Study Indicates ‘Payment Diversion’ Fraud a Growing Threat

Analysis of a number of emerging cases of fraud shows that UK organisations are falling victim to ‘payment diversion’ fraudsters as invoices are paid into the ‘wrong’ bank account, according to KPMG.

The firm reports that over the past six months its forensic team has examined 11 new cases of fraud and become aware of at least 13 more, where the modus operandi indicates that organisations are falling victim to this increasingly popular style of scam.

Cases range in value from just over £30,000 lost by one business in a single transaction to a total of £5m extracted from another. Little discrimination is evident in the type of organisation being targeted. Of the various instances identified, seven have been in the retail industry, but telecoms suppliers, manufacturers, providers of leisure services and public sector organisations are among the victims, too.

Increasingly known as ‘payment diversion’ or ‘mandate’ fraud, the scam revolves around fraudsters posing as employees of an organisation’s supplier and providing false instructions asking for bank account details to be changed. KPMG’s investigations reveal that the technique is so convincing that organisations that are unaware of fraudsters’ methods can fall for it repeatedly. In one case, an organisation in the retail sector saw three separate attacks of this kind.

KPMG’s analysis suggests that the majority of scams are directed towards organisations where the relationship between buyer and supplier is in the public domain. In 20 of the 24 cases uncovered, fraudsters appear to be making use of openly declared business relationships: an unintended consequence of public sector organisations’ determination to demonstrate transparency in their business dealings and of private sector businesses informing stakeholders of core relationships.

“Payment diversion fraud often works because the fraudster builds a level of trust before making their move,” said Priya Giuliani, a director in KPMG Forensic. “Sometimes it can be as simple as making calls at ‘month-end’ so that instructions to change payment details come across as timely and helpful. 

“The truth is that many organisations fall victim because they trust the request is coming from a genuine supplier as the fraudster quotes apparently sensitive information, they are too busy to corroborate anything and assume their procedures are adequate enough to prevent fraud from happening.

“Organisations that are particularly vulnerable don’t have an embedded anti-fraud culture and this leads to weak controls. Sometimes those with an off-shored finance function are the ones most likely to miss red flags, either because of cultural differences or due to a focus on KPIs revolving around processes, not prevention. The difficulty is that fraudsters are constantly mutating their modus operandi to override any controls that are put into place, making this a constant game of cat and mouse.”

To fight the growth of payment diversion fraud KPMG recommends that organisations adopt five key actions:

  • Know who you are speaking to on the phone, and keep logs of callers and requests so that the call history can be consulted when taking calls.
  • Stop employees volunteering private information to callers, such as supplier numbers.
  • Confirm who is making the request to change bank account details. Is it from the usual contact and usual email address?
  • Check the supplier history. Have any other changes in standard data been requested? Is this a supplier with high-value transactions?
  • Only process requests that are received in writing and on letterhead. Check the letterhead against others from the same supplier and verify requests with trusted contacts at suppliers.