Tim Mitchell, Content Director, Get Safe Online
Payment diversion is a type of impersonation fraud. In its most basic form, it started when humans began exchanging products and services for payment, be that early coinage, a sheep, a cartwheel or a flagon of wine.
Back then, it wasn’t that easy to commit, as transactions were face-to-face and perpetrators had to be pretty clever and either do their homework to find out who owed what to whom or disguise themselves as someone else. Now, however, we have the internet, which presents fraudsters with limitless opportunity, stealth and relative anonymity.
Payment diversion fraud is committed against organisations who pay for goods and services via direct debit, standing order, bank transfer or some other kind of electronic method. Which is pretty much every organisation you can think of, including those in the third sector, abhorrent though that is. In fact, it is the type of fraud most commonly experienced by respondents in a recent survey commissioned by Fraud Advisory Panel and BDO.
How does payment diversion fraud work?
Depending on how it’s committed, payment diversion fraud is also known as business email compromise (BEC) or mandate fraud.
Fraudsters normally contact charities and other organisations via email, although it can also be via a physical letter or even a phone call. They claim to represent a company that the targeted organisation has been buying products or services from – or has a subscription with. Typically, they say that they have changed their banking details – because of either a different bank or new account – and request that payments be updated accordingly. If you or an individual in your organisation falls for the con, the first you may be aware of it is when your supplier contacts you to say that your payment hasn’t been received.
You’ll no doubt have heard about payments for people’s homes being diverted from conveyancing solicitors’ bank accounts to those set up by fraudsters. Of course, organisations carry out similar transactions, so the same risk applies, and sometimes the numbers are bigger.
I mentioned email being the most commonplace initiator of payment diversion fraud. Fraudsters often create fake business email addresses very similar to genuine ones and use them to send fake payment requests and invoices to make them more believable. For additional authenticity, some spoof the sender address to make it indistinguishable from the real thing. Whichever method is used, the result is the same: the payment ends up in bank accounts controlled by cybercriminals to be used to fund either opulent lifestyles or more serious organised crime, including terrorism and people trafficking, instead of, sadly, with those who need it most … the beneficiaries and employees of the charity.
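The two email tricks described above can be checked for automatically before a bank-detail change is actioned. The following is an added example, not part of the original article: the supplier domains, the edit-distance threshold of 2, the function names and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of suppliers the organisation really pays (constructed).
KNOWN_SUPPLIERS = {"acme-supplies.co.uk", "brightprint.org"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Lower-cased domain of an address header; empty if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review_flags(raw_message: str) -> list[str]:
    """Return reasons to verify a payment-change email out of band."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg["From"])
    flags = []
    if sender not in KNOWN_SUPPLIERS:
        # Address "very similar to a genuine one": near miss of a known domain.
        near = [d for d in KNOWN_SUPPLIERS if edit_distance(sender, d) <= 2]
        flags += [f"lookalike of {d}" for d in sorted(near)]
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        flags.append("reply-to domain differs from sender")
    # A spoofed exact address passes the checks above, so also read the
    # receiving server's DMARC verdict from Authentication-Results (RFC 8601).
    if "dmarc=fail" in (msg["Authentication-Results"] or "").lower():
        flags.append("sender failed DMARC")
    return flags

# Constructed sample messages (headers only, then a one-line body).
LOOKALIKE = ("From: Accounts <accounts@acme-supp1ies.co.uk>\n"
             "Subject: New bank details\n\nPlease update our account.\n")
SPOOFED = ("From: Accounts <accounts@acme-supplies.co.uk>\n"
           "Reply-To: payments@mailbox.example\n"
           "Authentication-Results: mx.charity.example; dmarc=fail\n"
           "Subject: New bank details\n\nPlease update our account.\n")

if __name__ == "__main__":
    print(review_flags(LOOKALIKE), review_flags(SPOOFED))
```

An empty result does not clear a message; a change of bank details still warrants confirmation through contact details already held for the supplier.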
How to avoid and deal with payment diversion fraud
Please, make the most of the many benefits of the internet and continuing digital transformation, and hopefully you and your organisation can do so with increased confidence with the above tips and the advice on our website at www.getsafeonline.org/business