With new research suggesting business fraud awareness is stagnating, two small company owners share their experiences of being stung by swindlers.
The impact of modern-day payments fraud would be minimal and only result in the loss of a small amount of money, is a belief 58 per cent of small and medium-sized businesses (SMEs) in the UK share.
According to new research from Vocalink Analytics, there has been no improvement when it comes to awareness of business fraud such as invoice redirecting – despite losses now totally £18.9bn a year.
Key business fraud stats
- 25 per cent – proportion of small businesses hit every year
- £18.9bn – losses to SME businesses each year
- 36 per cent – amount of SMEs which don’t know who to call in event of invoice fraud
- 47 per cent – amount of SMEs which have not made any changes to prevent fraud
To look at the situation in more detail, Business Advice spoke with two small business owners who had been caught out by fraudsters, as well as garnering some expert advice from Vocalink Analytics’ Dave Divitt.
Mark Ruthven runs a small architecture practice in London and was stung in 2016 when a fraudster hacked into the email account of an administrator of a semi-regular supplier – probably having tracked that the business made monthly payments.
After Ruthven’s financial administrator received a seemingly legitimate email advising her of a change in banking details, a BACS payment work £13,000 was ultimately sent later that month to the bogus account.
This type of fraud, commonly referred to as invoice redirection, is a growing trend and one causing billions of pounds worth of losses each year.
Ruthven added: “Very fortunately I just so happened to be speaking with the MD of the supplier we ‘paid’ shortly after the transfer and mentioned that we had made the payment to their new account.
“The immediate response was ‘what new account’. That set of immediate alarm bells for me.”
Ruthven and his team got straight on the phone to the bank, but found themselves in a very long wait to get through to the fraud department.
“It was frustrating as we were with the same bank as our supplier, and oddly enough the fraudster used the same bank to set up the bogus account we transferred into – so you would have thought there might have been an expedient way of putting a stop to things,” he said.
Technology, Divitt told us, is giving fraudsters different avenues to explore. “Whereas before you’d have to make a phone call or send a fax to trick someone, nowadays you have online systems which can be penetrated and therefore providing new ways of accessing businesses,” he commented.
“But businesses now have new services which can be implemented. Most are very simple, straightforward and not too expensive. You also need to treat requests to change invoice details as high risk and then call back a supplier on a trusted number.”
Ruthven and his business did have the money returned, after the call was followed up by a “pretty firm letter” to the bank manager.” A few days later the £13,000 appeared back in our account – no fanfare, no communication from the bank. But we understood they had managed to freeze the funds in the bogus account and return them to us.”
Ruthven believes the fraudster was not monitoring their accounts closely enough and so missed out on the opportunity to split the funds and send them elsewhere beyond the control of the banks.
Stevie Graham is another small business owner who has fallen victim to business fraud. In another fortunate set of circumstances, the entrepreneur just so happened to be casting an eye over his statement and noticed a lot of small and unusual transactions.
“They were from all over the world. Train tickets in Spain, a shoe shop in Germany, an electronics store in Hong Kong,” he remembered.
“We alerted the bank and their policy is to issue immediate reimbursements – for us around £2,000. But, for some reason, and despite me cancelling my card, the fraudsters were still able to make further charges of about £700.”
Graham’s frustration with his bank stemmed from not being alerted to purchases made in unusual international locations. “It wasn’t practical for me to have been making those payments. Simple logic tells you something is up.”
The bank apologised but he has since changed up institutions. “They were a new bank and the only reason we went with them was we had a large payment and the company was non-trading at that point but needed an account,” he said.
“With bigger retail banks, you need to make appointments to get a business account and there are long lead times. The other bank just lets you download an app and access an account number and sort code.”
The Vocalinks Analytics report found a third of businesses had not even heard of techniques such as invoice redirection and CEO fraud – an approach where a seemingly high-ranking member of staff sends an email to a more junior employee saying money needs to be transferred urgently to an account for a specific reason.
However, for companies that have experienced fraud, 71 per cent believe business fraud is now the biggest risk to their company – with 71 per cent also worrying that it will be an even bigger issue for them in 2018.
Ruthven is now far more attentive when it comes to payments. He and his team make sure to double check anyone asking to change bank details and get additional confirmation from any supplier.
“A bit like the boss who emails saying ‘we have a problem abroad, please send some money’, you definitely want to speak directly with that boss before doing any transferring,” Ruthven warned.
Graham, likewise, now regularly checks his bank statements to ensure anything untoward is picked up quickly. “I don’t not make purchases using my business card now, but if it is not a well-established retailer I would probably think twice about buying from them instead of going to someone like Amazon,” he admitted.
However, for those who don’t want to be clued up after something goes wrong, what are the red flags to look out for? With invoice redirection, a request for a change in details is an obvious alert. That could come through an email or a phone call. Whenever it comes through treat it as high risk and then go through trusted phone numbers to establish its legitimacy – just like general consumers who are called up and asked for personal details.
With CEO fraud, the pressure being applied is the red flag. Any legitimate executive in a company is gong to be willing to explain themselves and there will be a paper trail to legitimise the request. Don’t act on pressure of just speaking to a “CEO”. If something seems wrong, get a second pair of eyes on it.
New technology, especially in the fintech space, is unfortunately providing fraudsters will the tools and means to scatter funds very quickly. However, there are services and products out there designed to improve the ability of small companies to resist fraud attacks.
Make sure you think twice before sending your hard-earned cash to unknown sources.
If you’ve been a victim of fraud then Business Advice would like to hear your story. Please get in touch by emailing us on email@example.com.
Could you spot an HMRC phishing scam if sent one? Simple steps effective in identifying a phishing scam or fraudulent HMRC letter.
Sign up to our newsletter to get the latest from Business Advice.