In an increasingly digital world, the risk of falling victim to 'authorised push payment fraud' is rising. The sudden shift to home working exacerbates this threat and has created the perfect storm of psychological pressure, exposure to cyber risks and untried procedures, which are ripe for exploitation by fraudsters. As we noted in our March post (Banks delay implementing push-payment fraud checks when they are needed most), the Payment Services Regulator will not take any formal action in respect of banks' delays to implementation of confirmation of payee checks until 30 June 2020 at the earliest.
Authorised push payment fraud is a form of fraud in which victims are manipulated into making real-time payments to fraudsters, typically by social engineering attacks involving impersonation. Let's look at a real life example.
Company X has a well-known relationship with Company Y, a supplier of goods or services. Each month, Company Y tenders its invoice to Company X's accounts payable team. But don't worry, Company X has a fool proof procedure, which has withstood the test of time and caused no problems since mobile phones were the size of a Ford Escort. What could possibly go wrong?
In short, many things: a fraudster could submit a fictitious invoice to Company X purportedly from Company Y; a member of Company X's accounts team could fraudulently double-pay Company Y's invoice from different accounts within Company X; a fraudster could imitate Company Y and request that Company X updates its stored bank account details for Company Y.
Fraudsters are becoming increasingly adept at exploiting psychological weaknesses and the current economic climate is likely to increase their audacity. In the New World of working from home, it may be easier for fraudsters to impersonate senior decision makers, with seemingly valid reasons why they cannot be contacted. E-mailed instructions from senior members of your organisation to make an urgent, business critical and highly confidential payment could appear credible whilst navigating the current economic tempest (and trying to look after two children who weren't up in time for Joe Wicks' daily energy burn). Normally any instructions might be conveyed in person, but what used to be normal is now abnormal.
Some simple, proactive steps can significantly minimise risk to your business:
Establish robust internal processes for handling changes to payment details, e.g. only designated employees should be able to make changes to payment arrangements; all payment requests must be made by telephone or video call.
If you receive a request to move money into a new bank account, contact the supplier directly using established contact details to verify and corroborate the payment request (not the details used in the mandate).
Make a £1 test payment for new payees over a reasonable threshold and confirm receipt with payee.
Invoices, payment mandates and other documents containing sensitive financial information, should be stored securely, shredded after use and only be accessible to necessary staff.
Do not rely exclusively on electronic signatures given the risk of misapplication on forged requests.
If all else fails, the courts are still open. Various remedies including freezing injunctions, search order and Norwich Pharmacal disclosure orders remain available to help victims discover and recover. We have recently recovered more than £750,000 transferred by a fraudster to a UAE bank account and have so far recovered more than €11.4m out of a €15m fraud, although acting quickly is key.
Please review our Covid-19 hub for updates and get in touch if you require further information.
Sign up to our email digest