31 March 2016
Safeguard your business against fraud.
What is in this document?
This leaflet examines the most frequent cases of fraud which may impact on your business as well as advice to protect you against it. As you will see fraudsters are clever and very organised. The cases of fraud presented are not trivial, they happen every day worldwide. Beware.
If fraud is detected although the transfer has already been made, immediately notify your ING contact to try to block the funds before they disappear. Bear in mind that after 24 hours it is practically impossible to recuperate stolen amounts.
How to use this document?
We recommend that you distribute this document in your company. Advise all directors to read it as well as anyone with power of attorney over the company's accounts. Fraudsters often target the latter.
Unfortunately total protection does not exist, as fraud is often linked to a human factor. Nonethe - less if you communicate and apply the recom - mendations made in this leaflet in your business you can restrict the risks considerably. This leaflet is offered for purely information purposes by ING and has no contractual value. Consequently it may, under no circumstances, serve as a basis to hold ING liable in particular if, despite these recommendations, your company is a victim of any of the scams detailed in these pages.
Social Engineering or CEO fraud
What is it?
What are the consequences?
Social engineering is the fact of gathering information about a target company in order to manipulate an in-house person of such company to take action (often to make a payment) or disclose confidential information.
- Fraudsters will contact your company by e-mail or by phone, acting as auditors, chartered accountants or even a federal department making an investigation. By this means, they collate information on your company's internal payment procedures as well as the people who make them.
- Then they contact the staff of your company with rights to make large payments and act as the CEO or the CFO (often away on mission in another entity of the group). They refer to the possibility of taking over a foreign rival requiring a major transaction. They also invoke a fiscal control in another entity of the group requiring funds to be transferred to such entity. Other scenarios are possible. In each of them, it is expressly stipulated that the transaction must be made urgently and with the utmost secrecy.
- The fraudsters will even call on an external consultancy (whose identity they have stolen) to make the operation more credible. Such consultancy will then contact the member of staff of your company to confirm the transaction and reiterate the secrecy and urgency of the payment to be made. If the staff member hesitates the fraudsters will use several tricks such as using top names in the company, flattery, even threats.
What safeguards to take?
- Always be cautious when funds are asked to be transferred urgently and secretly.
- In the event of an urgent request, always call back the person who made the request on a known phone number.
- Never let the same person have dual signing powers (cards and PIN numbers).
- Another safeguard: appoint a reference (who is neither the CEO nor the CFO) who must be contacted when a confidential or urgent transaction is requested. Such person can contact the company director personally to check the authenticity of the request. Caution, such powers may not be known outside the company.
What is e-fraud?
What are the consequences?
E-fraud covers phishing and malware infections. It may affect your company or you personally in your private life.
Whatever the case, the cyber criminals will try to steal money by recovering the identification codes and electronic signature of their victim. With such codes, they transfer money to their accounts by emptying your bank accounts.
- You receive an e-mail supposedly from your bank claiming to be a security check, that an account will be blocked or that a change will be made to the services offered by the bank. Other motives are possible. Each time the aim is to get you to click on the link in the e-mail and divert you to a false identification page for your PC banking.
- On that page, you enter your initialisation codes which the criminals retrieve as you are on their site and not your bank's site. With your codes, these criminals can enter into your PC banking and prepare transactions. To that end, they now need a signature code to transfer money from your accounts.
- To obtain your signature code, they will phone you and ask you to insert your card in your card reader (this is called vishing), or you will see a screen asking you to wait a few minutes. Once the time has past, a new screen will appear and ask you for your signature code (dynamic phishing).
What safeguards to take?
- Never give your PC Banking codes to anyone. If someone asks you to insert your card in your reader and to give them the code displayed on the screen, it is suspicious.
- Never sign a transaction you have not entered yourself (you will be asked to create a code with your card reader by using the signature button, which is different from the identification button, when you are not making a payment.
Proper management of online means of payment
Some corporate behaviours can facilitate the task of fraudsters and increase your exposure to fraud:
- Poor management of dual signing:
dual signatures is a means of detecting fraud. The person who must add the second signature has an external look on the transaction and can detect fraud more easily. Never leave both signatures in the hands of the same person and check what you are signing.
- Shared access to the company's accounts:
sometimes it can be easier to share access to a business's PC banking. One person holds the access and shares their codes with colleagues. Yet this increases the risks of fraud and prevents you from knowing who was the fraud victim.
- Bad use of account mandates:
by sharing electronic access to a company's accounts, the mandates are also shared. In this way you also give access to your personal accounts. Each agent must have their own individual access to the company's accounts. This is a security for the company and also for the person who will only be able to affect the accounts of your business.
What is it?
What are the consequences?
Invoicing fraud is manifold. In all cases, the fraudsters will change the banking details of the company which issued the invoice to indicate their own and, as a result, receive the amounts invoiced.
- The criminals intercept the invoice between the time it is posted and its receipt, or by hacking the boxes for sending e-mail.
- The fraudsters change the invoice to indicate their own banking details on it. They can do this in different ways: a new invoice is compiled with the new details, a sticker (often fluorescent) with the fraudsters' banking details and mentioning a change of bank is placed on the real banking details, etc. Then the invoice is sent again.
- The invoice is received and paid to the new bank account number. It is highly likely that the following invoices will also be paid to the wrong account until the real issuer of the invoice realises that their invoices have not been paid and contact the debiting company.
Variants of such fraud
Invoicing fraud comes in several varieties. For instance, the debiting company receives an e-mail from what it thinks is its supplier, stating a change of bank and consequently of account number. This message will bear the suppliers' letterhead and seem legitimate. In such cases, no invoices are intercepted, but an ordinary message with the new banking details is sent. All pending invoices as well as subsequent invoice must be paid to the new account number.
Whatever the scenario, the aim of the criminals is to make a change to what we call the suppliers details (phone number, bank references, e-mail address) in order to steal money.
How to protect yourself as the issuer of invoices?
To limit the risks of your invoices being intercepted, avoid sending them in an envelope with your logo or any name identifying your company.
It is recommended to send each invoice through two different channels. For instance by e-mail and by post. This way your debtor must be informed that it must only pay bills where both invoices are identical. By writing your banking details in red on the invoice, you can facilitate checking prior to payment.
How to protect yourself as the receiver of invoices?
It is very easy to protect against this type of fraud by calling back to confirm. Any change in your suppliers' details (address, phone number, e-mail address, account number, etc.) must result in a phone call to the usual number (and not to the number indicated on the invoice). This is how tentative fraud can be detected quickly.
Who to contact in case of doubt or fraud?
If you notice attempted fraud or if fraud has occurred in your businesses, immediately inform your ING contact. By calling your bank quickly, you will increase the likelihood of recuperating the funds embezzled.
Other formalities with the authorities can also be required (filing a complaint with the police, etc.). Our specialists can also advise you on the steps to be taken.