Perpetrated via a variety of methods, the goal of these scams is to entice a business to make a payment for a legitimate supplier to a potentially 'hijacked' bank account not associated with the supplier.
Fraudsters have been obtaining legitimate supplier information, potentially through public tender, social media, or other information sources.
The fraudster then impersonates the supplier and makes contact with a target business, occasionally initiated by notifying of a change of the legitimate supplier’s contact person to an alias the fraudster has created.
This can be followed by sending through fabricated 'official-looking' documents requesting a change of bank details.
The targeted business will then update the supplier’s bank details and makes a regular payment to the new bank account, to which the fraudster has access – often having seized or hijacked it from another victim.
Finally, the fraudster may withdraw the funds or transfer to other bank accounts, thereby making tracing and recovery of funds extremely difficult.
“This scam may only be detected when the original supplier, completely unaware of their identity having been stolen, asks why they haven’t been paid,” said Stephen Roberts, associate director, advisory, at KPMG.
“Therefore, depending on agreed payment terms, this may be some time after the scam occurred, thereby further reducing the possibility of recovering the fraudulently obtained funds,” he added.
Mr Roberts noted that raising awareness across a business is a necessary counter-measure against fraudsters, given employees will likely be the first point of contact.
“It may also be prudent to review processes and controls in place to verify the identity of, or instructions from, third parties that your organisation deals with. In the short to medium or even long term, after a cost-benefit assessment of the risks associated with such scams, an adjustment to business process may help mitigate the risks of falling prey to these fraudsters,” he said.
“Whilst it’s widely regarded that 'prevention is better than cure', for any organisation who feels they may have fallen victim to such a scam, the general advice is to act fast. Contact your financial institution and seek to put a freeze on the cash payment, whilst engaging with an appropriate expert or authority to help your organisation investigate the alleged scam and attempt to trace and recover any fraudulently obtained funds.”