some of the most common types of mandate fraud and best practices to prevent them from happening.   

According to Action Fraud, the National Fraud and Cyber Crime Reporting Centre, there have been more than 678 coronavirus-themed fraud reports since the outbreak, with actual losses totalling close to £2mn. While the majority of the frauds are related to online shopping scams, a large percentage are also about phishing scams attempting to obtain sensitive personal and financial information. On 10 April, the Evening Standard reported that the number of phishing attempts related to COVID-19 has increased to 2,747.

As more people are now working from home and using their personal technology and WiFi setups with only basic protection, businesses face an increasing risk of mandate-related scams such as bank payment/transfer requests and account data changes.

Some banks are also loosening their mandate management procedures to adapt to the new remote environment which opens up another opportunity for fraudsters to target companies.

For example, Barclays UK are now providing their business banking customers with the option to change their account signatories over the phone. According to the instructions on the bank’s official website, people can make changes to a business mandate* over the phone by simply providing some basic information about the account including account number and sort code, business name, full name of the person to be changed, and address. With company information easily accessible online via official sources like Companies House, this might be then exposing their business customers to a potentially higher risk of impersonation scams and mandate fraud.

And while no company is protected against financial fraud, SMEs are particularly vulnerable as they usually lack sufficient resources to implement effective internal fraud control and prevention systems. Additionally, the majority of SMEs tend to underestimate the level of risk and believe that financial fraud is affecting mostly larger corporations. 

According to the 2018 Small Business Fraud Report by Vocalink, 58% of UK SMEs believed that the impact of a potential payment fraud on their business would be minimal, and more than 30% were completely unaware of the various types of payment-related fraud such as invoice redirection, mandate and CEO fraud.

Below is a quick guide on the most common types of mandate fraud and some of the best prevention and detection practices business can deploy. 

What is a mandate fraud?

Mandate fraud is a high-value fraud that targets companies and involves changing a direct debit, standing order, money payment or bank account mandate, usually related to a business supplier. False payments and money transfers are then sent to fraudsters, rather than the real recipients.

 

Are you exposed to mandate fraud?

Cygnetise helps reduce the risk of mandate fraud by making authorised signatory management more efficient, transparent and secure.

Cygnetise desktop mockup
 

What are the most common types of mandate fraud?

  1. Your online bank account is hacked and account payment details are changed so that payments are transferred to the hacker’s account.

  2. You are contacted by someone who pretends to be from an organisation you have a standing order with and they ask you to change the details of the order. The standing order is then changed and future payments are made to the fraudster instead to the real organisation.

  3. You are contacted by a person pretending to be one of your suppliers and asks you to update your existing direct debit as they’ve changed their bank details. In result, the direct debit payment is made to the fraudster’s account instead to the actual supplier’s one.

  4. Someone contacts your bank pretending to be you and requests changes to your business mandate and authorised signatories. The bank then implements the changes and the fraudster gets full access to your account and funds.

How are mandate frauds done?

Bank mandate fraudsters usually use publicly available company information, such as contract wins announced on the internet and media, to target supplier accounts which are likely to receive large payments. Besides seeking information from public sources like companies’ own websites, social media and registrar websites like Companies House, fraudsters can also use direct tactics such as telephone impersonation scams to trick employees and get further details of relevant contacts, supplier reference numbers or sensitive information such as security codes and account numbers.

After obtaining all relevant company information, fraudsters often hack into the email account either of the target company or one of its clients or suppliers and send payment diversion requests. In some cases, scammers also send payment instructions to the bank directly via email or post.

How can you protect from mandate fraud?

There are several actions you can take to prevent your business from becoming a victim of mandate fraud. These include:

  1. When receiving payment-related emails, make sure the sender’s email address exactly matches your own records.

  2. Know your customers and be aware of your top 20 creditors. Mandate frauds are usually targeted at major organisations so you should be particularly careful when receiving any requests to change their bank details.

  3. Before making a payment to a supplier’s new bank account, you should contact them directly via a secured and valid contact phone number or email address and confirm the changes to their bank details.

  4. Adopt a dual control system for authorising payments and ensure the same employees cannot both post and approve payment transactions. If possible, have a senior finance staff member to review and officially authorise any changes to payment and bank account details.

  5. Regularly review and update your fraud protection policies and ensure all staff are fully aware of them.

  6. Maintain an up-to-date repository of account and signatory information.

  7. Use advanced technologies like blockchain to securely manage and share your authorised signatories in real time and have a complete and clear audit trail of any changes made to your data.  

Cygnetise provides a secure, real-time blockchain-based signature and bank mandate management application, equally accessible from principle or remote locations. The application does not require any system integration and can be implemented within 24 hours. 

To learn more about Cygnetise’s application and request a free demo, please email our team at info@cygnetise.com.

* A business mandate is a set of instructions and a list of people in your business who are authorised to manage its bank accounts. If you’re on the mandate you can perform the following tasks: 1) Manage the everyday banking, including making payments; 2) Sign up for products and services, including additional accounts and finance where appropriate; 3) Add or remove people from your mandate when they join or leave the business.

 

Sources:

https://www.barclays.co.uk/business-banking/manage/business-mandate-change/

https://www.forbes.com/sites/trevorclawson/2018/01/29/payment-fraud-still-on-the-rise-and-smes-are-most-at-risk-says-uk-survey/#1cf6b131be59

https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/Financial-lines/PrivateEdge/crime/payment-diversion-frauds.pdf

https://www.cps.gov.uk/cps/news/beware-fraud-and-scams-during-covid-19-pandemic

https://www.scotland.police.uk/assets/pdf/keep_safe/bank-mandate-fraud

https://www.standard.co.uk/news/crime/fraud-2-million-coronavirus-scams-uk-covid19-a4412091.html

Stephen Pomfret