KPMG has noted a new trend in relation to business fraud which poses a serious risk of significant financial loss.
Lucas Chiloane, manager in Forensic Technology at KPMG and Roy Waligora, partner at KPMG, write that a payments fraud scheme is on the rise exposing businesses to potential financial and reputational loss. Fraudsters target companies by pretending to be from suppliers and divert otherwise valid payments to the fraudsters bank account.
Fraudsters seem to be targeting businesses using supplier or vendor bank account details. In one such case, a fraudster contacted an individual, a relatively junior staff member, in the accounts department and said that they were calling from one of their suppliers who wished to inform them that their account details had been changed.
The accounts clerk, as normal, requested proof of the change in bank details in the form of:
* A signed and stamped letter from the bank confirming the change in bank account details; and
* A signed letter from the supplier on the supplier’s letterhead, confirming a change in bank account details.
The requested (forged) documents were then provided in a matter of minutes via e-mail communication. The documents appeared to meet the requirements necessary to execute the change of supplier bank details on the system.
E-mail spoofing tactics – which involve using technology tools to disguise the source or sender of an e-mail, and make it appear as though it had been sent from a legitimate e-mail address – are normally used to send the requested documents.
The fraudsters take the time to gain an understanding of the business and establish with which suppliers businesses deal as well as which individual in the accounts department to target. In some instances supplier account details are altered, and as soon as the payment is processed, the records are restored. This happens in cases where the fraudsters work in collusion with internal accounts personnel.
KPMG suggests implementing the following proactive solutions:
* Institute a process in which approval from at least two senior members in the accounts department is required before any changes to supplier details are made.
* Make a simple call to your regular contact at the supplier to confirm the change in details.
* Verify all the details (such as address, phone number and on) on the change letter and whether the signatory is employed at the bank issuing the change letter. The details supplied by the fraudsters are usually fictitious and are
designed to obfuscate verification thereof.
* Put in place regular data analytics or monitoring procedures to identify recurring changes in supplier details.
* Ensure that all supplier invoices reflect bank account details and the relevant purchase order number before being processed for payment.
* Allocate a dedicated supplier number to each supplier, to be quoted on the invoice for identification purposes.
* Consider an arrangement whereby only duly authorised individuals in the supplier firm sign each invoice for comparison with a signature held by the creditors department.