Fraud Basics

Change-of-banking-details scheme defrauds quietly

Beware fraudsters who want to masquerade as your service providers. They’ll steal purchasing information, change bank account details and trick you into paying them.

Jill is a creditor’s clerk at Organization A in South Africa. It’s month end, and she’s about to process payment of an invoice for Supplier X. She then receives an email from Hugo, the debtor’s administrator in the collections department at Supplier X, who requests payment of the R2 million (about US$140,803) invoice into a new bank account. He’s attached a confirmation letter for the new bank account and other supporting documentation. Jill accepts the information and prepares a payment request for the new bank account.

The next day, the funds transfer into the new bank account. Joey, the debtor’s clerk at Supplier X, calls to say that he hasn’t received payment for services rendered. Jill sends him the proof of payment, but Joey tells her the bank account number is wrong. Jill then sends Joey the email in which the debtor’s administrator at Supplier X supposedly requested the change in banking details. Joey replies that he didn’t send the request. Jill freezes. She realizes she’s been duped.

Organizations need to be aware of this insidious change-of-banking-details fraud when perpetrators assume the identities of legitimate suppliers and divert payments of invoices into their own accounts. They do this by sending forged, altered or manipulated legitimate documents and/or emails that then flow through organizations’ normal payment systems.

Fraudsters — or sometimes organized syndicates — normally obtain personally identifiable information, such as company invoices, via email phishing attacks and spyware or from colluding insiders who’ll rummage through company mailboxes. Organizations normally only detect problems when legitimate suppliers inquire about their outstanding payments. (See “Business email compromise” at the end of this article.)

These fraudsters often pay “runners” as fronts to open bank accounts into which conned organizations unwittingly send their payments. By the time the bona fide suppliers are asking for their money, the fraudsters have withdrawn the funds in cash or transferred them into other bank accounts. They then vanish with little or no trace. The runners are identified through the banks and are sometimes apprehended but not always prosecuted because they often plead ignorance or that the fraudsters blackmailed them. Organizations lose vast amounts of money if they don’t implement the proper controls.

Cases we’ve seen

Here are two examples of this type of fraud that our firm has recently investigated:

Faulty online vendor system

As in the opening case, the fraudster paid a runner to use the runner’s bank account and then obtained information on payments to an organization’s service providers by intercepting emails and by colluding with an employee. The fraudster discovered that a service provider had sent the organization a large invoice. So, the fraudster, in the guise of the service provider, logged onto the organization’s vendor system (possibly with help from an internal accomplice) and asked to change his banking information. The organization had already unwittingly given the fraudster information that allowed him to gain access to the online system.

The fraudster convinced the organization to change the banking details of the true service provider by forging a bank confirmation letter that accompanied a letter on the service provider’s letterhead — stolen by an insider accomplice — requesting the changes. He then sent them to the organization by email or in person to the reception desk. The organization then changed the banking details and transferred payment to the amended bank account. The fraudster walked off with R250 000 (or about US$17,600).

Costly conversation

In this case, the fraudster intercepted email correspondence between the organization and a service provider about the payment of invoices by registering a fake domain and creating a fraudulent email address that impersonated the service provider’s personnel. The fraudster then began a conversation with the organization about changing the true service provider’s banking details to his own.

Below, see a typical email the fraudster would send to an organization requesting changes in banking details before submitting a final invoice for payment.

[Figure: example of a fraudulent change-of-banking-details email sent to an organization]

The fraudster sent a follow-up email that put pressure on the organization to meet the payment deadline to obtain early payment discounts. The organization paid the invoice and lost R510 000 (or about US$35,905). The fraudster was never caught.

Flaming red flags

  • Scrutinize email correspondence carefully for misspelled words and incorrect grammar. In the email example above, see the missing word “as” before the word “follows,” “over” is spelled “ovir” and “payments” is spelled “paymets.”
  • Check email addresses carefully for incorrect extensions, such as “.com” instead of “.co.za.” (The internet country code top-level domain for South Africa is “.za.”)
  • Examine domains of email addresses for addresses that differ even slightly from legitimate addresses. For example, kanaidoo@eENSafrica.com instead of kanaidoo@ENSafrica.com.
  • Look for copied-and-pasted email signatures, which you can usually detect by their reduced resolution and by comparing them with previous legitimate emails from the service provider.
  • Check contact telephone numbers. A pay-as-you-go contact number — not a landline — is often a telltale indicator of syndicate involvement.
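One way to automate the two email-address checks above (wrong country-code extension, and a domain that differs only slightly from a known supplier’s) is to compare each sender domain against a list of known supplier domains. This is an added example, not code from the article or from ENSafrica; the supplier list is constructed for illustration.

```python
# Added example (not from the article): flag sender domains that are a near-miss of a
# known supplier domain, as the red flags above describe.
import re

# Constructed allow-list of known supplier domains (assumption for this example).
KNOWN_DOMAINS = {"ensafrica.com", "supplierx.co.za"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Split 'supplierx.co.za' into ('supplierx', 'co.za') and 'ensafrica.com' into ('ensafrica', 'com')."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov", "net"} and len(labels[-1]) == 2:
        return ".".join(labels[:-2]), ".".join(labels[-2:])
    return ".".join(labels[:-1]), labels[-1]


def check_sender(address: str, known=KNOWN_DOMAINS):
    """Return (verdict, reason): 'ok', 'flag', 'unknown' or 'reject' for one sender address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return ("reject", "malformed address")
    domain = m.group(1).lower()
    if domain in known:
        return ("ok", "known supplier domain")
    name, tld = split_domain(domain)
    for k in known:
        kname, ktld = split_domain(k)
        # Same organisation name but a different extension, e.g. .com instead of .co.za.
        if name == kname and tld != ktld:
            return ("flag", f"same name as {k} but wrong extension .{tld}")
        # An extra, missing or swapped character, e.g. eENSafrica instead of ENSafrica.
        # A threshold of 2 is generous for very short names; tune it to your supplier list.
        if levenshtein(name, kname) <= 2:
            return ("flag", f"lookalike of {k}")
    return ("unknown", "domain not on supplier list")
```

Anything other than "ok" should route the change request to the manual verification steps described later in the article rather than being rejected or accepted by the script alone.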

Increasing susceptibility

Particular conditions can make organizations more susceptible to change-of-banking-details fraud:

  • Allowing junior employees to change sensitive information without senior management approval.
  • Using temp staff in high-risk areas.
  • Inappropriate governance, compliance and ethics policies and procedures in billings and collections, or the absence of good ones.
  • Inadequate communication and training within the organization of the above policies and procedures.
  • Inadequate security controls. Install the latest security updates and run all anti-virus/anti-spyware software.
  • Inadequate integrity due diligence performed on new hires by foregoing basic pre-screening such as criminal and reference checks.
  • No segregation of duties between processing and approval.

Risk-minimizing measures

Take these steps to minimize your risk of change-of-banking-details fraud:

  • Require watermarked, officially stamped and sequentially numbered change-of-banking-details documents. Record every such document in a register controlled by two senior employees.
  • Obtain original, signed invoices for very large payments directly from service providers when possible.
  • Make sure the banking details on the payment match the original, verified details. Attach the verified details to the original invoice. Finally, mandate that senior officials of your organization approve the documents before payment.
  • Verify all amendments of banking details with service providers and banks. Call service providers with original listed phone numbers and not the numbers on the documents. Ask to speak to someone you’re familiar with and whose voice you recognize. Fraudsters pay attention to specific details. If you call a number listed on a fraudulent document, normally a person is waiting eagerly at the other end of the line to confirm the fraudulent details.
  • Insist on a confirmation that the name of the account holder on the banking system corresponds with the bank account number.
  • Strategically place security cameras in areas of your organization’s building that require customer and client interaction so you might identify would-be fraudsters.
  • Send out monthly correspondence to your service providers to inform them that your banking details haven’t changed.
  • Don’t publish any bank account details on your website or any other place on the internet.
  • Don’t disclose sensitive information to any parties who aren’t entitled to receive it.
  • Don’t throw away sensitive documents that contain banking details. Shred them!
  • Publicize in-house changes to mandatory policies and procedures on banking details through internal bulletin boards and staff intranet portals.
  • If a fraudster rips you off, immediately report the crime to authorities for investigation. If they arrest suspects, provide the police with necessary support for prosecution.
  • Enforce your zero-tolerance policy against fraud by setting an example.

Inform your colleagues

Change-of-banking-details fraud is a highly prevalent threat. Minimize your organization’s risk of payment to fictitious service providers by ensuring your colleagues know the conditions that make them susceptible and help them implement the necessary precautions.

Kashmita Reddy, CFE, is forensics manager at ENSafrica in Cape Town, South Africa. Contact her at kreddy@ensafrica.com.


Sidebar: Business email compromise

The change-of-banking-details scheme isn’t the only fraud that involves fraudsters’ misuse of email communication to fool organizational employees. In recent years, a new form of spear-phishing attack known as business email compromise (BEC) has emerged that directly targets executives or other high-ranking corporate employees who have the ability to make large payments. BEC schemes typically involve fraudulent emails that appear to be from the company’s own CEO or from the head of a foreign supplier that the company has done business with for years. The emails often instruct the employee to perform a time-sensitive wire transfer to ensure that the supply chain isn’t disturbed.

Increasingly, fraudsters pair these emails with insistent phone calls from someone posing as the email senders or as the senders’ attorneys.

In May 2017, the FBI released a bulletin about a sharp increase in the number of BEC schemes in the U.S. with a total of $5 billion in losses reported from October 2013 to December 2016. (See Business E-Mail Compromise, E-Mail Account Compromise: The 5 Billion Dollar Scam.)

Although these schemes can take numerous forms, the FBI has identified five common scenarios for BEC schemes:

  • Business working with a foreign supplier: Fraudsters posing as a company’s foreign supplier send an email to the company and request that funds be transferred to an alternate account controlled by the fraudsters.
  • Business executive requesting a wire transfer: Fraudsters use the compromised email account of a high-level executive to pose as the executive and ask an employee to transfer funds to the fraudsters’ account.
  • Vendors receiving fraudulent request for payment: Fraudsters use an employee’s compromised email account to identify the company’s vendors and ask them to transfer funds to the fraudsters’ account.
  • Attorney impersonation: Fraudsters posing as the company’s attorney contact an employee and request a transfer of funds to the fraudsters’ account, often insisting that the employee act quickly and secretly.
  • Data theft: Fraudsters use the compromised email account of a high-level executive to request employees’ tax information or other personally identifiable information from the person responsible for maintaining such information (e.g., human resources personnel). This stolen data may then be used to commit one of the BEC schemes described above.

These schemes are often successful because employees want to satisfy their superiors or business associates and are intimidated into action without verification.

Source: Online ACFE Fraud Examiners Manual, Section 1: Financial Transaction and Fraud Schemes, Computer Hacking.
