Mike Ayres – Senior Manager
A study conducted by UK Finance reveals a loss of almost £93bn in 2018 in the UK’s financial services industry as a result of invoice scams.
Since many firms seem to be unaware of the risks linked to this type of fraud, the findings show the need for more stringent adherence to standards if the situation is not to get worse.
The risk of phishing attacks
Businesses that make property transactions, purchase bonds, buy insurance or other investments, often hold large sums of client money and may not have considered how likely they are to be targeted by scams such as ‘phishing’ attacks.
Fraudsters target these firms through insecure email accounts and web-based accounting systems by exploiting any of their potential weaknesses to intercept key data or transfer sums of money directly into third-party bank accounts.
A ‘phishing’ attack generally persuades an unsuspecting person to open and respond to false emails. These emails often contain a form of ‘bait’, such as a malicious link which, by clicking it, allows the fraudsters to gain access to the firm’s systems or enables them to extract key staff information, such as a director’s email address and signature details.
These days, even more sophisticated scams are made possible by the widespread use of email and online banking. By compromising email accounts, fraudsters can impersonate a known third party, such as a supplier, to divert payments into their own bank account.
Robust processes and procedures
It is therefore important that financial services firms such as mortgage and insurance brokers, as well as financial advisers, are vigilant and that their systems are robust and reviewed regularly to ensure they are protected against such attacks. Schemes such as Cyber Essentials, run by the National Cyber Security Centre, provide certificates confirming that a defined standard is met. Additional penetration testing can be carried out by specialist fraud-testing firms to identify areas of potential weakness.
To avoid becoming an easy target for fraud, firms must adopt robust processes and procedures. Staff should look out for red flags such as changes to address, contact or bank details that were not highlighted or announced in advance, or adjustments to payment terms.
To increase alertness to possible attacks and to ensure they are aware of the latest scams, staff should be tested and trained frequently. Putting in place segregation of duties, where payments have to be authorised by more than one person, is an additional safeguard.
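The two controls described above, red-flag checks on invoice details against the record on file and dual authorisation of larger payments, can be applied mechanically before a payment is released. The following is an added example, not code from the original article: the supplier records, invoices and approver names are constructed sample data, and the dual-authorisation threshold and the callback-verification step are assumptions about a firm's own policy rather than requirements quoted from any standard.

```python
"""Payment-release controls for supplier invoices (added example).

The supplier records, invoices and approver names are constructed sample data.
The dual-authorisation threshold and the callback-verification step are
assumptions about a firm's own policy, not requirements from any standard.
"""
from dataclasses import dataclass, field

# Assumed policy: any payment above this amount needs two different approvers.
DUAL_AUTH_THRESHOLD = 5_000.00


@dataclass
class Supplier:
    """Details held on file, set up when the supplier was first verified."""
    name: str
    sort_code: str
    account: str
    payment_terms_days: int
    contact_email: str
    # Bank-detail changes confirmed by calling the supplier back on the number
    # already held on file (never a number taken from the new invoice).
    verified_bank_details: set = field(default_factory=set)


@dataclass
class Invoice:
    supplier: str
    amount: float
    sort_code: str
    account: str
    payment_terms_days: int
    sender_email: str
    approvers: list  # staff who have signed off this payment


def red_flags(inv: Invoice, sup: Supplier) -> list:
    """Compare the invoice against the record on file and list any red flags."""
    flags = []
    bank = (inv.sort_code, inv.account)
    if bank != (sup.sort_code, sup.account) and bank not in sup.verified_bank_details:
        flags.append("bank details differ from file and change not verified")
    if inv.payment_terms_days != sup.payment_terms_days:
        flags.append("payment terms differ from file")
    if inv.sender_email.lower() != sup.contact_email.lower():
        flags.append("sender address differs from contact on file")
    return flags


def authorisation_ok(inv: Invoice) -> bool:
    """Segregation of duties: large payments need two distinct approvers."""
    distinct = {a.strip().lower() for a in inv.approvers if a.strip()}
    needed = 2 if inv.amount > DUAL_AUTH_THRESHOLD else 1
    return len(distinct) >= needed


def decide(inv: Invoice, suppliers: dict) -> tuple:
    """Return ('PAY', []) or ('HOLD', [reasons]) for one invoice."""
    sup = suppliers.get(inv.supplier)
    if sup is None:
        return ("HOLD", ["supplier not on approved list"])
    reasons = red_flags(inv, sup)
    if not authorisation_ok(inv):
        reasons.append("insufficient authorisation for amount")
    return ("HOLD" if reasons else "PAY", reasons)


# Constructed sample data.
SUPPLIERS = {
    "Acme Surveyors": Supplier("Acme Surveyors", "40-11-22", "12345678", 30,
                               "accounts@acme-surveyors.example"),
}

SAMPLE_INVOICES = [
    # Matches the record on file and has two approvers: release.
    Invoice("Acme Surveyors", 12_000.00, "40-11-22", "12345678", 30,
            "accounts@acme-surveyors.example", ["j.smith", "a.khan"]),
    # New account not verified by callback, shorter terms, same approver twice: hold.
    Invoice("Acme Surveyors", 12_000.00, "20-99-88", "87654321", 7,
            "accounts@acme-surveyors.example", ["j.smith", "J.Smith "]),
]

if __name__ == "__main__":
    for inv in SAMPLE_INVOICES:
        status, reasons = decide(inv, SUPPLIERS)
        print(inv.supplier, inv.amount, status, reasons)
```

The second invoice is held for three separate reasons, which is the point of layering the controls: even if the bank-detail change had been verified, the same person signing twice would still fail the two-approver rule.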
Although the use of a Risk Register is only a requirement for firms holding client money, all businesses should consider creating, and regularly reviewing, a list of all potential risks which affect their daily operations and the safeguards in place to mitigate them.
A meticulous approach to cash management makes spotting anomalies easier and can also help the business to guard against fraud. A good example is three-way forecasting, which gives managers clear cash visibility across all business areas by combining data from the firm’s balance sheet, profit and loss account and cash flow. Whenever actual figures fall short of expectations or performance slides unexpectedly, managers are alerted early and can investigate the reasons why.
In general, increased focus on compliance and adherence to standards can help all businesses to guard against fraud, but firms authorised to hold client money are specifically subject to the Client Assurance Standard from the Financial Reporting Council.
Regular client account reconciliations, where funds in the firm’s bank account are matched to a record of monies owed to each client and to internal accounting records, are needed to ensure compliance with this standard.
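The reconciliation described above is a three-way comparison: the client bank account balance, the sum of the individual client ledger balances, and the firm's own cash book must all agree, and no individual client's ledger may be overdrawn, since one client's money must never fund another's. The following is an added example, not code from the original article or any FRC material; the balances are constructed sample figures.

```python
"""Three-way client account reconciliation (added example).

Compares (1) the client bank account balance, (2) the total of the individual
client ledger balances and (3) the firm's own cash book, and reports every
difference plus any client ledger that is overdrawn. Figures are constructed.
"""
from decimal import Decimal

ZERO = Decimal("0.00")


def reconcile(bank_balance, client_ledger, cash_book_balance):
    """Return a report dict; 'reconciled' is True only if all checks pass."""
    bank = Decimal(bank_balance)
    book = Decimal(cash_book_balance)
    ledger = {c: Decimal(v) for c, v in client_ledger.items()}
    ledger_total = sum(ledger.values(), ZERO)

    exceptions = []
    if bank != ledger_total:
        exceptions.append(f"bank vs client ledger: {bank - ledger_total:+.2f}")
    if bank != book:
        exceptions.append(f"bank vs cash book: {bank - book:+.2f}")
    if book != ledger_total:
        exceptions.append(f"cash book vs client ledger: {book - ledger_total:+.2f}")
    # A negative client balance means that client's money has been used for
    # something else and must be investigated even when the totals agree.
    overdrawn = sorted(c for c, v in ledger.items() if v < ZERO)
    for c in overdrawn:
        exceptions.append(f"client ledger overdrawn: {c} {ledger[c]:.2f}")

    return {
        "bank": bank,
        "client_ledger_total": ledger_total,
        "cash_book": book,
        "overdrawn_clients": overdrawn,
        "exceptions": exceptions,
        "reconciled": not exceptions,
    }


# Constructed sample figures: three clients whose balances sum to 150,000.00.
LEDGER = {"Client A": "100000.00", "Client B": "40000.00", "Client C": "10000.00"}

if __name__ == "__main__":
    for label, bank, book in [("clean", "150000.00", "150000.00"),
                              ("short", "149500.00", "150000.00")]:
        report = reconcile(bank, LEDGER, book)
        print(label, "reconciled" if report["reconciled"] else report["exceptions"])
```

Running it on the two sample cases shows the clean set reconciling and the second set raising two differences of 500.00, which is exactly the kind of unexplained shortfall that should be chased the same day rather than carried forward.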
As fraudsters often target these accounts, firms handling client money cannot afford to ignore the risk posed by invoice scammers. Detailed systems and procedures must be in place and Risk Registers must be updated regularly in order to reflect the evolving threat of fraudulent activity.
For a firm to ensure full compliance and to protect both client money and its own, staff should be trained sufficiently, cash managed appropriately and the right systems and procedures put in place.