Mandate fraud occurs when criminals impersonate a company’s suppliers and convince the company to change the bank account details it holds for that supplier. The next time the company orders goods or services from that supplier, the payment goes to the fraudster instead of the supplier.
According to an article from PWC, mandate fraud is increasing in frequency, volume, and sophistication. A blog post from PWC’s Fraud Academy gives some additional information on how this occurs.
Traditionally fraudsters would send a letter, complete with a supplier logo, requesting the supplier’s payment details be changed. Those enacting the change would unwittingly divert legitimate payments to the fraudster’s bank account. However, fraudsters are increasingly registering email addresses similar to those of the legitimate supplier hoping an air of legitimacy will discourage the victim from verifying that change.
For example, a target organisation may receive an email from the address email@example.com, where the absence of ‘m’ or ‘uk’ isn’t noted or challenged. In reality, the email domain has been registered by the fraudster in Colombia, where the suffix is ‘co’.
Where fraudsters rely on a forged letter or email, they have also been known to make a prior request to update the supplier’s contact details. The rationale is that organisations typically have weaker controls around updates to contact details, as opposed to bank account numbers. Inadvertently, the bogus contact may be contacted in an attempt to verify any bank changes, with which the fraudster is understandably happy to concur.
As organisations become more aware of the threat from mandate fraud, fraudsters are now turning to increasingly sophisticated methods to circumvent those procedures.
Fraudsters have also been known to contact a supplier first, pretending to be from the target organisation in order to gain information about upcoming payments. Equipped with details of purchase orders, an air of authenticity is added to any change requests, hoping to discourage verification procedures.
It is inevitable that suppliers will change their bank details from time to time. When faced with a change request, organisations need to be vigilant to the risks, build scepticism and awareness amongst those working within purchase ledger roles, and ensure processes are effective for the verification and approval of such changes. Most importantly, those controls must be operating. All too often we see victim organisations believing they had appropriate countermeasures in place only to realise (too late) that those processes weren’t adopted (e.g. through absence of training to new employees).
The full blog post can be read on the PWC blogs website.
Implications & recommended actions:
- Businesses should have controls in place to prevent mandate fraud. It is important that these can be demonstrated to be effective, including arrangements to monitor and quality check the robustness of these controls in practice.
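One control that can be automated is a check of the sender's domain on any bank-detail change request against the domains already held in the supplier master file, to catch the look-alike addresses described above (a dropped ‘m’ or ‘uk’, or a small misspelling). The sketch below is an added example, not taken from the PWC article; the supplier domains and addresses are constructed sample values, and it assumes the master file stores plain registrable domains without subdomains.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def check_sender(address, supplier_domains, max_distance=2):
    """Return (verdict, matched_supplier_domain) for a change-request sender.

    An "exact" verdict does not replace call-back verification using
    contact details already on file; it only means no look-alike was seen.
    """
    domain = sender_domain(address)
    known = sorted({d.lower() for d in supplier_domains})
    if domain in known:
        return ("exact", domain)
    # Same name, different suffix: e.g. ".co" in place of ".com" or ".co.uk".
    name = domain.split(".", 1)[0]
    for good in known:
        if name == good.split(".", 1)[0]:
            return ("lookalike-suffix", good)
    # Near-miss spelling of a known supplier domain.
    for good in known:
        if edit_distance(domain, good) <= max_distance:
            return ("lookalike-typo", good)
    return ("unknown", None)


# Constructed sample data (hypothetical suppliers and senders).
SUPPLIERS = ["acme-supplies.com", "northwind-parts.co.uk"]
REQUESTS = [
    "accounts@acme-supplies.com",
    "accounts@acme-supplies.co",
    "billing@northwind-parts.co",
    "ar@acme-suplies.com",
    "info@unrelated-vendor.org",
]

if __name__ == "__main__":
    for sender in REQUESTS:
        print(sender, "->", check_sender(sender, SUPPLIERS))
```

Requests flagged as look-alikes, and requests from unknown domains, would be held for manual verification before any change to payment details is made.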