13 March 2020
During 2018 fraudsters stole £1.2 billion in banking and credit card scams, an increase of 16% over the previous year. The finance industry is taking ever more innovative measures to limit criminal activities, but businesses need to be vigilant. Many successful scams are the result of data being stolen in cyber-attacks on companies of all sizes.
As I hung up on the second telephone scammer of the day it occurred to me that only a few years ago it was a rare event to have a conversation with a criminal, but now it happens several times a week. Of course most of these are easy to spot, but scammers are becoming more sophisticated and many hold stolen data that enhance their credibility. A few weeks ago I had a call from someone claiming to be my broadband supplier who quoted some of my personal details including my account number, no doubt the fruits of a successful hacking exercise.
Less complex scams are also on the increase. What could be simpler than following a delivery van and stealing packages left at recipients’ houses? This ‘Porch Piracy’ apparently accounted for 90,000 lost parcels in New York last year.
Fraud relating to the unauthorised use of debit, credit and other payment cards amounted to £671.4 million in 2018, up 19% on the previous year (according to UK Finance, an organisation representing the banking and finance industry). This represented 8.4p per £100 spent, as opposed to 7p in 2017. The number of incidents reported was 2,617,739, up 40% on 2017. Of these, the majority were remote purchase fraud and the total amount stolen by this method was £506.4m, of which £393.4m was via internet trading.
Other sub-categories of unauthorised card fraud are: counterfeit (£16.3m); lost or stolen (£95.1m); card not received (i.e. stolen in transit) (£6.3m); ID theft (£47.3m).
Don’t get this APP
The second most significant financial crime is known as Authorised Push Payments (APP). This is where a criminal gains the confidence of an individual or business and persuades the victim to make a payment to a bank account under his control. As security measures put in place by financial institutions improve and become increasingly resistant to fraud, criminals have resorted more to APP. 2018 saw an astonishing rise of 50% in the financial cost of such activity, reaching £354.3m. The number of reported cases was 84,624 – a rise of 93%. Most of the victims were individuals, but 6,409 were businesses and similar organisations, who lost in total £126m.
The types of APP crime that most affect businesses are CEO fraud and invoice (or mandate) fraud. In a typical invoice or mandate scam, the criminal targets a business posing as a supplier and claims that the bank account details have changed, so the business thinks it is making a payment to a legitimate payee but in fact pays the funds into the criminal’s account. Usually the criminal has previously obtained information by hacking an email account.
CEO fraud is similar, also involving the criminal obtaining sensitive information beforehand. The criminal poses as a senior employee of the company and persuades a member of the finance team to make a payment to an account controlled by him. This type of fraud is thankfully rare with total losses being £14.8m in 2018.
Protect yourself and your business contacts
To protect your business against such scams, ensure that your team is trained to be suspicious of any payment requests that do not conform to established, normal procedures. When a supplier advises a change of bank details, telephone the usual contact at the supplier’s office to confirm it.
To make life difficult for criminals you need to ensure that your data cannot be stolen in cyber-attacks. According to insurers Hiscox, 47% of SMEs were targeted in such attacks in 2019, up from 33% in 2018. The General Data Protection Regulations (GDPR) are a good starting point for keeping your customer and supplier data secure. Hiscox reports that 80% of British businesses have now implemented adequate GDPR compliance measures. As this was introduced in May 2018 and applies to all organisations that hold personal data, very few businesses are exempt.