Fraud Risk Officers: payment redirection fraud... hiding in plain sight

Just like my cat hiding in plain sight (or so she thinks) in the photo above, payment redirection fraud hides in plain sight.

A] The scenario that makes us cringe:

Abby’s been running her small business, ABC, LLC, for over ten years.  The bookkeeper for ABC, LLC, Frank, has been with the company for the past five years and handles accounts payable, billing/receivables, and payroll. He does his job well, and pays some suppliers via ACH payment through their bank ReliableBank.

One day Frank receives a “Change Advice” email from one of their suppliers of raw materials, Phillips Materials, asking Frank to update the ACH instructions for when he pays invoices. Per the Advice, future payments should go to a different account number at a different bank. Frank pays this supplier $10,000 to $15,000 twice per month.  Frank doesn’t notice that the supplier’s email address in the email he just received is one letter off. Instead of the email containing “phillips,” it contains “philllips.” Instead of the email coming from [email protected] the email came from [email protected].    Frank never notices the extra “l” in the email address, nor does he call Jack personally (at the existing phone # on file) to confirm the change verbally. Frank dutifully updates the ACH instructions with ReliableBank for the payment he’s sending out in a few days, thinking he’s doing the right thing.  Poof…out goes the ACH payment to the fraudsters. Out goes the next ACH payment about 2 weeks later, and another ACH payment 2 weeks after that.

One day Jack from Phillips Materials calls Frank to ask why payments on the account have stopped and to let them know the next shipment of materials is getting placed on hold until the account is brought up to date.  Frank’s beside himself and asks Jack if perhaps the supplier’s new bank is mis-applying the ACHs.  Jack asks, “what new bank?”  At that point, both gentlemen know exactly what’s happened. Frank needs to have a very uncomfortable conversation with his boss, Abby, and with their banker at ReliableBank. 

What happened?

Fraud happened. An incredibly successful and growing form of fraud whereby a bank’s customer has been scammed, so the bank’s customer provides instructions for sending an ACH but the instructions send the payment to a fraudster. 

Frank notifies his bank, ReliableBank, and their research reveals that the payments sent to the fraudulent account at the other bank are gone, and the account has been closed.

The frustrating aspect of this type of fraud is that no one technically did anything wrong. ReliableBank processed the ACH payment per Frank’s instructions.  Frank believes he’s sending the ACH to the correct place, based on the instructions he received in the Change Advice from his supplier… not realizing that the instructions came from a fraudster.

B] The solution that helps us sleep at night: 

One phone call… one simple 2-minute phone call from Frank to Jack (person-to-person interaction) would likely have prevented this fraud. This is one of those situations where part of the solution is quick, easy, and free.  

The other part of the solution involves banks providing specific scenario-based awareness and training to business customers – that is, the owners and their accounting staff who process payments and payroll. Generic messages about “being careful about fraud” are not effective, nor will they ever be effective. Business owners and their staff need to be informed of exactly how the fraudsters operate, and what the scam-attempt will look like. They need to know to call the supplier at the phone number on file, and not use the ‘new’ one conveniently included in the payment Change Advice. They need to know that they have to reach a real human, preferably one they have an established relationship with. Diligent bookkeepers, however, might say “but those efforts will delay the next payment and I’m a great bookkeeper so none of my payments are ever late.”  They need to understand that it’s better that one payment be delayed than to have three payments go to a fraudster. 

The last piece of this involves relationships – those things that are becoming extinct in the automated business world (and fraudsters know that, by the way.)  Accounting staff in small businesses should do everything possible to establish relationships with their suppliers who invoice them so they can verify information and perhaps recognize a voice.  This is important because, in some situations, the supplier’s phone number has been ported to the fraudsters, too. That’s a very deep fraud that could only be thwarted if Frank had an established relationship with Jack and was astute enough to realize something was amiss when fraudsters answered his call.

C] The call to action:

The worst part about this fraud is that the funds typically go toward terrorist financing and other nefarious crimes. It’s not a good situation and we’re all in it together, so let’s do our best to continually bring this scenario to the attention of business owners.