Who do you pay?

It is easy to forget that invoices were once sent by post – a cheque was raised, dispatched by post, and delivered by the supplier to their bank to deposit. The bank would check and confirm the recipient’s name and the payment would be completed.

Invoices now arrive by email, specifying bank account details for electronic payment, with payments near-instantaneous. It is faster, but is it progress?

When processing electronic payments, banks neither check the payee name, nor have an obligation to do so (Tidal Energy Ltd -v- Bank of Scotland PLC, 2014). Only the sort code and the account number are actually required.

Criminals know this. They know that if they can swap the “real” bank details for those of an account they control, they can pocket the payments.

A recent report by UK Finance concluded that in 2018, about £93m was stolen in scams of this type. We anticipate this figure may even be on the low side. Yet the report also concluded that 40% of businesses were unaware of the risks.

The technology sector is particularly vulnerable to these scams. There are lots of invoices, involving large sums, with limited face-to-face contact with suppliers. It’s easy for criminals to intervene. At risk are payments to your suppliers, and also invoices you send to your customers. While your customers would usually remain responsible for any misdirected invoice payments, you are nonetheless in an awkward position if they insist they paid in good faith.

But how could criminals swap the payment information without you knowing? Simple – they take advantage of the whole process being electronic.

For example:

, Sending an email with replacement account details. This might allege that details on the original invoice were wrong, or that the supplier has just changed banks. Crucially, the payee name doesn’t need to change for the scam to succeed.

, Intercepting the supplier’s outbound invoice email, and changing the payment details, before it reaches the recipient. Neither the supplier, nor the recipient, might have any reason to suspect that the details have been changed (until it’s too late).

These scams may seem obvious and crude, yet they are succeeding on a large scale. Fortunately, there are simple precautions that can help protect you:

1. Avoid using public WIFI hotspots: They make it easier for criminals to intercept communications, and expose your devices to a greater risk of being manipulated.

2. Know your suppliers: Maintain an internal record of contact and payment details.

3. Verify any new or changed payment details by phone: Use a phone number from your own records (not from an email, or from the internet).

4. Check invoices. Did you actually make an order? Is the amount correct? Criminals often research these details to make a scam more convincing, but basic checks are still worthwhile.

5. Tell your bank urgently if you suspect you have been scammed: Occasionally, it may be possible to freeze the payment.

Unfortunately, if the criminals do succeed, there may be little you can economically do. However, if the sums involved are significant, we’d recommend a prompt review of your options. Looking to the future, work is ongoing on a system to enable bank payees to be verified. But until that system arrives, significant risks remain.