In Payments Fraud, Bad Guys Play Go Phish


There’s nothing new under the sun, except when it comes to payments fraud. Phishing still grabs victims by the wallet, and Barclays warns against social engineering. In the meantime, fake invoicing made the news in the UK and elsewhere.


There’s nothing new under the sun, they say … except for new ways to steal. Payments fraud is, of course, no longer confined to someone swiping a credit card and running up a tab or taking money from a cash register.

In the world of data theft and emails, the bad guys and victims never meet face to face. And since one might never know who is on the other side of a far-flung business relationship, the opportunities for theft abound. The methods may be crude or high-tech and dazzling.

Barclays Urges Vigilance

To that end, as noted in The Week, Barclays Corporate Banking warned business owners that a number of methods must be considered to protect against bad actors. The fact remains that “fraudsters often employ low-tech methods, rather than trojans or other malicious software.” In terms of methods, the bank warns business owners to be vigilant against social engineering, which means it is urging “professional services clients to check, check and check again.”

Again, the name of the game is social contact, but rendered through electronic means. The social engineering gambit is, of course, known as phishing, and lures the unwitting into giving away sensitive data or sending money to the fraudster.

In corporate fraud, it is the invoice that may be the lure, with account details that facilitate the transfer of money … never to be seen again. To be vigilant, said Barclays, business owners need to make staff aware of the invoice fraud specter. Invoices must be checked carefully, as should email addresses — and, of course, steady contact with suppliers is helpful.

In one example of corporate fraud in the U.K., Neil Avery Hughes, a director of Contact Transport Limited, was banned for nine years from forming or acting as director of a company (among other restrictions) after it was found that he submitted false claims worth 1 million pounds and gained cash advances that were higher in value than the work completed. This resulted in a loss to the invoice discount facility provider.

Separately, in New Zealand, a woman in the midst of building a child care center lost $53,700 to a hacker who posed as a contractor and sent a false invoice. Anna Ryder, reported the New Zealand site Stuff, made the payment to her father, who had been paying suppliers from his own bank account. The hacker intercepted an invoice, then posed as the contractor with a fake invoice, a new bank account and just enough plausible detail to make the scam work. Ryder and her father were alerted to the fraud only after the real contractor began asking for payment.

New Zealanders have lost as much as $865,000 from fake invoices so far this year, reported the site.

The outlook may not brighten soon. The Credit Union Times reported, per a study by TD Bank, that a majority of payments professionals surveyed at the 2018 NACHA conference in May expect fraud to get worse. As many as 84 percent of professionals think that fraud will, in fact, increase. That’s a slight drop from previous estimates.

“This drop could indicate that companies are gaining confidence as they prioritize and invest greater resources in cybersecurity prevention and preparedness,” the report noted. “Further supporting this idea, 9 percent of respondents noted that cybersecurity software will have the greatest positive impact on the payments industry over the next three to five years, potentially indicating that payments professionals may finally be seeing some positive developments in the area of cybersecurity.”