Your Industry, May 14 2019

Beware the invoice scammers


A new study has revealed that the UK’s financial services industry lost almost £93bn in 2018 as a result of invoice scams and more stringent adherence to standards is urgently needed to avoid the situation worsening.

The research by UK Finance also suggests many firms are unaware of the risks posed by this type of fraud.

Among those most at risk of being targeted by scams such as ‘phishing’ attacks are businesses that hold client money for the purposes of making property transactions, purchasing bonds or other investments, or buying insurance.

These firms often hold large sums of money and may not have considered the possibility that they could be targeted by scammers.

One of the main areas of fraud risk for firms holding client money is insecure email accounts and web-based accounting systems.

Fraudsters are able to exploit any weaknesses they find in such systems in order to intercept key data and cause the transfer of sums of money directly into third-party bank accounts.

‘Phishing’ attacks often involve the use of ‘bait’, contained in a false email that an unsuspecting person might open and respond to.

This email may contain a malicious link, allowing the fraudster to gain access to the firm’s systems.

Alternatively, the fraudster might be able to extract key information from a member of staff, such as a director’s email address and signature details.

Widespread use of email and online banking has led to more sophisticated scams, in which fraudsters compromise the email account of a known third party, such as a supplier, in order to impersonate them and divert payments into their own bank account.

To protect against such attacks, financial advisers and other financial services firms such as mortgage and insurance brokers need to be vigilant and ensure their systems are robust and reviewed regularly.

Seeking certification from Cyber Essentials, a scheme run by the National Cyber Security Centre, will ensure certain standards are met, but firms should also keep their knowledge and understanding of the latest fraudulent activity up to date.

Specialist fraud-testing firms may also be used to carry out penetration testing and identify areas of potential weakness.

Adopting robust processes and procedures can help to prevent firms becoming an easy target for fraudsters. For example, staff should look out for changes to address/contact details and bank account details that are not highlighted or announced.

Another red flag could be a new bank account, with the same sort code, but a different account number that was not known until the invoice was received. A change of payment terms could also indicate something is not right.
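The red flags described above can be checked automatically before a payment is released. The following is an added example, not code from the article or from Menzies LLP: it compares an incoming invoice with the supplier details already held on file and holds the payment for independent verification when any unannounced change appears. All supplier and invoice values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SupplierRecord:
    """Details held on file for an approved supplier (constructed sample)."""
    name: str
    contact_email: str
    address: str
    sort_code: str
    account_number: str
    payment_terms_days: int


@dataclass(frozen=True)
class Invoice:
    """Details taken from an incoming invoice (constructed sample)."""
    supplier_name: str
    contact_email: str
    address: str
    sort_code: str
    account_number: str
    payment_terms_days: int
    change_announced: bool = False  # did the supplier announce a change beforehand?


def invoice_red_flags(invoice: Invoice, master: SupplierRecord) -> list[str]:
    """Return the red flags raised by comparing an invoice with the supplier master record."""
    flags = []
    # Same sort code but a new account number is the specific pattern the article warns about.
    if invoice.sort_code == master.sort_code and invoice.account_number != master.account_number:
        flags.append("new account number under the same sort code")
    elif (invoice.sort_code, invoice.account_number) != (master.sort_code, master.account_number):
        flags.append("bank details differ from supplier record")
    if invoice.contact_email.strip().lower() != master.contact_email.strip().lower():
        flags.append("contact email differs from supplier record")
    if invoice.address.strip().lower() != master.address.strip().lower():
        flags.append("address differs from supplier record")
    if invoice.payment_terms_days != master.payment_terms_days:
        flags.append("payment terms changed")
    if flags and not invoice.change_announced:
        flags.append("changes were not announced in advance")
    return flags


def payment_decision(invoice: Invoice, master: SupplierRecord) -> str:
    """'hold' for independent verification when any red flag is raised, otherwise 'release'."""
    return "hold" if invoice_red_flags(invoice, master) else "release"


# Constructed sample data, not taken from the article.
MASTER = SupplierRecord("Acme Supplies Ltd", "accounts@acme-supplies.example", "1 High St, Leeds", "12-34-56", "12345678", 30)
GENUINE = Invoice("Acme Supplies Ltd", "accounts@acme-supplies.example", "1 High St, Leeds", "12-34-56", "12345678", 30)
SUSPECT = Invoice("Acme Supplies Ltd", "accounts@acme-supplies.example", "1 High St, Leeds", "12-34-56", "87654321", 14)
```

A held invoice should be confirmed with the supplier through contact details already on file, never through details printed on the invoice itself.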

Staff should be regularly tested to ensure they are alert to possible attacks and receive regular training to ensure they are aware of the latest scams. It also makes sense to segregate duties, so more than one person is responsible for authorising payments.

Whilst it is a requirement for firms holding client money, all businesses should consider putting in place a Risk Register, which should be reviewed regularly, listing all potential risks affecting their day-to-day operations and the safeguards in place to mitigate them.

A meticulous approach to cash management can also help businesses to guard against fraud by ensuring any anomalies are easy to spot.

For example, three-way forecasting links together data from the firm’s balance sheet, profit and loss accounts and cash flow, giving managers excellent cash visibility across all areas of the business.

If actual figures are falling short of expectations in some areas, or performance starts to slide unexpectedly, managers should investigate the reasons why.

Greater focus on compliance and adherence to standards can help all businesses to guard against fraud.

The Client Assurance Standard from the Financial Reporting Council specifically applies to firms that are authorised to hold client money.

To ensure compliance, firms must carry out regular client account reconciliations, matching funds in their bank account to internal accounting records and to a record of monies owed to each client.
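The three-way reconciliation just described can be expressed as a small check that reports every mismatch rather than a single pass/fail. This is an added example, not code from the article or the standard it cites; the balances are constructed sample figures and the per-client comparison goes slightly beyond the text by naming which client record is out of step.

```python
from decimal import Decimal

ZERO = Decimal("0")


def reconcile_client_account(bank_balance: Decimal,
                             ledger_balances: dict[str, Decimal],
                             monies_owed: dict[str, Decimal]) -> list[str]:
    """Three-way client account reconciliation.

    Compares the client bank account balance with the internal accounting
    records (ledger balance per client) and with the record of monies owed
    to each client. Returns a list of discrepancies; an empty list means the
    three sources agree.
    """
    issues = []
    ledger_total = sum(ledger_balances.values(), ZERO)
    owed_total = sum(monies_owed.values(), ZERO)
    if bank_balance != ledger_total:
        issues.append(f"bank balance {bank_balance} does not match ledger total {ledger_total}")
    if ledger_total != owed_total:
        issues.append(f"ledger total {ledger_total} does not match monies owed {owed_total}")
    # Per-client comparison so a mismatch can be traced to a specific record.
    for client in sorted(set(ledger_balances) | set(monies_owed)):
        in_ledger = ledger_balances.get(client, ZERO)
        owed = monies_owed.get(client, ZERO)
        if in_ledger != owed:
            issues.append(f"{client}: ledger {in_ledger} vs owed {owed}")
    return issues


# Constructed sample figures, not taken from the article.
LEDGER = {"Client A": Decimal("15000.00"), "Client B": Decimal("4250.50")}
OWED_OK = {"Client A": Decimal("15000.00"), "Client B": Decimal("4250.50")}
OWED_BAD = {"Client A": Decimal("15000.00"), "Client B": Decimal("3250.50")}
```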

As these accounts are often targeted by fraudsters, detailed systems and procedures must be in place to protect them and a risk assessment must be carried out and reviewed regularly.

Firms handling client money cannot afford to ignore the risk posed by invoice scammers, and Risk Registers must be regularly updated to ensure they reflect the evolving threat of such fraudulent activity.

As well as ensuring staff are well trained and cash is well managed, firms must ensure they are fully compliant and have the right systems and procedures in place to protect client money and their own.

Mike Ayres is a senior manager in the advisory services team at accountancy firm Menzies LLP.