By Daniel Hunter
Over the past 6 months KPMG’s Forensic team has examined 11 new cases of fraud and become aware of at least 13 more where the modus operandi indicates that organisations are falling victim to an increasingly popular and trending style of scamming.
The cases range in value from just over £30,000 lost by one business in a single transaction to a total of £5 million extracted from another. It also appears that there is little discrimination in the type of organisation being targeted. Of the various instances identified, seven have been in the retail industry, but telecoms suppliers, manufacturers, providers of leisure services and public sector organisations are amongst the victims, too.
Increasingly known as ‘Payment Diversion’ or ‘Mandate’ fraud, the scam revolves around fraudsters posing as employees of an organisation’s supplier and providing false instructions asking for bank account details to be changed. KPMG’s investigations reveal that the technique is so convincing that organisations that are unaware of fraudsters’ methods can fall for it repeatedly. One case, for example, involving an organisation in the retail sector, saw 3 separate attacks of this fraud.
According to KPMG’s analysis, the majority of scams are directed towards organisations where the relationship between buyer and supplier is in the public domain. In all but 4 of the 24 cases uncovered, fraudsters appear to be making use of openly declared business relationships — an unintended consequence of public sector organisations’ determination to demonstrate transparency in their business dealings and private sector businesses informing stakeholders of core relationships.
With the cases coming to light revolving around large payments (the average fraud is £1 million), it also seems that fraudsters believe that flaws in organisational checks and balances ensure ‘payment diversion fraud’ is easy to get away with. The cases examined by KPMG suggest that fraudsters also assume that a lack of knowledge amongst employees about the typical ‘red flags’ to look out for prevents discovery of the crimes before it is too late.
Priya Giuliani, director in KPMG Forensic, said: “Payment Diversion Fraud often works because the fraudster builds a level of trust before making their move. Sometimes it can be as simple as making calls at ‘month-end’ so that instructions to change payment details come across as timely and helpful. The truth is that many organisations fall victim because they trust the request is coming from a genuine supplier as the fraudster quotes apparently sensitive information, they are too busy to corroborate anything and assume their procedures are adequate enough to prevent fraud from happening.”
Of the cases identified, the majority of frauds were discovered because suppliers chased payments. Only 3 incidents were spotted before payment was made to a fraudulent bank account because staff raised the alarm after calling trusted contacts within their supplier’s Accounts Team.
Relying on individual vigilance is clearly not a strong enough safeguard. According to KPMG’s analysis, discovery of a fraud does not always result in full recovery of the stolen funds. For example, one fraud, where the business operated in the manufacturing industry, saw the company recoup less than 5 percent of the funds lost. Another saw a public sector organisation recover just £20,000 from £350,000 lost to a fraudster.
Giuliani adds: “Organisations that are particularly vulnerable don’t have an embedded anti-fraud culture and this leads to weak controls. Sometimes those with an off-shored finance function are the ones most likely to miss red flags, either because of cultural differences or due to a focus on KPIs revolving around processes, not prevention. The difficulty is that fraudsters are constantly mutating their modus operandi to over-ride any controls that are put into place, making this a constant game of cat and mouse.”