Supplier mandate fraud involves an attempt to impersonate a known supplier and divert legitimate payments into a fraudster’s bank account.
Figures for 2018 released by UK Finance show there were 3,280 cases of supplier mandate fraud in the UK, resulting in losses of £92.7 million to UK businesses.
Supplier fraud is not just a concern for large businesses: in 2018 there were 4,274 reported cases of this kind of fraud affecting personal bank accounts, resulting in losses of £31.0m.
How does supplier mandate fraud work?
It typically involves the accounts department receiving an email purporting to be from a known supplier, notifying them of a change of bank details and requesting that future payments be made to the new account. The request may be received at the same time as an expected invoice.
An email may look 100% genuine at first glance, with the name of the supplier appearing as the sender in the From field of the email. Hovering the mouse over the email address should reveal the address the message has actually been sent from.
An email can even be received from the supplier’s genuine email account if their company network has been compromised by hackers. It is possible for a legitimate email containing an invoice to be intercepted and for the payment details to be annotated by hackers. In this instance, the email would appear as originating from the genuine supplier.
Alternatively, the email address may have been made to look very similar to that of the supplier being impersonated; this may include an additional letter or character, or a similar variation of the genuine email address.
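The sender checks described above can be partly automated. The following is an added example, not code from the original article: it compares a From header against supplier addresses held on file and flags a supplier's name shown over a different address, or an address that differs from the genuine one by a character or two. The supplier names, addresses and the function name check_sender are hypothetical and constructed for illustration.

```python
from email.utils import parseaddr

# Constructed supplier master data (hypothetical names and addresses).
KNOWN_SUPPLIERS = {
    "Acme Building Supplies": "accounts@acme-building.example",
    "Northfield Conveyancing": "billing@northfield-law.example",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, max_distance: int = 2) -> list[str]:
    """Return warning flags for a From header (hypothetical helper).

    An empty list only means the address is exactly one held on file.
    A compromised supplier mailbox also passes this check, so a change
    of bank details still needs verifying via established contact details.
    """
    display, address = parseaddr(from_header)
    address = address.lower()
    if address in (a.lower() for a in KNOWN_SUPPLIERS.values()):
        return []
    flags = []
    for name, known in KNOWN_SUPPLIERS.items():
        known = known.lower()
        # Supplier's name is shown, but a different address sits behind it.
        if name.lower() in display.lower():
            flags.append(f"display name '{name}' does not match address on file")
        # Address differs from the genuine one by a character or two.
        if 0 < edit_distance(address, known) <= max_distance:
            flags.append(f"address resembles '{known}'")
    return flags or ["unknown sender"]

# Constructed sample headers, one per case.
SAMPLES = [
    '"Acme Building Supplies" <accounts@acme-building.example>',
    '"Acme Building Supplies" <acme.accounts@freemail.example>',
    'Accounts <accounts@acme-buildling.example>',
]
if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header))
```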
The fraud is often discovered when the genuine supplier contacts the organisation to question why they haven’t yet been paid.
This type of fraud can occur when you are in the process of having work completed; typical examples are receiving invoices for building work or conveyancing. If the supplier’s email account has been compromised, the invoice to you can be intercepted and the payment details replaced with those of the fraudster. It is good practice when receiving an invoice for payment to independently confirm with the supplier the amount of the invoice received and the bank account details it should be paid into. If there is any doubt, pay £1.00 as an initial payment and follow up with the remaining balance once the supplier has confirmed receipt.
Targeted attacks and other tactics
When targeting a business, fraudsters may research and build up as much information about the business as possible, using company websites, LinkedIn and other social media to collect details on relationships with customers and suppliers as well as named contacts working in various departments. Information about your suppliers may be taken from your company website, or alternatively if your suppliers have publicised working with you, information can be collected from their website or social media channels identifying you as a customer.
Attacks may be targeted at individual employees in the accounts department, again using information gleaned from the public domain and social media or by previously contacting the organisation requesting details of who to contact.
What can you do to prevent supplier mandate fraud?
You may not be able to stop your business being targeted in this way, but there are several steps you can take to mitigate the risk.
- Ensure relevant staff are well trained to be alert to this type of fraud and understand the steps they can take to identify it.
- Encourage staff to question and double check the validity of all requests to set up or change payment details.
- Any requests to change standing data such as bank account details should be followed up and independently verified with the supplier using established contact details. Do not use contact details provided with the request to change details.
- Never accept changes to bank account details from an unsolicited telephone call purporting to be from a supplier.
- When setting up a new supplier and making payment for the first time, it is good practice to pay a small amount such as £1.00 and follow up with the remaining balance once the supplier has confirmed receipt of the payment.
- Check and reconcile bank statements carefully to identify any suspicious or unrecognised activity.
- Train staff how to double check the original email address of an email received in relation to payment instructions and change of account details so that spoofed emails can be identified.
Report any attempted fraud to Action Fraud, the police’s national fraud and cybercrime reporting centre. Even if you’ve not suffered any financial loss, you should still report the attempt. You can submit a report via their website at www.actionfraud.police.uk.
Ensuring that all staff are aware of and alert to supplier invoice fraud and have been trained to recognise it can help reduce the risk of your business falling victim to this type of fraud.
If you would like any further information or require support with your accounts payable procedures or staff training, please get in touch to discuss how we can help.