Over the last few years the Fieldfisher Fraud, Corporate Crime and Investigations team have seen a steady increase in the number of clients coming to us following either attempted or successful Authorised Push Payment (APP) frauds. These are frauds where the client has authorised the payment, usually to what they thought was a genuine supplier or business partner, when in fact fraudsters masquerading as genuine counterparties have provided their own bank account details instead. Often these frauds are only discovered when the genuine counterparty chases its payment. The growing reliance on email as the sole means of communication has allowed fraudsters to interpose themselves in email chains and/or convincingly mimic business contacts and genuine email addresses, giving plausible reasons, which are often accepted at face value, as to why bank details have changed. Payments are frequently made without question.
Our experience shows that if banks checked the name of the payee against the bank details provided before making a transfer it would normally have been clear that there was a mismatch. However, in the case of electronic payments, banks are not required to make such checks and transfers are made solely on the basis of bank account number and sort code. But that is about to change.
The UK’s six largest banking groups, covering around 90% of bank transfers, are required to fully implement confirmation of payee checks by 31 March 2020. This move is designed to protect customers from APP frauds and scams. The new system will mean that if there is a mismatch between the name of payee and bank account details in the UK, banks will notify the person making the payment and ensure they want to go ahead before the payment is made.
Time is accordingly running out for APP fraudsters. However, because of this we urge businesses to be particularly vigilant. Over the last few months we have seen a marked increase in these frauds, or attempted frauds, being reported to us. We speculate that, because this seemingly easy avenue for fraud is about to be cut off, the fraudsters are redoubling their efforts in the countdown to 31 March. But there is one very simple thing that can be done to combat this type of fraud: if a counterparty provides new bank details, always pick up the phone to an existing contact at that business (using a known phone number) before making the payment.
However, if your business is unlucky enough to find itself a victim of this type of fraud, there are a number of ways in which it might be possible to recover your payment. The key is to act quickly, as soon as the fraud is discovered. That will provide the best chance of stopping the dissipation of the money in its tracks. There are a number of tools we can use, for example applying for freezing orders and disclosure orders from banks to trace the money and find out details of the account owner. In a recent case we managed to recover EUR10.5m out of EUR15m transferred as a result of such a scam using these tools (and we are seeking the remainder from those involved). So all is not necessarily lost. But now may be the time to review your policies and procedures relating to payments. No doubt the fraudsters are already working on their next scam, so businesses need to remain ever vigilant.