Priority Scam Alert – Supplier identity theft leading to fraudulent payment
Your organisation receives a call from a legitimate supplier inquiring as to why their invoice hasn’t been paid. This enquiry may be nothing out of the ordinary, until your organisation looks at the accounting records which indicate that the invoice has been paid. What might this mean?
From recent media articles and our own experience, this turn of events may suggest your organisation has been the victim of the latest scam being embraced by external fraudsters, potentially involving organised criminal elements. The Australian Competition & Consumer Commission’s ScamWatch website has recently highlighted this as a scam for small businesses to be aware of. However, we have seen that local councils and larger corporations may also fall prey.
The scam itself may be perpetrated via a variety of methods, however the main goal is to entice an organisation to make a payment for a legitimate supplier to a potentially “hijacked” bank account not associated with the supplier. The fraudster may execute this scam as follows.
- Fraudster obtains legitimate supplier information from target organisation, potentially through public tender, social media, or other information sources.
- Fraudster impersonates supplier and makes contact with the target organisation, occasionally initiated by notifying of a change of the legitimate supplier’s contact person to an alias the fraudster has created, before sending through fabricated “official looking” documents requesting a change of bank details.
- Target organisation updates the supplier’s bank details and makes a regular payment to the new bank account, to which the fraudster has access – often having been seized or hijacked from another victim.
- Fraudster may withdraw the funds or transfer to other bank accounts, thereby making tracing and recovery of funds extremely difficult.
As highlighted by the opening hypothetical situation, this scam may only be detected when the original supplier, completely unaware of their identity having been stolen, asks why they haven’t been paid. Therefore, depending on agreed payment terms, this may be some time after the scam occurred thereby further reducing the possibility of recovering the fraudulently obtained funds.
Whilst the risk of detection in attempting to “adopt” the identity of an entire organisation may undoubtedly be higher than that of an individual, as with the recent slew of individual identity theft scams, there is a potential for higher “rewards” for the fraudster.
So, how do organisations protect themselves from the threat of these, often sophisticated, fraudsters?
Raising the awareness of your organisation’s employees can be a cost-effective countermeasure against these fraudsters. Employees are often the first line of defence in protecting the organisation from those trying to elicit funds through such scams. This may include educating employees on recent scams in your organisation’s sector / industry or the wider community, and also in making them aware of potential fraud “red flags” or indicators of activity which fail the “sniff test”. Encourage employees to embrace their own intuition and if uncertain, ask another employee or report it to their manager for a second opinion or advice.
It may also be prudent to review processes and controls in place to verify the identity of, or instructions from, third-parties that your organisation deals with. In the short to medium or even long term, after a cost-benefit assessment of the risks associated with such scams, an adjustment to business process may help mitigate the risks of falling prey to these fraudsters. For example, requests from a legitimate supplier to change bank account details may need to be verified through a direct phone call to the supplier. This verification should use, of course, the phone number on file and not the contact details provided on the documents requesting the bank details change – unless the contact number on file was changed recently, potentially by the fraudster.
Whilst it’s widely regarded that “prevention is better than cure”, for any organisation who feels they may have fallen victim to such a scam, the general advice is to act fast. Contact your financial institution and seek to put a freeze on the cash payment, whilst engaging with an appropriate expert or authority to help your organisation investigate the alleged scam and attempt to trace and recover any fraudulently obtained funds.