03 October 2011

“Our bank details have changed”… or have they?

The problem

“Dear Accounts Payable department,
Our bank details have changed to the following.  Please can you update your records.”

Although not new, the “change of supplier bank details” scam illustrated above is staging a comeback, with large companies paying out large sums to the wrong people.  To avoid being the next victim, here are some simple precautions.

What to do

Check your procedure for dealing with these requests, some of which may be legitimate:

  • Do you phone the supplier using a number taken from their website, ideally speaking to someone you know and have known for some time, to confirm the details of the change?
  • Do you make a note of the call?
  • Does the resulting change to the supplier master file require a senior level of dual authorisation, eg the same as for authorising a BACS payment run? Are changes made reviewed and validated subsequently? (Don’t imagine that an instruction to pay funds to an account with an inconsistent account name will be picked up by your bank – it’s the sort codes and account numbers which determine where the money goes.)

Watch out for the giveaways:

  • Often the letter will include the invitation “in order to confirm this instruction, please call me on my direct dial number xxx” – this will be an unconnected rented line or accommodation office manned by the fraudsters;
  • Similarly, beware of supposedly confirmatory emails from almost identical email addresses (eg .com instead of .co.uk, or pricewaterhousecooper instead of pricewaterhousecoopers) which have been set up by the fraudster for that purpose;
  • Does the letter or email contain any errors? It’s surprising how many typos can often be found;
  • Is the letter marked urgent or accompanied by pressuring phone calls, warning of the consequences if the change is not made straightaway?
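
The look-alike address giveaway above can also be screened for automatically. The following is an added example, not part of the original post: it compares a sender's domain with the domains held on the supplier master file and flags a changed suffix (.com for .co.uk) or a name that is one or two characters off. The supplier domains, addresses, suffix list and function names are all constructed for illustration.

```python
# Added example: flag sender domains that imitate a supplier on file.
# KNOWN_SUPPLIER_DOMAINS and every address used with it are constructed sample data.
KNOWN_SUPPLIER_DOMAINS = {"brightwell-supplies.co.uk", "harrowprint.com"}
# Small subset of two-label suffixes (an assumption; a full list is much longer).
TWO_LABEL_SUFFIXES = ("co.uk", "org.uk", "ltd.uk", "plc.uk")

def split_domain(domain):
    """Return (name, suffix), e.g. ('brightwell-supplies', 'co.uk')."""
    domain = domain.lower().rstrip(".")
    for suffix in TWO_LABEL_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1], suffix
    name, _, suffix = domain.rpartition(".")
    return name.split(".")[-1], suffix

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address, known=KNOWN_SUPPLIER_DOMAINS, max_edits=2):
    """Classify the sender's domain against the supplier master file."""
    domain = address.rsplit("@", 1)[-1].lower().strip("> ")
    name, suffix = split_domain(domain)
    for good in sorted(known):
        good_name, good_suffix = split_domain(good)
        if name == good_name and suffix == good_suffix:
            return ("known", good)             # same registered domain
        if name == good_name:
            return ("lookalike-suffix", good)  # e.g. .com instead of .co.uk
        if edit_distance(name, good_name) <= max_edits:
            return ("lookalike-name", good)    # e.g. a dropped letter
    return ("unknown", None)
```

A "known" result only means the domain matches the one on file; it does not replace the phone call to the supplier described under "What to do".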

Warn your staff:

  • Before sending these letters, the fraudsters will often make so-called “pretext” calls to your company to try to get information which will then be used to increase their chances of success.  This includes asking for the names or direct telephone numbers of people in your accounts payable department, or the supplier reference number for a particular supplier. These calls may be prefaced by an innocuous call (eg asking to check the post code) through which the fraudster establishes in the mind of the victim that he or she does indeed work for the supplier, so that the next time they call they are more likely to be accepted as genuine;
  • Is your clean desk policy working in practice? If not, this is a far easier way for the important information above to be gathered;
  • Information is also gathered by fraudsters through Freedom of Information requests and via compulsory public sector disclosure requirements. Consider if you are disclosing more than you need to.

Finally, consider the “inside job”.  Is there anyone in your organisation who could create such a letter him/herself, and then arrange for a supplier’s bank details to be changed?  If so, that person probably has too much power.

The fraud above fails in 99% of cases, but when it works, it’s very lucrative.  Implementing the steps above will stop you being in the 1%.