
What is payment diversion fraud, and how can you avoid it?

January 4, 2022

Tim Mitchell, Content Director, Get Safe Online

Payment diversion is a type of impersonation fraud. In its most basic form, it started when humans began exchanging products and services for payment, be that early coinage, a sheep, a cartwheel or a flagon of wine.

Back then, it wasn’t that easy to commit, as transactions were face-to-face and perpetrators had to be pretty clever and either do their homework to find out who owed what to whom or disguise themselves as someone else. Now, however, we have the internet, which presents fraudsters with limitless opportunity, stealth and relative anonymity.

Payment diversion fraud is committed against organisations that pay for goods and services via direct debit, standing order, bank transfer or some other kind of electronic method, which is pretty much every organisation you can think of, including those in the third sector, abhorrent though that is. In fact, it is the type of fraud most commonly experienced by respondents in a recent survey commissioned by Fraud Advisory Panel and BDO.

How does payment diversion fraud work?

Depending on how it’s committed, payment diversion fraud is also known as business email compromise (BEC) or mandate fraud.

Fraudsters normally contact charities and other organisations via email, although it can also be via a physical letter or even a phone call. They claim to represent a company that the targeted organisation has been buying products or services from – or has a subscription with. Typically, they say that they have changed their banking details – because of either a different bank or a new account – and request that payments be updated accordingly. If you or another individual in your organisation falls for the con, the first you may be aware of it is when your supplier contacts you to say that your payment hasn’t been received.

You’ll no doubt have heard about payments for people’s homes being diverted from conveyancing solicitors’ bank accounts to those set up by fraudsters. Of course, organisations carry out similar transactions, the same risk applies and sometimes the numbers are bigger.

I mentioned email being the most commonplace initiator of payment diversion fraud. Fraudsters often create fake business email addresses very similar to genuine ones and use them to send fake payment requests and invoices to make them more believable. For additional authenticity, some spoof the sender address to make it indistinguishable from the real thing. Whichever method is used, the result is the same: the payment ends up in bank accounts controlled by cybercriminals, to be used to fund either opulent lifestyles or more serious organised crime, including terrorism and people trafficking. Sadly, it does not end up with those who need it most: the beneficiaries and employees of the charity.
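The two email signs described above (a sender domain that is nearly, but not exactly, a known supplier's, and replies routed somewhere other than the sender) can be checked automatically before a bank-detail change reaches the finance team. This is an added example, not part of the original article; the supplier domains, sample messages and function names are constructed for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of the suppliers you actually pay (constructed sample values).
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind-print.example"}
# Digit-for-letter swaps that make a fake domain look right at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample messages (headers plus a one-line body).
LOOKALIKE = ('From: "Acme Accounts" <accounts@acrne-supplies.example>\n'
             "Subject: Change of bank details\n\nPlease update our account.")
REPLY_TO_SWAP = ("From: accounts@acme-supplies.example\n"
                 "Reply-To: accounts@acme-supplies-billing.example\n"
                 "Subject: Change of bank details\n\nPlease update our account.")
GENUINE = ("From: accounts@acme-supplies.example\n"
           "Subject: Invoice 1042\n\nInvoice attached.")


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _skeleton(domain):
    """Undo digit-for-letter swaps and the 'rn'-for-'m' trick before comparing."""
    return domain.translate(CONFUSABLES).replace("rn", "m")


def check_sender(raw_message, threshold=0.85):
    """Return a list of warnings for one raw email message."""
    msg = message_from_string(raw_message)
    sender, reply_to = _domain(msg["From"]), _domain(msg["Reply-To"])
    warnings = []
    if sender not in KNOWN_SUPPLIER_DOMAINS:
        for known in sorted(KNOWN_SUPPLIER_DOMAINS):
            ratio = difflib.SequenceMatcher(
                None, _skeleton(sender), _skeleton(known)).ratio()
            if ratio >= threshold:
                warnings.append(f"lookalike domain: {sender} resembles {known}")
    if reply_to and reply_to != sender:
        warnings.append(
            f"reply-to mismatch: replies go to {reply_to}, not {sender}")
    return warnings
```

A message whose sender address is spoofed exactly and carries no Reply-To header passes both checks, so a call to the payee on a known phone number remains the deciding control.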

How to avoid and deal with payment diversion fraud

  • If you or anyone else in your organisation receives a notification to change payment details, take a few moments to consider the request.
  • Always call the real payee on the phone number you know to be correct to check its authenticity. Even if this is time consuming or seems overly cautious, it’s preferable to becoming a victim of fraud.
  • If you think you’ve been scammed, report it immediately to your bank as well as Action Fraud at actionfraud.police.uk or by calling 0300 123 2040 (or the most appropriate law reporting/law enforcement authority in your country if you’re not in the United Kingdom).
  • Also consider whether you need to report the matter to your charity regulator. For reports to the Charity Commission for England and Wales, treat it as a serious incident.
  • Make sure all passwords in the organisation are strong and unique to the account to which they’re applied. Email passwords are particularly important because:
    • Most organisations’ (and individuals’) normal email addresses are the ones which they use for logging in to all their accounts.
    • Inboxes, sent, and archived items almost certainly contain a large volume of confidential information including correspondence with suppliers and other payees.
    • The vast majority of fraud against organisations starts with an email.
  • Make colleagues, employees, trustees, volunteers and other stakeholders aware of the importance of not oversharing on social media (that’s personal and LinkedIn), especially about their work. An innocent post can reveal information about their and colleagues’ roles and activities, often making them easier for fraudsters to target.

Please, make the most of the many benefits of the internet and continuing digital transformation, and hopefully you and your organisation can do so with increased confidence with the above tips and the advice on our website at www.getsafeonline.org/business

Fraud Advisory Panel is a registered charity in England and Wales (1108863) and a company limited by guarantee, registered company in England and Wales (04327390). Registered office: Chartered Accountants’ Hall, Moorgate Place, London EC2R 6EA

© Fraud Advisory Panel and Crown Copyright 2021. All rights reserved.