LAZIO FOOTBALL CLUB in Rome and Dublin Zoo have both fallen victim to an email fraud known as invoice redirection.
While it might sound like something that will never happen to you, it is a growing concern for both personal and business banking customers, as well as for the economy as a whole.
Lazio football club was reportedly conned into paying €2 million into the wrong bank account following an email from fraudsters posing as agents from Dutch football club Feyenoord.
The Roman team was due to pay the final instalment of a transfer deal to Feyenoord in exchange for defender Stefan de Vrij. It bought the player in 2014 and had been paying in instalments.
However, the final payment was made to fraudsters after the Italian club received an email that appeared to be from Feyenoord asking for the €2 million along with new bank account details. An investigation is ongoing.
Dublin Zoo fell victim to a similar invoice redirection scam when it received an email claiming to be from one of its suppliers informing the zoo that they had changed their banking details. The zoo was asked to make all future payments to the new account.
When invoices were later sent for payment, the zoo unwittingly lodged the money into the fraudsters’ account. Close to €500,000 was taken but gardaí have recovered the majority of the money.
How invoice redirection works
An email appearing to be from a legitimate supplier is sent by the fraudster containing an instruction to change bank account details.
To make the request look as authentic as possible, the scammers will research the appropriate contact in your business to request the change and study which suppliers you use. These fraudulent requests and invoices may be almost indistinguishable from the norm.
When the legitimate supplier next sends an invoice to your company, the funds are sent to the amended bank account of the criminal, where the money is transferred or withdrawn immediately.
Generally businesses do not realise they are the victim of the crime until the real suppliers send a reminder invoice.
One company shared its experience with us:
Ruth works for a large multinational company and is responsible for paying creditors as invoices arise. She received an email appearing to be from one of the company’s creditors notifying her of new payment details.
She updated the account information on the online banking system, but as no payment was due did not make any payment and went about her day.
The following month an invoice was submitted requesting payment. The invoice was legitimately from her supplier. A week passed and the supplier rang to request payment.
Ruth knew that she had already made it and confirmed the new bank account details while on the phone – she was taken by surprise when they notified her that they had not changed their bank account details at all.
Upon further investigation it was found that the email she had received, advising of the new bank details for payment, was fraudulent.
Ruth told us about the stress she experienced as a result of the scam. The money had gone overseas and Ruth’s bank worked on recovering the funds. Fortunately most of the funds were returned and she was able to pay the legitimate supplier.
Our top tips
Fraud awareness initiative FraudSMART – developed by Banking & Payments Federation Ireland in conjunction with member banks – is advising businesses to ensure they have robust policies in place to deal with requests around changing bank accounts.
These include verbally confirming with a known contact in the suppliers office as to whether the instructions are genuine or not.
In addition to verbal confirmation any requests to changes in bank account details should be escalated to a supervisor or manager.
Victims of this fraud can range from very small businesses to large corporations and the consequences of falling for a scam like this can be catastrophic, sometimes resulting in the closure of businesses and redundancies.
Here are our top tips:
- Be vigilant, check and challenge any request to change bank account details.
- Make a phone call to a known contact within the company that appears to be requesting the change in account payment.
- Do not to contact the supplier of the invoice through links or contact details supplied in the email as you may be contacting the fraudster.
- Don’t make any changes to payment details until you are certain it is genuine, even if they are claiming it is urgent.
- Companies should ensure employees are aware of this type of threat and how to avoid it.
Niamh Davenport is fraud awareness and payments manager at the Banking & Payments Federation Ireland