Payment diversion fraud involves cyber criminals posing as trusted entities to take scheduled payments. Incidents have risen over the pandemic, as home working has made people more vulnerable to falling for it.
I had personal experience of an attempted payment diversion fraud when I was a Trustee and Chairman of the Audit and Risk Committee of a large charity. A fraudster contacted the charity purporting to be from a supplier that was owed over £200,000 and asking for the payment to be made to an alternative bank.
Fortunately, our fraud prevention procedures and internal auditor spotted it in time to avoid the payment being made, but it was a close call.
So, with payment diversion fraud on the rise, what do businesses need to know, and how can they spot the signs and avoid it?
Types of payment diversion fraud
There are a few types of payment diversion fraud, including mandate fraud and fraudulent bank communications.
Mandate fraud is when a person contacts you – usually by email or phone – pretending to be a supplier and asking you to change their bank details. Any payment made to this 'supplier' afterwards will go to the fraudster's bank account and not the actual supplier.
Fraudsters can also hack into the email of a client or supplier and send false payment instructions, which can seem more genuine to the victim.
Another version of this fraud is fraudulent bank communications; the fraudster claims to be a bank to get you to reveal account security details, enabling them to make a payment out of your account.
Fraudsters will hack into the supplier's system, or they will create a domain name that is very similar to the supplier's. When you receive an email from them, you don't notice that the email address is ever so slightly different.
Accounts payable teams are often processing a lot of payments. In situations where those teams are working from home, individuals may not go through the same level of checks that they would in the office.
How can businesses avoid it?
To learn to dodge an attack, business owners first need to know how fraudsters work and the techniques they often use in this kind of fraud.
Training staff is important so that they're aware of these types of fraud and scams and give emails more than one glance. There are often a couple of signs that you can pick up on. The email address might not look the same as you expected, or the way an email is written may be different to previous emails.
Often, these messages will appear out of the blue. Suddenly a payment is urgent, a password is about to expire, or specific account details need verification. That's quite often the technique used when they're pretending to be HMRC, saying you need to take action now or you're going to get into trouble.
They're trying to pressure you and scare you.
Businesses also need adequate checks in place to catch fraud attempts when they happen. This could be a double-check system before any bank details are changed: phone the supplier to make sure you have the correct details, or compare a previous invoice with a new one to make sure they match. If instinct suggests it's not right, it probably isn't.
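The lookalike-domain check and the bank-detail double-check described above can be partly automated in an accounts payable workflow. The following Python is an added example, not part of the original article; the supplier domains, sort codes and account numbers are constructed, and the function names are hypothetical.

```python
# Constructed supplier master file: sender domain -> bank details on record.
SUPPLIERS = {
    "acme-supplies.example": {"sort_code": "12-34-56", "account": "00012345"},
    "northernprint.example": {"sort_code": "65-43-21", "account": "00067890"},
}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def match_sender(address, suppliers=SUPPLIERS, max_distance=2):
    """Return (status, supplier_domain); status is known, lookalike or unknown."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in suppliers:
        return "known", domain
    nearest = min(suppliers, key=lambda d: edit_distance(domain, d))
    if edit_distance(domain, nearest) <= max_distance:
        return "lookalike", nearest  # e.g. "rn" typed in place of "m"
    return "unknown", None

def review_invoice(sender, sort_code, account, suppliers=SUPPLIERS):
    """Return the reasons to hold a payment; an empty list means no flag."""
    status, domain = match_sender(sender, suppliers)
    reasons = []
    if status == "lookalike":
        reasons.append(f"sender domain resembles {domain} but is not identical")
    elif status == "unknown":
        reasons.append("sender domain is not in the supplier master file")
    record = suppliers.get(domain)
    # A genuine mailbox can be hacked, so changed details are held even
    # when the sender domain matches exactly.
    if record and (sort_code, account) != (record["sort_code"], record["account"]):
        reasons.append("bank details differ from record: phone the supplier to confirm")
    return reasons

if __name__ == "__main__":
    for sender in ("accounts@acme-supplies.example", "accounts@acrne-supplies.example"):
        print(sender, review_invoice(sender, "11-22-33", "99999999"))
```

An empty result only means these two checks raised nothing; it does not replace the phone call before bank details are changed.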
What to do if it happens to you
If it happens, stop any further payments immediately and follow your business's fraud prevention procedure. This could include reporting the incident, being alert for any suspicious or unusual activity and changing any passwords that might be compromised.
If you shared any bank account details, contact your bank to freeze the account or look for suspicious activity.
For more information, see the National Crime Agency’s PDF, which explains what you need to know about payment fraud and how to protect yourself.
Stay safe
Noel Guilford