Kaley Crossthwaite from BDO LLP provides an insight into one of the most popular frauds and how you should deal with it

Over the past 12 months we here at BDO have been asked to assist clients on what is becoming an increasingly common fraud. It is worryingly simple and apparently successful and has moved beyond just companies – earlier this year, Guernsey States’ Treasury lost £2.6m to such a scheme.

The key reason that these frauds are successful in diverting significant funds from the victims is a fundamental lack of, or observance of, basic internal controls to safeguard payments

So how is it done and what can you do to prevent your organisation from becoming a victim?

The fraud takes place along the following lines. The fraudster contacts the company purporting to be from one of your suppliers. The fraudster informs the company that the supplier’s bank account details have changed. New bank account details are provided. The company then makes payments of invoices to the ‘new’ bank account of its supplier. It is only when the supplier starts chasing for payment of outstanding invoices that the company realises that it has being making payments to a fraudster.

This type of fraud is one that BDO’s forensic group has been seeing ever more regularly and the fact that a public body has been targeted indicates that it has escalated beyond what has traditionally been a corporate fraud.

Although the overall technique is similar, the fraudsters use a variety of methods to communicate the change of bank details to the victims and persuade them that they are legitimate. Examples that BDO has seen include:

  • The use of an emailed letter that purports to be from a director of the supplier and in which the ‘new’ bank account details are given.
  • Advising the victim of changes to other minor details initially by telephone, thereby building a rapport with the victim’s staff (normally one individual), before advising of the change of bank details.

More recently, we have seen an interesting variation on this theme whereby the fraudster actually purported to be part of the company’s own in-house legal team. The victim, a recently recruited finance director (FD) of a French subsidiary, was contacted by the trickster and told that the parent company had suffered a fraud - he was being told this in confidence as a trusted employee so that his business did not suffer the same fate.

After a number of calls, and having built a relationship with the FD, the fraudster requested that a payment be made from the subsidiary to its parent – the reason given was that due to the cash taken out of the business from the alleged fraud the parent was about to breach its banking covenants. The FD duly obliged. However, the account into which he was asked to pay the monies was not that of the parent.

So why were the fraudsters successful?

It is common in these frauds that the fraudster gives the impression of having certain knowledge of the operations of the victims – on the face of it non-public information, for example, details of customers - thereby giving the impression of legitimacy.

However, in today’s information age there is much information available in the public domain – company websites often list major customers. Although this might give an element of legitimacy to the fraudster, the key reason that these frauds are successful in diverting significant funds from the victims is a fundamental lack of, or observance of, basic internal controls to safeguard payments.

In the most recent example, we established that French banks have processes that allow for one signatory only on corporate accounts. The fraudster knew this and exploited it at the expense of the FD.

In many of the examples, the destination bank account was changed without any apparent due diligence, basic checking or authorisation taking place. It is therefore essential that public bodies and companies ensure that they have basic controls in place to prevent them becoming yet another victim of this worryingly prevalent fraud.

So how can you prevent you or your organisation from becoming a victim?

BDO recommends that internal controls are reviewed to ensure that:

  • There is limited access and authority levels to change standing data, particularly in relation to cash outflows to the business.
  • Senior personnel authority is required to change data and reports of any changes made are provided to senior management on a regular and timely basis for review.
  • Checks are undertaken to verify that instructions to make payments to different bank accounts are bona fide.
  • There is sufficient segregation of duties to reduce the risk of one individual having access to all information to affect such a fraud.

However, none of these controls are effective unless implemented. If you find that you are the victim it is essential that you act quickly and obtain professional help from experts in this area.