01 Nov Practical steps to protect against business fraud
Business fraud is real, common and becoming increasingly hard to spot.
This is an example of a fraudulent invoice I received a few years ago when I first started out in business. I did not make the payment as I quickly realised that the invoice was fake. Red flags highlighted below:
- The invoice looks like it was produced using a basic online template and does not look professional or genuine;
- The document is labelled as a ‘quote’ rather than an invoice;
- There is no registered company or business name and an online search did not reveal any results about the business;
- It says ‘VAT included’, but the VAT is not shown separately. If they were VAT registered they would have provided their VAT registration number. It also says ‘this is not a VAT receipt’, which is contradictory;
- A street view of the address when searched for online does not reveal a business premises or anything to indicate that a business is located there.
There are likely to be other factors too, but these are the ones that I spotted!
Don’t just take documents at face value
The key point here is to ensure you always receive a proper, legitimate invoice from customers. Do not take documents at face value. If in doubt about an invoice you should always query it with your customer before making payment.
Here are two examples of common fraudulent attempts, which can sometimes catch out small businesses:
Scenario 1: An email is sent from the CEO to the Finance Manager requesting urgent payment to an unfamiliar recipient. Due to the nature of the request, and the fact that the CEO is requesting it, the payment is made. Later it is found that the email address, supposedly belonging to the CEO, was in fact incorrect, and only then is the payment questioned. It was an email address very similar to the real one (maybe one letter different), so at a casual glance it looked correct.
Solution: Make some small changes to internal checks and systems
- Question anything that seems unusual. Does the email address look slightly different to what you are used to? Does the language or tone in the email from the CEO seem unlike them? Is this an unusual request for you to be receiving?
- Create an internal code word or number for processing payments. If you want to be sure you always recognise a payment as legitimate, you could create a unique identifier between those who send the payment request and those who make the payment.
- Create an email address only for payment requests. If this is systemised and communicated to everyone in the team, any request that is not sent to the dedicated email address, and therefore not received by the dedicated person responsible, stands out. Use two-step authentication to access the email account.
- Provide cyber security training for the whole team. A big team can be an easy target for a fraudster because they rely on lack of communication between departments as a weak spot. Train your whole team to be alert to the risks and characteristics of fraud.
If in doubt, please contact Barnes & Scott for advice.
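The "one letter different" address in Scenario 1 is something a mail filter or a simple script can check for, rather than relying on a casual glance. The Python below is an added example, not part of the original article: it compares the sender of a payment request against a list of addresses you already trust and flags near misses. The addresses, `KNOWN_SENDERS` and the two-edit threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: the addresses your team really uses for payment requests.
KNOWN_SENDERS = {"ceo@example.com", "payments@example.com"}


def edit_distance(a: str, b: str) -> int:
    """Count single-character edits (insert, delete, replace, adjacent swap)."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # two neighbouring letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, known=KNOWN_SENDERS, max_edits: int = 2):
    """Return (verdict, nearest known address) for a From: header value."""
    # parseaddr drops the display name, which the sender can set to anything.
    address = parseaddr(from_header)[1].strip().lower()
    if address in known:
        return "known", address
    nearest = min(known, key=lambda k: edit_distance(address, k))
    if edit_distance(address, nearest) <= max_edits:
        return "lookalike", nearest  # near miss: hold the payment and query it
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in (
        "Jane Smith <CEO@example.com>",
        "Jane Smith <ceo@examp1e.com>",
        "Jane Smith <ceo@exarnple.com>",
        "accounts@supplier.example",
    ):
        print(header, "->", classify_sender(header))
```

A "known" result only means the address text matches; it does not replace the code word or the confirmation call described in the steps above.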
Scenario 2: A customer requests a change to their bank account details for a regular payment. You have a longstanding relationship and a high level of trust between you so you make the changes requested. It is only when the real customer contacts you to discuss non-payment of your invoices that the fraud is discovered.
Solution: Always confirm a change to key data such as a bank account number
- Pick up the phone – Just one confirmation call can protect you from losing thousands. If you receive a request like this, call your customer to double check the details. By incorporating this into your business systems, you can ensure that it is followed company-wide.
The two scenarios above are examples of fraud that are particularly common amongst small businesses. Fraud is always evolving and whilst you may not always be able to fully protect yourself from it, you can take steps within your business to ensure the risks of financial loss are managed effectively.
Key things to remember when it comes to your financial information
People also pose as HMRC. HMRC are hyper-vigilant at warning people about the newest scams and we want to make sure you are aware of some key points too:
- HMRC never send emails about tax refunds or rebates;
- Although HMRC do send texts, they never ask for personal or financial information in a text message;
- HMRC never use WhatsApp to contact customers about a tax refund;
- HMRC never use social media to offer a tax rebate or request personal information.
HMRC is aware of automated phone call scams too. A client of a firm received a call from someone professing to be a bailiff of Northampton Crown Court, calling on behalf of HMRC. The ‘bailiff’ stated that he had a court warrant to collect a sum of £853.27, which would increase by a further £400 if not paid within 30 minutes. He told the client he was on his way to their registered address to seize goods unless the debt was paid within that time.
The client notified HMRC who confirmed that they did not owe anything. HMRC noted all the details, including the phone number, to investigate further and the police were notified.
If you get a suspicious call like this, note the date of the call, the phone number and the content and report it to HMRC. HMRC also provide more examples of phishing emails and bogus contacts.
If you are unsure about any requests or demands relating to your financial information, you can also contact Barnes & Scott to discuss.