How SMEs can avoid falling for fraud 🕳️

Sarah Hiraki

11/20/2019

Financial fraud is a growing risk to SMEs (small and medium-sized enterprises). An independent study, commissioned by Revolut Business last month, showed one in five (22%) SME leaders across the UK, France and Poland ranked fraud and cyber crime among their top concerns. Recent findings from across the industry suggest they are right to be concerned. Accounting software firm Xero highlights figures showing that businesses with fewer than 100 employees report 28 percent of all instances of fraud. Findings from UK Finance suggest overall fraud increased 40% in the first six months of 2019 to total a staggering £616m stolen from UK bank customers. Last year, a YouGov survey suggested that 50,000 jobs in SME businesses were lost as a result of fraud.

At Revolut Business, we want to make sure you avoid falling for common fraudulent scams. We have developed machine systems and insights so that we can scan for, predict and block unusual activity automatically – but a significant proportion of fraud uses so-called “social engineering” to trick you into authorising fraudulent payments.

❌ Authorised and unauthorised fraud

The concept of authorised fraud may seem oxymoronic – who would authorise a fraud? However, there is a clear and important difference. Any use of your credit card, bank account or other payment system by a third party to purchase things without your knowledge or permission is categorised as “Unauthorised Fraud”.

Authorised Fraud, by contrast, is when you are tricked into unwittingly approving a payment to an account controlled by a criminal. This can happen using spoof emails, fake invoices, pressurised calls, or altered account numbers. Importantly, because the payment was authorised, banks are not obligated to protect or reimburse you. The best defence against these attacks is awareness and vigilance.

👍 Approved Push Payments

Approved Push Payment (APP) is becoming the most prevalent form of Authorised Fraud. It comes in three main guises – Invoice fraud, CEO fraud and Mandate fraud. Invoice fraud is perhaps the most straightforward: it involves sending a fake invoice for payment by an SME. £93 million was paid to criminals using fake invoices in the UK in 2018. Mandate fraud cons firms into updating existing regular payments to divert to different accounts. Last year, this practice cost UK businesses £100 million. CEO fraud impersonates the CEO, or other senior management figure in a firm, to demand quick payment to a fraudster. Interpol estimates that CEO fraud cost businesses $1 billion globally last year.

You would think that any of these would be easy to spot, but criminals use sophisticated social engineering techniques to create situations in which you are less likely to check invoice details. These include timing emails to coincide with monthly payment runs, mirroring supplier invoices and logos precisely, applying time pressure and false deadlines, and even using actual events such as a change of address to slip fake invoices, requests to update direct debits or urgent instructions to pay a new supplier into normal business routines.

🕵️‍♀️ Educate, be vigilant and double check

Anti-fraud is everyone’s job, and everyone needs to be informed of the risk and the policies to mitigate it. Ensure everyone in your business is aware of the risks and the types of fraud. Resources such as and Action Fraud have detailed examples and explanations to help you spot suspicious activity. Make sure your policies are rigorously followed all the time. Where possible, reinforce them by automating payments and requiring multiple sign-offs to alter them.

Check frequently for anomalies. Even when you pay the same invoice every month, check all the details against core (ideally offline) records of the supplier’s address, telephone number and account details. If anything looks different or just ‘wrong’ in some way, double check.

And when you check, don’t rely on replying to a suspicious email to ask for clarification. Call. Ideally, call a known contact using a number that you have used before. Sophisticated thieves will create fake numbers, email addresses and even websites to convince you they are legitimate. Always go back to a familiar, proven source for confirmation of new instructions. Never respond to unsolicited emails or calls asking to change details without thoroughly checking.
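The check described in the two paragraphs above can be automated before a payment run. This is an added example, not Revolut's code: the supplier record, field names and decision labels are hypothetical and all values are constructed.

```python
import re

# Constructed vendor master record, standing in for the offline records
# the article recommends keeping. All values are made up.
VENDOR_MASTER = {
    "ACME-001": {
        "name": "Acme Supplies Ltd",
        "address": "1 Example Street, London, EX1 2MP",
        "phone": "+44 20 7946 0000",
        "sort_code": "00-00-00",
        "account_number": "12345678",
    }
}

# Fields where a change means the money would go somewhere new.
PAYMENT_FIELDS = {"sort_code", "account_number"}

def _norm(field, value):
    """Normalise so formatting differences are not reported as changes."""
    value = (value or "").strip().lower()
    if field in ("phone", "sort_code", "account_number"):
        return re.sub(r"\D", "", value)           # compare digits only
    return re.sub(r"[\s,.]+", " ", value).strip()  # collapse punctuation/spacing

def check_invoice(invoice, master=VENDOR_MASTER):
    """Return (decision, mismatched_fields) for one invoice dict."""
    record = master.get(invoice.get("vendor_id"))
    if record is None:
        return "HOLD_UNKNOWN_SUPPLIER", []
    # A field missing from the invoice also counts as a mismatch.
    mismatches = sorted(
        f for f in record if _norm(f, invoice.get(f)) != _norm(f, record[f])
    )
    if not mismatches:
        return "OK", []
    if PAYMENT_FIELDS & set(mismatches):
        return "HOLD_CALL_KNOWN_NUMBER", mismatches
    return "REVIEW", mismatches

def callback_number(vendor_id, master=VENDOR_MASTER):
    """The number to call is the one on file, never the one on the invoice."""
    return master[vendor_id]["phone"]

if __name__ == "__main__":
    # Constructed invoice: same supplier, different account number.
    invoice = dict(VENDOR_MASTER["ACME-001"], vendor_id="ACME-001",
                   account_number="87654321")
    print(check_invoice(invoice), callback_number("ACME-001"))
```
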

We all want to get paid faster, reduce bureaucracy and time-wasting process, but as the business world continues to evolve, we must all make sure we don’t leave gaps and opportunities for fraud. A fast payment is a good payment, but a fraudulent payment hurts everyone. Fraud hurts not only your bottom line, but also your business relationships and professional reputation. Better to pause, double and triple check and even delay a payment than to become another fraud statistic.