In an increasingly digital world, it is somewhat ironic that “the best defense against change of banking detail scams is hardly digital, or very sophisticated, at all,” says Bilal Kajee, Head of Risk Management, Business and Commercial Banking at Standard Bank Group. “A simple, old fashioned phone call to the supplier or third party that you are about to pay can quietly and quickly scupper even the most sophisticated digital payment scams,” he adds.
Critically, it’s important to make these calls as soon as fraud is suspected. The longer it takes to identify and report a scam involving changed banking details, the more damage can be done.
Criminals will go to great lengths to prolong scams. For example, “after changing payment details, fraudsters will often continue sending businesses false statements showing how their debt is being paid down,” reports Kajee. It is only when the real supplier terminates services that clients realise they have been scammed.
While businesses can’t control who accesses their clients’ or suppliers’ invoicing records, they can control their own payments. Businesses can easily call suppliers, for example, and verify amounts and payment details. They can also follow up with suppliers, confirming that they have indeed received the funds sent. And “you don’t have to wait 48 hours,” says Kajee. Most banks can confirm payment of funds almost immediately, even if they’re not yet showing on the recipient’s statement. Again, “a simple call is all that’s required,” he adds.
Here’s how to spot and avoid change of banking detail scams:
- Emails advising a change of payment banking details are the most obvious red flags. These should always be followed up with a phone call to the beneficiary to check whether the banking details have indeed changed and are correct as per the email received. Ideally, businesses should call a person they know, on a number they have been using for a while to deal with the supplier. “Avoid calling any new names or numbers that appear on the change of banking details email. Instead, call the people you have been dealing with for years,” advises Kajee.
- If businesses are unable to call the supplier directly to validate payment details, they can call their own bank. All banks provide account validation letters.
- Alternatively, Standard Bank clients can validate accounts and account details themselves through the Account Verification Services function on Standard Bank’s payment platform.
- Simply “sending suppliers proof of payment, showing names and account numbers is also a pretty foolproof – and completely analogue – way of nipping a scam in the bud,” adds Kajee.
- Updating malware shields and other protections on email systems is also critical. Scammers can use malware specifically targeted at billing systems to infiltrate businesses simply by sending clients an email which their staff then open.
Kajee also reports that while many CEOs or finance heads believe staff are calling beneficiaries and conducting these basic checks, “operational staff are often not told what to look out for and don’t, in every case, check that funds have been received by beneficiaries – especially when there are multiple payments monthly.”
The frequency of data breaches means that even if individual client businesses and Standard Bank ecosystems are secure, fraudsters can still easily get hold of third-party supplier and other beneficiary details, including emails and often passwords too.
While the client or supplier environment is completely external to businesses and their banks, “this doesn’t mean that businesses can’t to some extent also manage these external exposures,” says Kajee. Simple know-your-client strategies and regular personal contact and communication with clients and beneficiaries, supported by a business practice environment that educates staff on threats while empowering them to call and check, present a formidable defense against change of banking detail scams.
If there is a rule of thumb at all, it is to “avoid an entirely digital process,” says Kajee.
Scammers who send an email with fraudulent payment details, for example, rely on staff responding directly to the mail, using exactly the details in the fraudulent email. One call or check outside of this loop, independently verifying details internally, with a bank or directly with the third party, “breaks the chain of disinformation, dramatically reducing the potential impact of change of banking details fraud,” concludes Kajee.