Mandate Fraud is also known as Creditor Fraud, Payment Diversion Fraud and Supplier Account Takeover Fraud.
Changing bank accounts is an unusual occurrence and therefore any request to update records should be treated with suspicion. Changes should be authorised at a senior level.
This fraud involves the changing of account details for supplier or customer accounts in order to gain control of an account and benefit from unauthorised payments. This could include changing of bank details in a direct debit, manipulation of credit card activity, or changing of an employee’s bank account details for their salary, particularly when a bonus is due.
Fraudsters rely on the Payee (Company) name not being checked by the Banks. In most cases, only the Sort Code and Account Number are checked by the receiving bank.
Additionally, company details, including signatures on published accounts, are copied from the internet.
All companies and organisations are urged to ensure that they have robust authorisation and monitoring procedures in place for the creation and changing of bank details and monitoring of payments.
This also applies when providing account details in order to set up new payments or amend them.
Requests may be received by phone, letter or email to update account details. These requests must be monitored, checked and authorised before changes are made.
Details of suppliers are obtained from:
- Inside knowledge, including corrupt staff acting fraudulently.
- Publicly announced contracts.
- On-line transparency of contracts, particularly public sector contracts.
- Internet research about the targeted organisation, their activities and identifying key staff.
- Social Engineering to gain information from unsuspecting employees; this may include telephoning companies to gain information about their procedures.
The approach is made by:
- Telephone: there may be some urgency or reason to get changes made in a hurry: this is an indication of a potential fraud.
- A written request (letter or fax): this may be on ‘official’ looking letterhead quoting publicly available information such as company registration and director details.
- An email request: using information and logos that look legitimate and a reply email address that is ‘spoofed’ to give the impression that it is legitimate.
In all cases
- All the information presented may be correct, including directors, key contract staff and signatories, having been collated and checked against different sources. Requests may be routed directly, or in such a way that they appear to come from another part of the organisation; even if apparently authorised by a senior manager, the request should be thoroughly checked.
- All staff should be wary of providing sensitive company information, by phone or other means, especially contract and account information including references.
- Establish with suppliers, and internally, points of contact for handling and changing sensitive information that may benefit fraudsters.
- Call back your supplier using records in your system (not the number on the letter) to check the veracity of the request.
- Get a confirmatory email from the expected corporate email address.
- Make a note of your enquiries; be willing to double check information.
- Other policies may need review - clear desk, information security, staff vetting, internal and external financial controls.
- Do not publish account details and signatures on yearly reports.
Further checks that may be considered
- Enquiries to verify the new payee account details. With most types of bank transfer, only the Sort Code and Account number are verified, not the account holder’s name.
- When contacting companies, do not automatically use the information provided on suspicious letters, faxes and emails. Check this against contract documentation, payment records and other information. Contact the accounts department direct and not the name on the letter.
- Internet checks may highlight discrepancies and previous attempts. However, fraudsters may create incorrect records on the web, including business directory entries and web sites, in order to mislead.
- Check the details on any request for change - company numbers, VAT registration numbers, contact details, web and email information.
- Companies House information should be treated with caution. It is only a register and there are significant problems with details being changed in order to divert goods and payments.
- If making contact by phone, do this via main switchboards. Telephone calls may be re-directed, email addresses and incoming phone numbers are easily changed to look like legitimate ones.
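The verification steps above (call back on the number held on record rather than the one quoted, a confirmatory email from the expected corporate address, senior authorisation, and treating urgency, mismatched reply addresses and unfamiliar contact numbers as indicators) can be expressed as a gate that an accounts system applies before a bank-detail change is committed. The following is an added example written for this page, not material from the original author; the `SupplierRecord` and `ChangeRequest` structures, the `evaluate` function and the sample supplier, addresses and phone numbers are all constructed assumptions about how such a control might be modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class SupplierRecord:
    """Details taken from the signed contract, never from an incoming request."""
    name: str
    email_domain: str      # corporate domain on record
    switchboard: str       # main switchboard number on record, used for call-backs
    sort_code: str
    account_number: str


@dataclass
class ChangeRequest:
    """A request to update a supplier's bank details, however it arrived."""
    supplier_name: str
    from_address: str
    reply_to: Optional[str]
    quoted_phone: str                           # number printed on the letter/email
    new_sort_code: str
    new_account_number: str
    body: str
    callback_number: Optional[str] = None       # number the clerk actually dialled
    confirmation_from: Optional[str] = None     # address the confirmatory email came from
    approvers: List[str] = field(default_factory=list)


URGENCY_MARKERS = ("urgent", "immediately", "today", "before close of business")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def evaluate(req: ChangeRequest, record: Optional[SupplierRecord],
             senior_approvers: Set[str]) -> Tuple[bool, List[str], List[str]]:
    """Return (approved, blockers, indicators).

    Indicators are warning signs to be noted on the file; blockers are controls
    that have not been satisfied. A change is approved only when no control fails.
    """
    blockers: List[str] = []
    indicators: List[str] = []
    if record is None:
        return False, ["no supplier on record under that name"], indicators

    # Indicators: compare what the request claims against what is on record.
    if _domain(req.from_address) != record.email_domain:
        indicators.append(f"sender domain {_domain(req.from_address)} differs from "
                          f"record {record.email_domain}")
    if req.reply_to and _domain(req.reply_to) != _domain(req.from_address):
        indicators.append("reply-to address uses a different domain from the sender")
    if req.quoted_phone != record.switchboard:
        indicators.append("contact number quoted in the request differs from the number on record")
    if any(marker in req.body.lower() for marker in URGENCY_MARKERS):
        indicators.append("request presses for urgent action")

    # Controls: every one must pass before the new details are accepted.
    if req.callback_number != record.switchboard:
        blockers.append("call-back was not made to the switchboard number on record")
    if not req.confirmation_from or _domain(req.confirmation_from) != record.email_domain:
        blockers.append("no confirmatory email from the expected corporate domain")
    if not set(req.approvers) & senior_approvers:
        blockers.append("no senior authorisation recorded")
    return (not blockers), blockers, indicators


# Constructed sample data (fictional supplier, domains and phone numbers).
RECORDS = {
    "Acme Supplies Ltd": SupplierRecord("Acme Supplies Ltd", "acme-supplies.example",
                                        "+44 20 7946 0000", "12-34-56", "12345678"),
}
SENIOR = {"finance.director", "cfo"}

SPOOFED = ChangeRequest(
    supplier_name="Acme Supplies Ltd",
    from_address="accounts@acme-supplles.example",      # look-alike domain
    reply_to="ap.acme@mailbox-host.example",            # replies go elsewhere
    quoted_phone="+44 20 7946 0999",
    new_sort_code="98-76-54", new_account_number="87654321",
    body="URGENT: please update our bank details before close of business today.",
    callback_number="+44 20 7946 0999",                 # clerk dialled the number on the letter
    approvers=["ap.clerk"],
)

GENUINE = ChangeRequest(
    supplier_name="Acme Supplies Ltd",
    from_address="accounts@acme-supplies.example",
    reply_to=None,
    quoted_phone="+44 20 7946 0000",
    new_sort_code="11-22-33", new_account_number="11223344",
    body="Please note our change of bank following a merger.",
    callback_number="+44 20 7946 0000",
    confirmation_from="finance.director@acme-supplies.example",
    approvers=["ap.clerk", "finance.director"],
)

if __name__ == "__main__":
    for label, req in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        ok, blockers, indicators = evaluate(req, RECORDS.get(req.supplier_name), SENIOR)
        print(label, "approved" if ok else "rejected", blockers, indicators)
```

Indicators and blockers are kept separate on purpose: a genuine request can carry an indicator (a supplier really may have changed its phone number), so indicators are recorded on the file for the person making the call-back, while the three controls are the ones the guidance treats as mandatory and are the only thing that decides whether the change is applied.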
If a Payment has been made
- With ‘Faster Payments’, where bank transfers take only a few minutes, the receiving account is monitored by the fraudster and money may be moved on very quickly, making it impossible to freeze the account and recover the money.
- Banks usually only refund money when they are at fault. If a duly authorised transaction is made the loss will remain with the organisation making the payment.
- The correct organisation will still have to be paid unless it can be proved that they acted fraudulently.
If Fraud or other crime is suspected
- Do not continue with the transaction. You may not get your money back.
- Report your suspicions to the bank whose details you have been given.
- Follow the ‘reporting fraud’ advice on the Metropolitan Police web site.
- Where money has been lost, and you can identify the offender, a report to your local Police may be more appropriate.
- Fraud by False Representation does not require money to be lost. In these circumstances a report to Action Fraud may be more appropriate.
- Fraud is not the only offence that may be alleged - Theft (employee), False Accounting or Money Laundering offences may be apparent and advice would be given at the time of making a report to Police.
- Preserve any document and other correspondence for forensic examination. Place them carefully in a document holder and do not delete computer records.
In circumstances where you feel that it is appropriate to warn others, who may be involved in your supply chain or industry, information may be shared for the prevention and detection of crime in accordance with the Information Commissioner’s Office guidelines.