Millions lost as fraudsters expose a mandate for change 

Over the past 6 months KPMG’s Forensic team has examined 11 new cases of fraud and become aware of at least 13 more where the modus operandi indicates that organisations are falling victim to an increasingly popular and trending style of scamming.

The cases range in value from just over £30,000 lost by one business in a single transaction to a total of £5 million extracted from another.  It also appears that there is little discrimination in the type of organisation being targeted.  Of the various instances identified, seven have been in the retail industry, but telecoms suppliers, manufacturers, providers of leisure services and public sector organisations are amongst the victims, too.

Increasingly known as ‘Payment Diversion’ or ‘Mandate’ fraud, the scam revolves around fraudsters posing as employees of an organisation’s supplier and providing false instructions asking for bank account details to be changed.   KPMG’s investigations reveal that the technique is so convincing that organisations, who are unaware of fraudsters’ methods, can fall for it repeatedly.  One, case for example, involving an organisation in the retail sector, saw 3 separate attacks of this fraud.

According to KPMG’s analysis, the majority of scams are directed towards organisations where the relationship between buyer and supplier is in the public domain.  In all but 4 of the 24 cases uncovered fraudsters appear to be making use of openly declared business relationships – an unintended consequence of public sector organisations’ determination to demonstrate transparency in their business dealings and private sector businesses informing stakeholders of core relationships.

With the cases coming to light revolving around large payments (the average fraud is £1 million), it also seems that fraudsters believe that flaws in organisational checks and balances ensure ‘payment diversion fraud’ is easy to get away with.  The cases examined by KPMG suggest that fraudsters also assume that a lack of knowledge, amongst employees, about the typical ‘red flags’ to look out for, prevent discovery of the crimes, before it is too late.

Priya Giuliani, director in KPMG Forensic, said: “Payment Diversion Fraud often works because the fraudster builds a level of trust before making their move.  Sometimes it can be as simple as making calls at ‘month-end’ so that instructions to change payment details come across as timely and helpful.  The truth is that many organisations fall victim because they trust the request is coming from a genuine supplier as the fraudster quotes apparently sensitive information, they are too busy to corroborate anything and assume their procedures are adequate enough to prevent fraud from happening.”

Of the cases identified, the majority of frauds were discovered because suppliers chased payments.  Only 3 incidents were spotted before payment was made to a fraudulent bank account because staff raised the alarm after calling trusted contacts within their supplier’s Accounts Team.

Relying on individual vigilance is clearly not a strong enough safeguard.  According to KPMG’s analysis discovery of a fraud does not always result in full recovery of the stolen funds. For example, one fraud, where the business operated in the manufacturing industry, saw the company recoup less than 5 percent of the funds lost.  Another saw a public sector organisation recover just £20,000 from £350,000 lost to a fraudster.

Giuliani adds: “Organisations that are particularly vulnerable don’t have an embedded anti-fraud culture and this leads to weak controls.  Sometimes those with an off-shored finance function are the ones most likely to miss red flags, either because of cultural differences or due to a focus on KPIs revolving around processes, not prevention.  The difficulty is that fraudsters are constantly mutating their modus operandi to over-ride any controls that are put into place, making this a constant game of cat and mouse.”

To fight the growth of Payment Diversion Fraud KPMG recommends that organisations adopt 5 key actions. These are:

• Know who you are speaking to on the phone and keep logs of callers and requests so these can be referred to when taking calls, to see the call history

• Stop employees volunteering private information to callers (such as supplier numbers)

• Confirm who is making the request to change bank account details – is it from the usual contact and usual email address? 

• Check the supplier history – have any other changes in standard data been requested, is this a supplier with high value transactions?

• Only process requests that are received in writing and on letterhead.  Check letterhead to others from the same supplier and verify requests with trusted contacts at suppliers.

- ENDS -

For further information please contact:

Mike Petrook, KPMG Press Office
020 7311 5271 (t), 07917 384 576 (m) or mike.petrook@kpmg.co.uk

About KPMG

KPMG’s Fighting Fraud website can be found at: www.kpmgfightingfraud.com

KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with nearly 11,000 partners and staff.  The UK firm recorded a turnover of £1.6 billion in the year ended September 2010. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. We operate in 150 countries and have more than 138,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity.  KPMG International provides no client services.