Most people who use email have at some point received email scams. Most of these are obvious: emails in broken English from strangers, citing dubious reasons for needing a cash payment. However, in 2015 we have seen far more sophisticated frauds, and a number of large businesses have fallen victim to them.
These scams are carefully planned. They are usually addressed to individuals within the business who have the power to direct payments. The sender may appear as another senior individual within the business, a reputable professional, or an existing supplier. Fraudsters set up email accounts which are easily mistaken genuine accounts, usually with minor spelling differences. For example, a busy employee might not immediately spot the difference between firstname.lastname@example.org (the author's email address) and email@example.com (a non-existent email address). Often a corporate logo is copied into the email, so that it looks genuine. The requests are often plausible: for example a purported supplier sending a formal letter notifying details of their new bank accounts, a reputable professional demanding urgent payment of completion monies for a deal, or an email from the IT helpdesk asking for a password.
Companies can take steps to avoid falling victim to these scams. Anti-fraud and payment policies need to be resilient and updated regularly. Whilst each business will face different risks, key points that should always be covered are:
- Payment requests should be dealt with cautiously. Where requests are received by email, they should be verified in person with the sender. It is important that the details on the email request are not used for this verification – i.e. employees should not 'reply' to the email or use the telephone number on it, instead they should use details known to be those of the counterparty.
- It is wise to have heightened checks on unusual payments, including those over a certain money sum or payments where the counterparty has advised new payment details. Such payment requests should be verified by speaking by telephone to a known individual at the counterparty.
- Other policies which may not appear directly relevant to payments can also have an effect. For example, documents which contain details of suppliers and contracts should always be shredded to avoid this information falling into the wrong hands. Similarly, the company's electronic security is crucial.
Policies only work if they are complied with. Regular fraud prevention training should increase employees' awareness of fraud and remind them to follow the relevant policies.
If it all goes wrong
Finally, where a business falls victim to a payment scam, it is possible in some cases to trace and freeze the money. Often the money is moved abroad quickly, through a number of bank accounts. Businesses need to act quickly in these cases, as the longer they wait the harder it becomes to recover the money. The first 24 to 48 hours from the time of payment are often the most critical period.