Social engineering / bank mandate fraud

Bank mandate fraud is when a third party tricks you into sending a payment to a bogus account by impersonating the genuine organisation or individual. This is also known as “social engineering” and “payment diversion fraud”.

Sometimes these e-mail scams appear to be an internal request to make a payment; this is known as CEO fraud. In these cases a spoof e-mail is sent from a fraudster, purporting to be the CEO or a company director, to a member of the finance team insisting that an urgent payment transfer is needed for some reason. The member of staff, believing that the message is genuine, does as instructed only to discover later that they have sent funds to a fraudster. 

ANY e-mail received from a third party regarding a change to bank details – or setting up new bank details if it is new supplier/payee etc. should be treated with suspicion and checks should be made to ensure that the request is genuine. Fraudulent e-mail addresses are often very similar to the genuine address (perhaps a letter missing or a different top level domain name (i.e. “.com” instead of “.com.sg”) making such spoof e-mails hard to spot. ITIC advises that you use the telephone to call the supplier/client and check that they really have changed their bank account. Never seek confirmation of this change to bank account information via e-mail, or by using the phone number provided in the e-mail, as you may end up corresponding with the fraudster. 

ITIC have heard of mandate frauds involving cash to master movements, freight payments, supplier invoices and even payment of their insurance premium. Ensure that all staff, not just the finance team, are aware of these types of e-mail fraud.