Mandate fraud

14 October 2022

Mandate fraud usually takes one of two simple and effective forms:

  • someone who makes regular payments to an organisation is convinced to change the details of that direct debit, standing order or bank transfer by an individual or group pretending to be the organisation; or 
  • a fake invoice is sent containing the incorrect payment details. The recipient contacts the fraudsters to correct the error.

Mandate fraud is often perpetuated by organised crime and “career fraudsters”, because it’s a low-cost and low-risk way to make money and fund other types of criminality.

In accordance with NHS Counter Fraud Authority (NHSCFA) requirements, RSM’s NHS clients report all attempted mandate frauds. In 2021/22, reported mandate fraud attempts across our NHS clients reached over £6.4m. 

While the risk of receiving a mandate fraud attempt is very high, the hard work, vigilance and controls in place across the NHS reduce the likelihood of it being successful.  

Your key defences

People power

NHS staff are the first, and most valuable, line of defence against mandate fraud. When people are aware of the risks, they are alert to attempts. With guidance and training, they can spot the methods used by criminals, and prevent the loss of public money. Staff should be encouraged to attend finance or cyber-crime fraud training offered by your Local Counter Fraud Specialist (LCFS).


Before processing any new supplier payments or mandate changes, organisations should use the bank account verification system (if available). This system verifies the sort code and account number against the name of the intended payee, and will allow a payment only if they match. This facility is not always available on BACS, but organisations could consider a test transaction or verification, without sending funds, using CHAPS or Faster Payment systems.

Good cyber security

Criminals use various methods to gather key information, laying the groundwork to increase the success of a mandate fraud attempt. Initial activity can include hacking or putting malware into IT systems, particularly email systems.

We have seen instances of fraudsters:

  • “lurking” in NHS email accounts, monitoring the communication style and types of contacts;
  • adding Outlook rules to divert emails, then sending emails purporting to be the genuine account holder which are then immediately deleted; and
  • using “rules” to hide the responses from the genuine user.

This allows the fraudster to have a full email conversation with the intended victim from a genuine company email account.

This risk is not limited to NHS systems. Fraudsters will often target an NHS supplier so as to gain control of an email chain. They may then use their control of multiple accounts to play both sides of an email conversation to make the attempt seem legitimate. 

It is often difficult to identify exactly when an IT system compromise occurred, but good cyber security and user awareness, knowledge and discipline helps to prevent attempts from being successful.


  • Don’t click on unsolicited links in emails.
  • Don’t open unsolicited or suspect attachments.
  • Have a unique and complex password for your (or equivalent) email account.
  • Report anything suspicious immediately to your manager and/or IT team. 
  • Ensure your IT team carries out system updates and ensures that the latest patches and firewall updates are installed promptly.

Red flags for mandate fraud

What is the sender’s email address?

Get into the habit of hovering your cursor over the sender’s email name. This reveals the actual email address behind the name that appears onscreen. It is easy to change the sender’s name to whatever you want it to be, as it does not have to be the actual email address. If you hover over the name, you will be able to see the real email address and can check it against your previous correspondence and records.

Attempts are often made from email accounts designed to look similar to that of a genuine supplier. In links to the NHS email domain (, we have seen fraudsters replace the “n” with an “r”. In other examples, we have seen fraudsters replace an “m” with an “r” and an “n” (rn looks very much like m), and replace a “d” with a “c” and an “l” (cl). Usually, it is a small change that might not be immediately obvious, but is enough to ensure correspondence is controlled by a fraudster.

Is there a sense of urgency?

Fraudsters are most successful when they can make the target panic. The target will usually make a payment without taking time to stop and think. Mandate fraud emails often create a sense of urgency – for example, “My train is delayed, and I can’t access the systems, can you please send over £5,000 to Mr Morris in my absence ASAP.”

Remember there is always five minutes to take a moment, check with a colleague, or call the person you think has sent the email to check it did come from them. It is always better to wait and check, than act in haste and fall victim to fraud.

Beware of detours

Fraudsters will encourage their targets to bypass formal and official processes. Be alert to such requests, as it is unlikely that any of your colleagues will ever ask you to act outside of the usual procedures. 

Although sometimes these things do happen, if you are asked to cut corners you should contact the person you think has sent you the request. Don’t respond directly to the request, but instead use previously used contact details. Do not be afraid to query more senior staff. The Chief Executive will be happy to provide authorisation if it is a genuine request.

Are there grammar and spelling mistakes?

Spelling and grammar mistakes are common indicators of mandate fraud, either because English is not the fraudster’s primary language and/or because they are making multiple fraud attempts in haste.

If you know the email’s sender, or are familiar with their usual style of communication, don’t ignore anything about the phrasing of the email that strikes you as odd. It may be a sign that all is not as it seems.

What to do if you suspect a mandate fraud attempt

Check the contact details

Verify the request by making direct contact with someone you have dealt with previously. Always use known communication channels held in pre-existing records. Do not reply to a suspicious email, and never use the phone numbers or email addresses supplied on the request you have received.

Use known details to check the responses you receive or cross-reference them to a genuine website. You could also consider asking your contact to verify information that only they would know from previous correspondence or invoices.

Stop the payment

Contact your bank immediately if you think a payment has been made to a fraudulent account. Payments are normally made using the standard BACS process and take three working days to arrive in the beneficiary account. The payment can often be reversed if caught early enough.

A CHAPS or Faster Payments will transfer more quickly. If notified promptly, however, a bank may be able to put a freeze on accounts it holds. The onward bank can also be asked to freeze an account while enquiries are made. This process will also add a fraud flag that may save others from becoming victims.

Notify your colleagues

Flag any suspect payments and requests to your supervisor immediately. Fraudsters often target several people at once, so even if you identify a payment request as an attempt at fraud, a colleague may be about to authorise the payment.

Your IT department can secure compromised email accounts. It can also prevent future attempts by blocking fraudulent email domains and IP addresses.

Freeze the supplier account

The supplier account should be frozen to prevent any changes being made or payments sent. This allows further investigation without there being a risk of others sending money.

Do not engage

Do not ask the fraudster to provide more details or engage with them further. When they elicit a response, they may be more inclined to keep trying. If controls are strong and no payment is made, they will move their focus to another organisation where they have more chance of success.

Report the attempt

All attempts of fraud against the NHS must be reported to your LCFS, or directly to the NHSCFA. Contact your LCFS as soon as you suspect attempted mandate fraud. You should keep all communication as it may be needed as evidence.

We will work with your IT department to ensure any electronic evidence is secured.  

For further information, please contact Tim Merritt.