South East: Businesses lose £3m to mandate fraud

Businesses in the South East are being urged to alert staff to the dangers of mandate fraud after new figures show that companies in the region lost £3 million last year.

The data, obtained by RSM from Action Fraud, the UK’s national fraud and cyber-crime reporting centre, revealed that businesses in the region submitted 235 reports about mandate fraud in 2016-17.

There were 87 reports with verified losses of nearly £1.5m in the Thames Valley in the past year, plus 32 in Hampshire and another 14 in Dorset.

Mandate fraud occurs when an employee is tricked into changing a regular payment mandate such as a direct debit, standing order or bank transfer and redirecting it into a fraudster’s account.

The fraudsters can contact employees via email purporting to be from a supplier that receives regular payments. These approaches are sometimes plausible as they have correct details of staff members’ names and departments obtained as a result of phishing attacks. The scam will often only come to light when the real supplier chases for payment.

Nationally, there were more than 1,500 reports about mandate fraud in 2016-17 costing businesses some £32.2m, 12 per cent of all losses reported to Action Fraud by UK businesses last year.

Akhlaq Ahmed, forensic partner at audit, tax and consulting firm RSM, said: "These figures show that far too many businesses across the region are falling victim to mandate fraud. While in some cases the losses are relatively small, in others they can run into hundreds of thousands of pounds, potentially putting the future viability of the business at risk.

"Businesses must wake up to the threat of mandate fraud and take urgent action to prevent it. With the right training and controls in place, there’s no reason why these fraud attempts should be successful."

Businesses are advised to do the following:

• Implement training programmes for staff, particularly those in the finance function, so they are aware of the risks.
• Consider running an ethical hacking exercise to test resilience to phishing attacks.
• Verify all requests for amended payments by checking directly with the organisation or supplier in question.
• Monitor bank statements regularly and report any suspicions to the bank and the police.
• Notify the supplier organisation that has been impersonated.
• Never leave invoices or regular payment mandates on display for others to see.