Fraudsters seem to be targeting businesses using supplier or vendor bank account details. In one such case, a fraudster contacted an individual, a relatively junior staff member, in the accounts department and said that they were calling from one of their suppliers who wished to inform them that their account details had been changed. The accounts clerk, as normal, requested proof of the change in bank details in the form of:
- a signed and stamped letter from the bank confirming the change in bank account details; and
- a signed letter from the supplier on the supplier’s letterhead, confirming a change in bank account details.
The requested (forged) documents were then provided in a matter of minutes via email communication. The documents appeared to meet the requirements necessary to execute the change of supplier bank details on the system. Email spoofing tactics - which involve using technology tools to disguise the source or sender of an email, and make it appear as though it had been sent from a legitimate email address - are normally used to send the requested documents.
The fraudsters take the time to gain an understanding of the business and establish with which suppliers businesses deal as well as which individual in the accounts department to target. In some instances supplier account details are altered, and as soon as the payment is processed, the records are restored. This happens in cases where the fraudsters work in collusion with internal accounts personnel.
KPMG suggests implementing the following proactive solutions:
- Institute a process in which approval from at least two senior members in the accounts department is required before any changes to supplier details are made.
- Make a simple call to your regular contact at the supplier to confirm the change in details.
- Verify all the details (e.g. address, phone number etc) on the change letter and whether the signatory is employed at the bank issuing the change letter. The details supplied by the fraudsters are usually fictitious and are designed to obfuscate verification thereof.
- Put in place regular data analytics or monitoring procedures to identify recurring changes in supplier details.
- Ensure that all supplier invoices reflect bank account details and the relevant purchase order number before being processed for payment.
- Allocate a dedicated supplier number to each supplier, to be quoted on the invoice for identification purposes.
- Consider an arrangement whereby only duly authorised individuals in the supplier firm sign each invoice for comparison with a signature held by the creditors department.