As public awareness of online security grows, fraudsters have been using increasingly sophisticated methods to deceive businesses into unwittingly making payments to fraudsters’ accounts.
This often involves genuine emails from businesses to customers containing requests for payment being intercepted or copied and then altered (often with only very slight changes) so that the legitimate bank account details are replaced with those of the fraudster. The recipient then makes an online payment to what they believe is the genuine company’s bank account, but which is in fact the fraudster’s.
It can be extremely difficult to recover any money, and those affected often ask why their banks did not identify any problems when processing the payment. Historically, banks have only been required to check sort codes and account numbers when processing payments, rather than any other details that may be provided when making the request.
Pay.UK, the UK’s payments operator, has recently announced that banks will soon also be required to check payee names when processing payments. The new system should be implemented for most banks by July 2019.
Whilst this is undoubtedly positive news, businesses do leave themselves open to risk if they fail to have appropriate safeguards in place when requesting payments. As a minimum, you should:
- Review the procedures you use for sending out payment requests and ensure they are sufficiently robust and secure.
- Consider how and when you give your bank details. Could you include your bank details at the outset of a transaction instead, or send them out in a durable format (eg by post) instead of by email?
- Think about whether you should include some wording in your email footers to make clear that you will not inform customers of a change of bank details by email.
- Could you give your customers a protocol to follow if they want to verify bank details before making any payment – eg by contacting a specific department?
- When making large payments, consider contacting the recipient, eg by a known telephone number, to verify bank details. Always be alert to risks: at VWV, we are aware of numerous examples of internal emails purportedly sent from CEOs asking for payments to be arranged, which are in fact bogus.
- Consider whether you have insurance in place for this kind of issue.
For more information please contact Ben Holt on 0117 314 5478 or Sarah Perry on 0117 314 5262.
Ben and Sarah are from VWV, an award-winning law firm.