Invoice redirection fraud (or mandate fraud) occurs when your company receives a request to change a direct debit, standing order or bank transfer mandate from someone purporting to be from another organisation to which regular payments are made, for example a business supplier. It generally takes place when a criminal impersonates your company and deceives the customer into paying the company’s genuine invoices to a fraudulent third-party account instead.
The most common form of invoice redirection fraud involves the criminal sending a letter or email (sometimes with a letter attached) to staff within a finance office impersonating a genuine company that they do business with. The letter will state that your company has recently changed bank account details and all subsequent invoices should be paid to the following new account details.
The fraud perpetrator creates a fake email chain which appears to be from senior managers within your company, in order to convince a staff member within a finance team that the invoice is legitimate and needs immediate processing. In most instances, the names used in the email correspondence are those of actual employees of your company, suggesting that the fraud perpetrator has had insider assistance or has researched/used social engineering to gather information about your company. The fraud perpetrator may also have intercepted email or postal correspondence from your company.
The fraud perpetrator calls up staff from a finance team within a large organisation, pretends to be a senior manager from head office or an overseas office, and enquires why an invoice has not been paid. The fraud perpetrator uses an aggressive tone and essentially bullies the staff into paying the invoice. In advance of the fraud, the fraud perpetrator would usually have sent an email/letter requesting payment to a new bank account. By putting the staff member under sustained pressure during the phone call, they ensure that checks and processes are not followed as rigorously by the staff member.
Over a number of weeks the fraud perpetrator begins a process of social engineering staff within the finance team. Through a series of phone calls and emails the fraud perpetrator convinces the staff member that they are an employee of a supplier to your company and their new point of contact there. Eventually your company receives a letter or email requesting that it change the bank account details for the next invoice. The staff member contacts the supplier using their pre-existing contact details, which are now the criminal’s details. The fraud perpetrator confirms that the change of account details is accurate, and the next invoice is paid to an account under the fraud perpetrator’s control.
Fraud perpetrators also take advantage of staff going on annual leave during the summer months. Aware that invoices may be paid by staff who lack experience and awareness of the threats in this area, fraud perpetrators will increase the volume of invoice redirection attempts.