Businesses warned after £32m lost to mandate fraud

Businesses are being urged to alert staff to the dangers of mandate fraud after new figures show losses topped £32m last year.

The data, obtained by RSM from Action Fraud, the UK’s national fraud and cyber-crime reporting centre, reveal that businesses submitted over 1,500 reports about mandate fraud in 2016-17. 

Mandate fraud occurs when an employee is tricked into changing a regular payment mandate, such as a direct debit, standing order or bank transfer, so that it is redirected into a fraudster’s account.

The fraudsters can contact employees via email purporting to be from a supplier that receives regular payments. These approaches are sometimes plausible because they include correct details of staff members’ names and departments, obtained as a result of phishing attacks. The scam will often only come to light when the real supplier chases for payment.

The £32.2m losses from mandate fraud accounted for 12 per cent of all losses reported to Action Fraud by UK businesses last year.

The highest number of incidents were reported in the London Met Police force area (256), followed by Thames Valley (87) and Greater Manchester (57). 

The highest losses were recorded in the West Midlands (£8.3m) followed by London (£4.4m) and Northumbria (£1.6m).

Akhlaq Ahmed, forensic partner at audit, tax and consulting firm RSM, said: ‘These figures show that far too many businesses are falling victim to mandate fraud. While in some cases the losses are relatively small, in others they can run into hundreds of thousands of pounds, potentially putting the future viability of the business at risk.

‘Businesses must wake up to the threat of mandate fraud and take urgent action to prevent it. With the right training and controls in place, there’s no reason why these fraud attempts should be successful.’

Businesses are advised to do the following:

  • Implement training programmes for staff, particularly those in the finance function, so they are aware of the risks.
  • Consider running an ethical hacking exercise to test resilience to phishing attacks.
  • Verify all requests for amended payments by checking directly with the organisation or supplier in question.
  • Monitor bank statements regularly and report any suspicions to the bank and the police.
  • Notify the supplier organisation that has been impersonated.
  • Never leave invoices or regular payment mandates on display for others to see.