Bank transfer fraud is an omnipresent and growing threat. Recent developments linked to the Covid-19 pandemic and the pervasive uptake of remote working have only exacerbated the risk of cyberattacks. So, how can businesses detect fraudulent behaviour? How can they guard against potential threats?
Many people can tell you about their individual experience of fraud involving either a bank card or a cheque. Businesses, too, are at risk of such fraudulent practices. In 2016, the amount scammed in reported frauds was estimated at between €300 and €450 million. This suggests that the overall amount is much higher, as not all businesses that fall victim to fraud report it.
Whether their scam involves a bank card, a cheque or a bank transfer, fraudsters make no distinction and treat all businesses, from large corporates to SMEs, as fair game. For an SME or mid-cap company, though, fraud can be enormously damaging and may jeopardise the company. This is especially true for bank transfer fraud, which can involve significant amounts, reaching as high as hundreds of thousands of euros. Recovering funds is difficult and can create a core problem for the business, to the point that in some cases, the company has to file for bankruptcy. How can you identify and protect yourself from bank transfer fraud?
Identifying bank transfer fraud
There are currently four types of bank transfer fraud. The following is an explanation of how they work, from most common to least widespread:
- The fake invoice scam: the concept is simple. A scammer sends an invoice to a business’s accounts department, which does not recognise it as a fake invoice and pays it. The fraudsters might also mark it as an “invoice approved by” a given department to make it seem more credible. This type of fraud is very common and often involves an amount as high as several hundred euros. This kind of scam is hard to detect, with many businesses not realising that they have been defrauded.
- Changing suppliers’ bank account details: the fraudster gathers information about the company’s relationship with suppliers, then sends an email with updated bank account details, passing themselves off as the company’s official supplier. The company believes they are dealing with the usual person and makes payments to the scammer’s account instead of that of their genuine supplier. This type of fraud is also very widespread – the very kind that iBanFirst’s clients have experienced most often in the past with their conventional banks – and can have a greater impact than the fake invoice scam, often going as high as tens of thousands of euros.
- CEO impersonation fraud: as an individual, you have undoubtedly received many emails from scammers passing themselves off as friends and family, asking for an immediate transfer of funds to help them out of a difficult situation. CEO impersonation fraud is the business world’s equivalent and works in the same way. The scammer gathers information on the company and its executives, using social media, for example. They subsequently impersonate one of the C-level executives by email, suggesting the need for an urgent and confidential financial transaction. Feeling under pressure or out of a sense of trust, the company performs the transaction and the scammer picks up the money. They then transfer these funds to offshore accounts. This kind of fraud is increasingly common in France and can amount to a great deal of money, in the region of several hundred thousand euros.
- Banking malware: the last, and least common, type of risk is also the most dangerous. This is a sophisticated type of fraud which can involve up to €1 million being defrauded. The perpetrators send an email with an attachment to an employee at the target company. While the attachment appears to be harmless, it is actually malware, a kind of Trojan horse. The software links to a banking interface that is not the real one, but looks exactly like it, or, alternatively, it reports a problem with the account and directs the user to a telephone number connected to the fraudster. Using such schemes, scammers can rapidly transfer substantial amounts to offshore accounts and sometimes launch distributed denial-of-service (DDoS) attacks on the defrauded company, to distract it from the fraud.
It is important to know about these different methods of fraud to protect your business against them as much as possible, as they are not uncommon and fraud tactics are becoming increasingly sophisticated.
How can you protect yourself from bank transfer fraud?
There are several easy-to-implement best practices to protect against bank transfer fraud.
The most important recommendation for businesses is to always check the authenticity of the information directly with their supplier. This may involve, for example, calling your supplier to check bank account details before making transfers, or indeed, requesting a statement of the account details directly from the bank, rather than using the details included in an email.
It is important to record everything you know about a particular supplier in a database, together with their bank account details, contact names and email addresses, along with the appropriate domain names and telephone number. If bank account details are changed, it is crucial to arrange for a manager to approve them, and it is especially important to make additional checks whenever there are any data changes relative to your supplier.
If you have any reason to suspect fraudulent activity, use two different channels of communication to check, such as both email and telephone. Also, where the company’s major suppliers are concerned, regular, stringent checks are key to ensuring that transactions are secure.
Overall, special attention should be paid to whether information is consistent, and to checking internally that any requests made are valid. The majority of fraud cases could be prevented by looking more closely at whether the information is consistent and by making additional checks in-house. This is true for CEO impersonation fraud, changes of bank account details and fake invoices.
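The supplier-record checks described above can be automated as a gate in front of the payment run. The following is an added sketch, not iBanFirst code: the supplier name, domains and phone number are constructed, the IBANs are well-known documentation samples, and the 0.85 look-alike threshold is an assumption.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass
class Supplier:                      # master record kept in the supplier database
    name: str
    iban: str
    email_domains: tuple
    phone: str                       # number on file, used for the call-back

@dataclass
class PaymentRequest:                # details as they appear in the email or invoice
    supplier: str
    sender_email: str
    iban: str
    manager_approved: bool = False
    callback_confirmed: bool = False  # confirmed by phoning the number on file

def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: catches typos, not fraud."""
    s = iban.replace(" ", "").upper()
    if not (s.isascii() and s.isalnum()) or len(s) < 15:
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def review(req: PaymentRequest, master: dict) -> list:
    """Return the reasons to hold the payment; an empty list means release."""
    rec = master.get(req.supplier)
    if rec is None:
        return ["unknown supplier: no master record"]
    reasons = []
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if domain not in rec.email_domains:
        close = any(SequenceMatcher(None, domain, d).ratio() > 0.85 for d in rec.email_domains)
        reasons.append("look-alike sender domain" if close else "sender domain not on file")
    if not iban_valid(req.iban):
        reasons.append("IBAN fails checksum")
    if req.iban.replace(" ", "").upper() != rec.iban:
        if not req.callback_confirmed:
            reasons.append("IBAN changed: call back on the number on file")
        if not req.manager_approved:
            reasons.append("IBAN changed: manager approval missing")
    return reasons

# Constructed sample data: one supplier record and one suspicious change request.
MASTER = {"Acme Supplies": Supplier("Acme Supplies", "DE89370400440532013000", ("acme-supplies.example",), "+49 000 0000000")}
SPOOFED = PaymentRequest("Acme Supplies", "accounts@acme-suppiies.example", "GB82WEST12345698765432")
if __name__ == "__main__":
    print(review(SPOOFED, MASTER))
```

A request that passes every automated check still needs the call-back when account details change, because a fraudster's IBAN is a perfectly valid IBAN.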
Additionally, make sure you are well protected from a technical perspective.
- Anti-virus protection is a must, to ensure that the attachments you receive do not contain malware.
- Always use an in-house computer to make bank transfers, never a third-party or private computer, unless this is done via a VPN connection.
- It is strongly advised that you introduce two-factor authentication systems for logging into your bank accounts. This is an absolute must for iBanFirst, since our clients’ security is a top priority.
Lastly, it is important to provide training for your team on these issues, since more than 95% of fraud cases involve human error. Some of the ways you can minimise the risk of fraud include explaining to your employees how these scams work, providing training with concrete examples of fraud, encouraging your teams to check the identity of anyone asking for information about the business, and restricting how much information related to your company and your employees is released on the internet.
Don’t neglect training, as this can make all the difference. At iBanFirst, we conduct regular training on fraud-related topics. To build awareness effectively amongst your teams, you can use software that sends simulated emails which carry attachments or ask for information about the company. You can subsequently ascertain who has clicked on or replied to the email. This means you can engage directly with those employees, and therefore minimise the likelihood of a fraud being perpetrated under the same conditions.
How can you recover defrauded funds?
If, despite all these best practices, you fall victim to a bank transfer fraud, you need to act quickly, as time is of the essence in such cases. If you suspect fraud, alert your line manager and the institution that sent the funds. Depending on the timing, this may help to stop the transfer. Forty-eight hours after the transfer is made, however, it is unfortunately highly likely that the funds will already have been transferred offshore or used.
At the same time, you will need to report the incident. One week after the transfer, the chances of recovering the defrauded amounts plummet, and you will need to rely on the work of the police for the potential seizure of the funds.
It should be noted that you are very unlikely to recover the defrauded amount in full, and the timescales for recovery are long.
Banking fraud is a reality for all businesses and it can pose a genuine threat to the viability of SMEs and mid-caps. The winning combination to minimise risk is a secure IT system, the routine checking of information and appropriate training for your team.