UK businesses transferred £93 million into the accounts of criminals who were posing as legitimate payees last year, latest figures have revealed.
There were 3,280 invoice and mandate scam cases involving businesses during 2018, with an average loss per case of more than £28,000, according to UK Finance. Only around one-third of the losses (£27 million) was eventually recovered.
Despite the massive financial impact of thefts, four in 10 businesses in the UK are unaware of the risks posed by criminals, its research shows.
Invoice fraud involves criminals targeting businesses by posing as a regular supplier and making a request for their bank account details to be changed, often by email. Businesses are then tricked into sending money to an account controlled by the thief rather than the genuine supplier.
A UK Finance survey of 1,500 firms throughout the UK found that more than half (55%) of sole traders are aware of the threat of invoice fraud compared to two-thirds (68%) of small business and 84% of large businesses.
Smaller firms are also less likely to have experienced invoice fraud, with one in 20 sole traders targeted, compared to one in four larger firms.
Despite the risks, many companies are failing to act to avoid falling victim to criminals, including nearly one-third of large firms.
Katy Worobec, managing director of the economic crime unit at UK Finance, said: “Invoice fraud could happen to businesses of all sizes. It’s vital that all employees are trained to identify potentially fraudulent transactions.
“The gangs behind this type of fraud are increasingly sophisticated and will often get hold of details that allow them to pose convincingly as regular suppliers.”
She warned that if an external contact asks for a supplier’s bank account details to be changed, it must always be verified with that supplier separately on the phone or in person, using the contact details on file.
Companies are also urged to review advice available from the Take Five to Stop Fraud campaign on how to stay safe.
Financial crime can hit companies of any size. Last week it was revealed that a gang tricked two of the word’s biggest companies, Facebook and Google, into sending more than $100 million to accounts controlled by criminals.
Emails were sent to employees and agents of the two tech giants pretending to represent Taiwanese hardware maker Quanta Computer and requesting payment to the criminals’ account. The scheme netted about $23 million from Google and $98 million from Facebook. Google recovered its losses, while Facebook recouped the bulk of its funds, but its losses weren’t disclosed.
Invoice finance is just a small part of a massive national annual bill for fraud involving businesses and consumers, with £1.2 billion stolen last year by criminals. In addition, the banking sector prevented a further £1.7 billion in fraudulent transactions.
Criminals stole £354 million in authorised fraud and £845 million in unauthorised fraud during 2018.
Industry research suggests that the theft of personal and financial information through social engineering caused by data breaches outside the financial sector was a major contributor to the fraud losses.
Last year, there were 2.6 million cases of unauthorised financial fraud, in which account holder does not provide authorisation for a payment to proceed.
Total losses were up 16% last year compared to 2017, mainly through card fraud and remote banking scams, although 98% of customers were fully refunded.
However, less than a quarter of victims of authorised push payment scams recovered their losses.
In an authorised push payment (APP) scam, a customer is duped into authorising a payment to another account which is controlled by a criminal, with losses last year split between personal (£228 million) and business (£126 million) accounts.
In total there were 84,624 APP scam cases, split between personal (78,215 cases) and non-personal (6,409 cases) accounts.
A new authorised push payment scams voluntary code will come into force in May where finance companies will reimburse victims of scams in any scenario where their bank or payment service provider is at fault and the customer has met the standards expected of them under the code.
Worobec added: “Fraud is a crime which poses a major threat to us all - it can have a devastating impact on victims and the money stolen funds even more damaging crimes such as terrorism, drug trafficking and people smuggling.
“Every business, from online retailers to social media companies, as well as the public sector, has a duty to work together to beat fraud and prevent stolen data getting into the hands of criminals.”
Key findings from Business Payments Survey
|Size of business||Sole trader||Micro (1-9 employees)||Small (10-49 employees||Medium (50-249 employees)||Large (250-plus employees|
|Proportion aware of invoice fraud||55%||60%||68%||76%||84%|
|Proportion that have experienced invoice fraud||6%||9%||12%||17%||26%|
|Proportion that have taken steps to protect themselves||21%||43%||46%||43%||63%|