Business Email Scammers Finding Success With UK Firms

The U.S. isn’t the only place where business email scams are threatening the enterprise. New research from RSM, which provides consulting services to middle-market firms, finds that U.K. companies are losing millions of dollars, thanks to what the U.K. market calls “mandate fraud.”

According to news from City A.M. on Monday (Oct. 2), which highlighted RSM’s research, U.K. companies are losing a collective $42.5 million because of mandate fraud, which, like the business email scam, involves a scammer emailing a supplier or business to trick them into making a payment into a fraudulent account. RSM found that more than 1,500 businesses a year are tricked, making the crime the third-most common way criminals defraud a company.

Fraudulent bank cards and internal employee fraud are the top two tactics, according to reports.

Action Fraud, a U.K. fraud and cybercrime reporting firm, also highlighted the RSM data this week.

“These figures show that far too many businesses across the region are falling victim to mandate fraud. While in some cases the losses are relatively small, in others, they can run into hundreds of thousands of pounds, potentially putting the future viability of the business at risk,” said RSM Forensic Partner Akhlaq Ahmed in a statement. Ahmed also noted that staff training and exercises to test employee response to phishing attacks are key ways companies can protect themselves against cybercrime.

“Businesses must wake up to the threat of mandate fraud and take urgent action to prevent it. With the right training and controls in place, there’s no reason why these fraud attempts should be successful,” Ahmed added.

The U.K.’s Charity Commission issued a warning in early 2016 over mandate fraud and the threat the scam poses to charities in particular.

“The threat of mandate fraud is an ongoing issue for charities, with cases continuing to be reported to Action Fraud from across the sector,” the Commission said in its January 2016 alert.

“The mandate fraud cases we hear about increasingly involve cunning tactics by fraudsters to gain the trust and confidence of their victims,” said the Commission’s Director of Investigations, Monitoring and Enforcement Michelle Russell in the alert. “There’s no doubt that fraud and deception tactics will keep on evolving. Awareness of fraud risk and the tactics used by fraudsters is the most effective way of preventing charities from becoming victims.”

Despite the heightened warning over mandate fraud, Action Fraud’s latest statistics found that overall fraud across the U.K. actually dropped in the first half of 2017 compared to the first half of 2016. Combined card, remote banking and check fraud in Q1 2017 was 8 percent lower than in H1 2016, the company said last week.

But, Action Fraud said, that doesn’t mean businesses should breathe a sigh of relief when it comes to cybercrime.

“Fraudsters will do all they can to appear like the real deal, so always be on your guard for any calls, texts or emails out of the blue asking for your details,” said Senior Fraud Prevention Officer at the Dedicated Card and Payment Crime Unit, Tony Blake, in a statement for Action Fraud.

“They may even be able to quote some basic information about you,” Blake continued. “Stop and think before you give away any information, and if you are the slightest bit unsure, then hang up and don’t reply. Instead, contact the organization directly on a number you trust, such as the one on their official website.”

That advice can be particularly useful to businesses facing mandate fraud, which sees fraudsters often posing as legitimate suppliers or other business partners in an effort to get a target to pay a fake invoice.

Earlier this year, TD Bank warned that this scam, known as the business email compromise in the U.S., is now the most common cyberattack against corporates. A survey of attendees of the NACHA Payments 2017 conference found that 91 percent of financial professionals expect payments fraud to become an even bigger threat in the coming years, with nearly two-thirds saying their organizations have already been a target of some type of cyberattack.

A fifth of NACHA attendees said the attack appeared in the form of a business email compromise.