Fraud by redirecting payments to Payroll, Suppliers


Cyber criminals have managed to divert significant sums of money, for example payments intended for a supplier, into their own accounts; once the payment details have been altered, all subsequent payments to the intended supplier are diverted in the same way.

Often this type of criminal act is only identified when the supplier or the payee sends a payment reminder. By this time, it might already be extremely difficult or even too late to catch the perpetrators and to recover the sums of money in question, which can be very large in some cases.

A similar method is used in payroll scams. An email claiming to come from the employee, complete with the employee's job title, is sent stating that it comes from a new personal email address.

In some cases, fraudsters will even "name drop" senior management or executives in the organization to add legitimacy to the request, for example "my HR contact so-and-so told me to email you". Often the payroll redirect attempt targets an executive or the President/CEO of the company. These attempts may succeed because many employees do not want to question an email they believe is coming from an executive.

Online scams have been around for a long time. While we may have become better at spotting a suspicious looking email dotted with spelling mistakes and bad grammar, we don’t usually expect the scam to involve people or businesses that we deal with on a regular basis or would otherwise believe to be trustworthy.

A common mode of fraud begins with an email account being hacked. The hacker then intercepts a conversation between a payer and a payee and redirects the payment to a different account; alternatively, the hacker compromises or interferes with the payee's email account and supplies new account details, either in the body of an email or by changing the payment details on an otherwise legitimate invoice.

Diverse organizations have been affected, from the legal, building and real estate industries to not-for-profit organizations, small businesses and government agencies.

Losses can be significant, particularly in the case of property transactions with people losing deposits or final payments after inadvertently sending the funds to a scammer’s bank account.

Protecting yourself from payment redirection fraud

If your organization does a lot of electronic transfers then:

  • Be alert to attempts by scammers to intercept payments due and owing to you, and ensure that your email accounts and computer systems have adequate security controls in place to reduce the risk of hacking.
  • Make a list of genuine payment accounts. Check regularly for any changes of name, address or account details.
  • Check any change of payment details using at least two verification modes. If you receive a request from a supplier to change account details, verify the request by contacting the supplier again.
  • Closely scrutinize the invoice and query any changes to ensure that the payment is going to the correct account. For large EFTs it is always prudent to cross-check bank account details with the supplier.
  • If you receive a payment request that seems unusual, or an email request to change bank account details, get verbal confirmation before making the payment. Do not take the contact details from the request itself, as they could direct you to a fraudulent contact; use the details in your original database instead.
  • Never accept changes to an employee's bank account details when the only contact has been by phone.
  • Let your payment recipient know that you have made the payment – in this way you will be able to identify any incorrect payment details in good time.
  • Do not make supplier information, for example company names, publicly available – cyber criminals often get their information from publicly accessible sources.
  • Consider including a statement on all email communications with customers stating that the business's bank account details will not change during the course of the transaction and that the business will not change its bank account details via email.
  • Update your terms and conditions to set out a clear process for changing key information. For example, you might implement a policy that no changes are made to banking or personal details without first being verified directly by phone with a nominated individual from your organization.
  • Regularly check sent and deleted email folders, as well as bank account statements, for unusual activity.
  • Cyber risk insurance policies are available for businesses to cover cyber extortion, media content and network interruption. Consider taking out such a policy.

What can you do if you’ve been scammed?

Unless the other party is waiting for the money and regularly checking their bank account, you may not find out that the money has gone to the incorrect account until the payee chases you up for non-payment, which could be days or weeks later.

Once you’re aware that a scam has taken place, contact your bank immediately. There’s a small chance that they may be able to recover the funds from the recipient bank, if withdrawals haven’t already been made.

You should also consider obtaining professional IT advice to secure your email systems and data from hackers.

When one party makes a payment to an incorrect bank account because of fraud, the invoice remains unpaid, and debt recovery action can be commenced against the victim of the fraud to enforce payment, meaning the victim may be out of pocket for double the amount.

Avoid financial losses with a few extra steps:

If an organization's practice is to accept payroll changes via email, it is highly recommended that dual verification be carried out by calling the employee on the internal phone number in your records (not one given in the email), or by asking them to submit the request in hard copy with proof of ownership of the account and their wet signature.
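The supplier checklist above and the payroll rule in the previous paragraph describe the same control: a change of bank details is accepted only after out-of-band verification that uses contact details from your own records, never from the request. The following is an added example (not code from this article) of how a payments team might encode that gate; the registry, payee ids, account strings and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample registry of genuine payee accounts (suppliers and employees).
# It stands in for the list kept independently of inbound email; the phone number
# is the one on file, never one quoted in a change request. All values are made up.
REGISTRY = {
    "SUP-001": {"account": "12-3456-789", "phone": "+61 2 0000 0001"},
    "EMP-042": {"account": "98-7654-321", "phone": "+61 2 0000 0042"},
}

# Modes that count as out-of-band. Email is deliberately excluded: it is the
# channel the request arrived on and may itself be compromised.
OUT_OF_BAND_MODES = {"phone", "hardcopy_signature", "in_person"}


@dataclass
class ChangeRequest:
    payee_id: str
    new_account: str
    contact_in_request: Optional[str] = None            # phone number quoted in the request
    verifications: list = field(default_factory=list)  # [(mode, contact_used_or_None), ...]


def assess_change(req: ChangeRequest, registry=REGISTRY):
    """Return (decision, reasons); decision is 'approve', 'hold' or 'reject'."""
    reasons = []
    entry = registry.get(req.payee_id)
    if entry is None:
        return "reject", ["payee is not in the list of genuine payment accounts"]
    if req.new_account == entry["account"]:
        return "approve", ["account matches the one on file; nothing changed"]
    accepted = set()
    for mode, contact in req.verifications:
        if mode not in OUT_OF_BAND_MODES:
            reasons.append(f"{mode}: not an out-of-band mode, ignored")
        elif mode == "phone" and contact != entry["phone"]:
            # A number that matches the request is the classic trap: it rings the fraudster.
            src = "the request itself" if contact == req.contact_in_request else "an unknown source"
            reasons.append(f"phone: {contact} came from {src}, not the registry; ignored")
        else:
            accepted.add(mode)
    # At least two independent modes, as the checklist recommends.
    if len(accepted) < 2:
        reasons.append(f"{len(accepted)} independent verification(s); two required")
        return "hold", reasons
    return "approve", reasons
```

A "hold" result is the point at which someone calls the number on file before the payment run goes out.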

Receipt into fraudulent identities: in many cases the receiving account was opened online using a stolen identity. In other cases, the receiving account is an established account whose owner is acting as a money mule.

If you are notified that an account at your institution is being used to receive funds in these types of cases, consult your internal Compliance Team and follow your Anti-Money Laundering remediation protocols.


