Mandate fraud
Mandate or payment fraud typically occurs when an organisation is deceived into changing a regular payment, such as a direct debit, standing order or bank transfer, by someone posing as an organisation or individual that it makes regular payments to. During disaster and emergency relief, there is often a spike in mandate fraud.
Mandate fraud can also relate to the payment of membership or subscription fees, and generally involves changing account details for supplier or customer accounts to divert funds. Once the new account details are in place, any subsequent payment will not reach the true supplier because it is automatically diverted to the fraudster.
Another common form of mandate fraud is CEO or payroll fraud, where a fraudster requests changes to payroll bank account details. This type of fraud typically occurs when an email is sent to an organisation from a criminal purporting to be the organisation’s Chief Executive Officer (or a senior manager), with instructions to change the bank account details of the person they are impersonating. The criminal will often request that funds be urgently transferred to the alternative bank account. The employee receiving the email will feel pressured to comply because of the apparent seniority of the sender and the urgent tone of the email.
How mandate fraud works
Criminals gather information which is then used to impersonate suppliers, senior employees or customers from various organisations and individuals. Methods include:
- gaining inside knowledge, including from corrupt employees
- accessing publicly available contract information, including publicly announced contracts and online logs of supplier contracts
- conducting online research about the targeted organisation, their activities and identifying key staff
- direct contact with unsuspecting employees, for example telephoning staff at the organisation to find out about its procedures.
Once information is gathered, several methods may be used to gain control of an account and benefit from unauthorised payments. Fraudsters will usually request an update to account details by telephone and/or email.
Changes requested by fraudsters may include:
- changing bank details in a direct debit
- a payment to be made over the phone via credit card
- changing an employee’s bank account details for their salary.
How to spot mandate fraud
Mandate fraud can occur in different ways, but some common methods to be aware of include:
- Direct targeting and grooming or manipulation of individuals to get them to divulge confidential information.
- A telephone request where the caller suggests an urgent change to a supplier’s bank account details.
- An email request from an unknown email account that is not recorded on the organisation’s records.
- An email where a minor change has been made to the sender’s address details, giving the impression it is a genuine contact email address at first glance. Employees should always confirm the authenticity of an email received from a supplier or employee by using established contact details already held on file.
How to prevent mandate fraud
Mandate fraud can involve sophisticated techniques. Those attempting it have often harvested information on their targets and may use well-honed methods to impersonate a supplier. However, by being alert to the fraud risk and ensuring employees follow some simple checks, the likelihood of an organisation falling victim to mandate fraud can be significantly reduced.
- Organisations should periodically confirm supplier information held on file, including bank account details, registered address, email address, company registration number, GST number and the name of the key contact at the company.
- All staff should be cautious when providing sensitive company information, especially contract and account information.
- Use existing payment systems and platforms, if possible.
- Review and adhere to existing information security policies such as clear desk, staff vetting, and internal and external financial controls. Employees working from home still need to adhere to information security policies relating to their online systems and follow established protocols.
- If unsure about a request for change, contact the supplier using records already in the system – not the communication method requesting the change – to check its veracity.
- Ensure that authorisation and monitoring procedures are in place for creating and changing bank details and monitoring payments, and that employees are aware of these procedures and know how to use them.
- Implement processes for managing payments over a certain amount; for example, require two people in your organisation to review or sign off payments above a set threshold.
- Ensure systems are in place to protect information stored online and in email accounts, for example two-factor authentication for remotely accessed email accounts. Check that these are working properly for employees working from home.
- Train employees on social engineering techniques that could be used by a fraudster to commit mandate fraud. Social engineering is the psychological manipulation of people into divulging confidential information they would otherwise not provide.
- Always issue receipts or remittance advice to suppliers so they know when a payment has been made.
- Report suspicious activity or transactions to your organisation’s bank as soon as suspected.
- Alert employees to all unsuccessful frauds so they know what to look out for and to be on alert for any repeated attempts.
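As an added example (not part of the original guidance), the following Python checks an incoming sender address against the supplier records already held on file, as described under "How to spot mandate fraud": it distinguishes exact matches, lookalike addresses with a minor change, and unknown senders, and returns the phone number on file for the out-of-band check recommended above. The supplier addresses and phone numbers are constructed sample data.

```python
import difflib
import unicodedata

# Constructed sample of supplier records already held on file (assumption: an
# export from the organisation's accounts-payable system looks roughly like this).
CONTACTS_ON_FILE = {
    "accounts@northstar-supplies.co.nz": {
        "supplier": "Northstar Supplies Ltd",
        "phone_on_file": "+64 3 555 0100",
    },
    "billing@harbourprint.com": {
        "supplier": "Harbour Print",
        "phone_on_file": "+64 9 555 0199",
    },
}

def normalise(address):
    # NFKC folds compatibility characters (e.g. fullwidth letters) to their
    # ASCII forms so they cannot be used to slip past an exact comparison.
    return unicodedata.normalize("NFKC", address).strip().lower()

def classify_sender(sender, contacts=CONTACTS_ON_FILE, threshold=0.85):
    """Return ("known"|"lookalike"|"unknown", closest address on file or None).

    A sender that is not on file but is very similar to one that is (a swapped
    letter, a changed top-level domain) is a lookalike: the minor-change
    pattern described in the guidance above.
    """
    candidate = normalise(sender)
    if candidate in contacts:
        return "known", candidate
    best, best_ratio = None, 0.0
    for known in contacts:
        ratio = difflib.SequenceMatcher(None, candidate, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    if best_ratio >= threshold:
        return "lookalike", best
    return "unknown", None

def verification_contact(sender, contacts=CONTACTS_ON_FILE):
    """Phone number to ring before acting on a change request.

    The number always comes from the record on file, never from the email
    itself, so an impersonator cannot steer the call-back to themselves.
    """
    _label, closest = classify_sender(sender, contacts)
    if closest is None:
        return None  # nothing on file: treat as unverified and escalate
    return contacts[closest]["phone_on_file"]
```

A "lookalike" or "unknown" result should block the change until the call-back to the number on file confirms it; the similarity threshold is a starting point to tune against your own supplier list.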
Mandate fraud case studies
Fraudsters impersonate international supplier
A New Zealand company had a supplier in China that it used regularly. Fraudsters obtained enough information about the Chinese supplier to imitate its emails, including using a very similar email address and even copying the email signature. Fake invoices were sent to the New Zealand company at a time when it was expecting to receive invoices from the supplier. As a result, the invoices were paid to the fraudsters’ account, resulting in losses of over $300,000.
Fraudsters try to get bank account details changed
Fraudsters inserted themselves into an email exchange between a public sector organisation and a customer with whom the organisation was finalising grant funding. The fraudsters instructed the organisation to change the bank account into which the funding was to be paid.
The attempted fraud was detected when, to validate the legitimacy of the instruction, the organisation contacted the customer using contact details already held for that customer, not the contact details in the email. The customer denied sending the instruction, which prompted the organisation to investigate their systems and detect the fraudulent attempt.
More information
- Find out more about the seven common personas that fraudsters use when committing financial crimes
- Learn how the impacts of fraud go beyond just financial
- See how a robust and well-structured procurement process is the first line of defence against procurement fraud and corruption
- Minimise the opportunities for fraudsters to exploit your government-funded initiative
- Learn what gaps and weaknesses to watch out for in contracting and supplier management processes