We hear about payment fraud all the time, and in our industry we come across it more often than we would like. Although the fraudsters come up with new schemes all the time, some very simple checks and actions will reduce the risk of getting caught out.
Yesterday, a company located not too far from our offices in Cambridge received a supplier invoice, which happens most days. This particular invoice was the upfront payment invoice for some goods. Unusually, it was immediately followed up by a phone call asking for prompt payment in order to avoid delays in shipping. The company needed the goods and therefore made the payment of over £5000 promptly.
Although the order and invoice were genuine, the payment details on the invoice were not. They had been hacked and changed to a fraudster’s account. It was a shame to hear this, and there was very little that Cambridge Support, their bank or the police could do after the event.
So, how did this happen?
Without knowing all the details of their setup and IT environment, it is difficult to confirm, but this is probably what happened. Through a shared or weak password and a poorly secured computer, the fraudsters gain access to a user’s email account and set up an email forwarding rule that is not easily noticed unless you are looking for it. This gives them visibility of all the incoming and outgoing emails. Using software tools and manual review, they become familiar with the user’s communication and activities. When they spot an email that is of interest, they simply intercept it, make changes and re-submit it back into the mailbox without the user noticing anything unusual.
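The forwarding rule described above is easy to find once you look for it. As an added example (not part of the original article), this Python script audits an export of mailbox rules and flags any that forward or redirect mail outside the organisation; the field names, domains and sample rules are constructed assumptions, not the format of any particular mail platform.

```python
import json

# Constructed sample export of mailbox rules. Field names are assumptions;
# map them from whatever your mail platform's rule export provides.
SAMPLE_RULES = json.loads("""
[
 {"mailbox": "alice@example.com", "name": "Newsletters", "move_to": "Reading"},
 {"mailbox": "accounts@example.com", "name": ".",
  "forward_to": ["archive@example.net"], "mark_read": true},
 {"mailbox": "bob@example.com", "name": "Copy to PA",
  "forward_to": ["pa@example.com"]},
 {"mailbox": "carol@example.com", "name": "Home copy",
  "redirect_to": ["carol@example.org"], "delete_after": false}
]
""")

INTERNAL_DOMAINS = {"example.com"}  # assumption: domains your organisation owns


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rules(rules, internal_domains):
    """Return one finding per rule that sends mail outside the organisation."""
    findings = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = sorted({t for t in targets
                           if domain_of(t) not in internal_domains})
        if not external:
            continue
        reasons = ["sends copies to an external address"]
        if rule.get("mark_read") or rule.get("delete_after"):
            reasons.append("marks read or deletes, so the user sees nothing new")
        if not rule.get("name", "").strip(" ."):
            reasons.append("blank or dot-only name, easy to overlook")
        findings.append({"mailbox": rule["mailbox"], "rule": rule.get("name", ""),
                         "external": external, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"{f['mailbox']}: rule {f['rule']!r} -> {', '.join(f['external'])}")
        for reason in f["reasons"]:
            print(f"  - {reason}")
```

Any rule it reports should be confirmed with the mailbox owner; an external forward the user did not create is a sign the account has been accessed by someone else.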
We apologise for stating the obvious, but be very careful when making payments, especially to new suppliers or accounts. If you have any doubt, contact the supplier on a number you know and trust for confirmation.
Also, please apply the following simple rules to protect yourself and your colleagues from payment fraud:
- Make your passwords complex: at least 12 characters with a combination of upper case, lower case, numbers and symbols
- Change your passwords often
- Use a different password for each different system you use
- Do not share your password with anyone; if you must share it, change it as soon as you can afterwards
- Ensure your anti-virus software is up to date
- Apply all security updates to your computers promptly