In the past, fraudsters (posing as the genuine supplier) have usually sent an email asking for beneficiary bank account details to be changed within the online banking records. If the recipient of the fraudulent email acts on this and amends the bank details, then when the next invoice is received from the genuine supplier, the payment is made to the fraudster. The paying business still has a liability to its genuine supplier, as well as having sent the money to the fraudster.
The publicity around this scam has led to businesses being more aware of instructions to amend bank details, usually meaning they will call the known number of the supplier and ideally speak to a known voice to confirm the change – which is still strongly recommended.
Fraudsters are therefore looking for a new way to achieve the same result. To do this, they try to gain access to email inboxes and find mail which has invoices attached. From here, what they aim to do is:
· Download a copy of the attached invoice and change the bank details to their own
· Set up an email address which appears to come from the supplier company
· Send a new email from the bogus email address to the business whose email was attacked, and attach the fraudulent invoice
· State in the email message a phrase along the lines of “we sent you an invoice last week and realise that it contains our old bank details. We hope that we have caught you in time before you send the payment. Here is another copy of the invoice with our new bank details.”
So, how do I avoid falling victim to this type of fraud?
· Always use strong passwords which are not shared with other people and which are not used for multiple purposes.
· Add another layer of security at the login stage with multi-factor authentication (for example, having to enter a code received in a text message as well as the password).
· Protect mobile devices, including laptops, with encryption software which can also block the device if it is lost or stolen.
· Never change bank beneficiary details purely from a written instruction. Always make a telephone call to verify the instruction. Don’t take the phone number from the invoice – use the number already in your records or from a trusted website.
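
The last point can be backed by an automated check in the accounts payable process. The following is an added example, not part of the original article: it compares the sender domain and bank details on an incoming invoice with the supplier record already held, and lists reasons to hold the payment until a call is made to the number on file. The supplier record, the function names and the 0.8 similarity threshold are all assumptions made for illustration.

```python
import difflib

# Constructed supplier master record (hypothetical values, not from the article).
SUPPLIERS = {
    "Acme Supplies Ltd": {
        "domain": "acme-supplies.example",
        "sort_code": "12-34-56",
        "account": "12345678",
        "phone": "+44 20 7946 0000",
    },
}

def normalise(value):
    """Keep only letters and digits so '12-34-56' and '12 34 56' compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).lower()

def check_invoice(supplier, sender, sort_code, account):
    """Return reasons to hold the payment; an empty list means no mismatch found."""
    record = SUPPLIERS.get(supplier)
    if record is None:
        return ["supplier not in records: verify by phone before paying"]
    reasons = []
    # Compare the sender's domain with the one on file, not the display name.
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain != record["domain"]:
        # A near match suggests an address set up to resemble the supplier's.
        ratio = difflib.SequenceMatcher(None, domain, record["domain"]).ratio()
        kind = "look-alike" if ratio >= 0.8 else "unknown"
        reasons.append(f"{kind} sender domain {domain!r}")
    on_invoice = (normalise(sort_code), normalise(account))
    on_file = (normalise(record["sort_code"]), normalise(record["account"]))
    if on_invoice != on_file:
        reasons.append("bank details differ from records")
    if reasons:
        # The callback number comes from the record, never from the invoice.
        reasons.append(f"call the number on file: {record['phone']}")
    return reasons

if __name__ == "__main__":
    # Constructed sample: a resent invoice with changed bank details.
    for reason in check_invoice("Acme Supplies Ltd",
                                "accounts@acme-suppliess.example",
                                "65-43-21", "87654321"):
        print("HOLD:", reason)
```

An empty result only means nothing on the invoice contradicts the records. A request to change bank details still needs the telephone check, because a fraudster with access to the supplier's real mailbox would pass the domain comparison.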